CN109196891B - Method, terminal and server for managing subscription data set - Google Patents

Method, terminal and server for managing subscription data set Download PDF

Info

Publication number
CN109196891B
CN109196891B CN201780032616.9A CN201780032616A CN109196891B CN 109196891 B CN109196891 B CN 109196891B CN 201780032616 A CN201780032616 A CN 201780032616A CN 109196891 B CN109196891 B CN 109196891B
Authority
CN
China
Prior art keywords
terminal
management
data set
party application
euicc
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201780032616.9A
Other languages
Chinese (zh)
Other versions
CN109196891A (en
Inventor
高林毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of CN109196891A publication Critical patent/CN109196891A/en
Application granted granted Critical
Publication of CN109196891B publication Critical patent/CN109196891B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention discloses a method, a terminal and a server for managing a subscription data set. In the method, when the terminal downloads the subscription data set from the subscription management server to the eUICC, the terminal acquires the authentication information of the third-party application. And when the third-party application requests to execute management operation on the subscription data set in the eUICC, searching the subscription data set stored in the terminal according to the subscription data set identifier returned by the third-party application server. And the terminal verifies whether the third-party application has the authority for triggering the management operation on the subscription data set in the eUICC according to the authentication information of the third-party application stored in the subscription data set. By means of the existing eUICC system architecture of the current terminal, under the condition that no additional application module is added, the signed data set in the eUICC is managed through third-party application, and a management entry of the signed data set in the eUICC is added.

Description

Method, terminal and server for managing subscription data set
Technical Field
The present invention relates to the field of communications, and in particular, to a method, a terminal, and a server for managing a subscription data set.
Background
Currently, a terminal user purchases a SIM (Subscriber identity Module) Card or a UICC (Universal Integrated Circuit Card) from an operator, and inserts the SIM Card or the UICC into a terminal (device) to access a network of the operator according to a data set written in the Card. eUICC refers to a UICC that supports secure remote management of subscription data sets (profiles) and/or a UICC that supports local management of profiles.
Since the eUICC is generally integrated in the terminal by the terminal manufacturer, and is not generally manufactured by the operator, after the terminal leaves the factory, the eUICC may not contain data that can access the operator network. The terminal needs to use a remote management technology to connect SM-DP + (Subscription Manager Data Preparation +, Subscription management-Data Preparation entity), receive the profile delivered by SM-DP +, and download the profile to the eUICC, and then the eUICC can use the profile to access the network of the operator. When the Profile is in an active state, the eUICC has the same function as a conventional UICC, and can be used to access a network of a corresponding mobile network operator. The terminal further includes an LPA (Local Profile Assistant) for managing the Profile in the eUICC, for example, downloading another new Profile, activating the downloaded Profile, deactivating the Profile, deleting the Profile, and the like.
At present, a terminal can only manage the profile in the eUICC through an LPA, and a user cannot manage the profile in the eUICC through a third-party Application (Application), such as an Application client of an operator.
Disclosure of Invention
Embodiments of the present invention provide a method, a terminal, and a server for managing a subscription data set, which enable a third-party application on the terminal to perform access management on a profile in an eUICC by using a system architecture and an access control mechanism of a current eUICC.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
in a first aspect, a method for managing a subscription data set is disclosed, where the method is performed by a terminal, and the terminal includes an integrated circuit card eUICC, an LPA (Local Profile Assistant), and a third-party application, and the method includes:
a terminal acquires a signing data set from a signing management server, wherein the signing data set comprises authentication information of third-party application;
the terminal receives a first request sent by the third-party application server, wherein the first request carries an identifier ICCID of the subscription data set, and the first request is used for triggering the execution of management operation on the subscription data set in the eUICC;
the terminal acquires authentication information of the third-party application contained in the subscription data set in the eUICC according to the identity ICCID of the subscription data set;
the terminal acquires certificate information of the third-party application stored in the terminal;
the terminal determines whether the third-party application has the authority to trigger management operation on the signed data set or not according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application;
and if the third-party application has the authority to trigger management operation on the signed data set, the terminal executes the management operation on the signed data set.
In the embodiment of the invention, the existing eUICC system architecture of the current terminal is utilized, the subscription data set in the eUICC is managed through third-party application under the condition of not increasing an additional application module, and a management entrance of the subscription data set in the eUICC is increased.
With reference to the first aspect, in a first possible implementation manner of the first aspect, before the terminal receives the first request sent by the third-party application server, the method further includes:
and the third party application of the terminal sends a first management operation request to a third party application server, wherein the first management operation request comprises the management operation of the third party application request on the signed data set in the eUICC.
With reference to the first aspect, in a second possible implementation manner of the first aspect, before the terminal receives the first request sent by the third-party application server, the method further includes:
and the third-party application server generates a management operation executed on a subscription data set in the eUICC.
With reference to the first aspect and the first and second possible implementation manners of the first aspect, in a third possible implementation manner of the first aspect, before the terminal obtains, according to the identifier ICCID of the subscription data set, the authentication information of the third-party application included in the subscription data set in the eUICC, the method further includes:
the terminal receives an identifier EID of the eUICC returned by the third-party application server;
the terminal determines whether the identifier EID of the eUICC returned by the third-party application server is the same as the identifier EID of the eUICC of the terminal;
and if the terminal determines that the identifier EID of the eUICC returned by the third-party application server is the same as the identifier EID of the eUICC of the terminal, the terminal acquires the authentication information of the third-party application contained in the subscription data set in the eUICC according to the identifier ICCID of the subscription data set.
With reference to the first aspect and the first to third possible implementation manners of the first aspect, in a fourth possible implementation manner of the first aspect, the determining, by the terminal, whether the third-party application has an authority to trigger a management operation on the subscription data set according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application includes:
the LPA of the terminal determines whether the third-party application has the authority to trigger management operation on the signed data set according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application;
or, the eUICC of the terminal determines whether the third-party application has the authority to trigger management operation on the subscription data set according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application.
With reference to the first aspect and the first to fourth possible implementation manners of the first aspect, in a fifth possible implementation manner of the first aspect, the performing, by the terminal, the management operation on the subscription data set includes:
the LPA of the terminal sends a management instruction acquisition request to the signing management server according to the first request;
the LPA of the terminal receives a management instruction returned by the signing management server according to the management instruction acquisition request;
and the LPA of the terminal executes the management operation in the first management operation request on the subscription data set in the eUICC according to the management instruction.
With reference to the first aspect and the first to fourth possible implementation manners of the first aspect, in a sixth possible implementation manner of the first aspect, the method further includes:
the first request comprises an indication indicating a management operation;
the terminal performs the management operation on the subscription data set, including:
and the LPA of the terminal executes the management operation indicated in the first request to the subscription data set in the eUICC according to the first request.
In a second aspect, a subscription data set management method is disclosed, where the method is performed by a subscription management server, and the method includes:
the subscription management server receives a second management operation request sent by a third-party application server, wherein the second management operation request comprises management operation executed on subscription data in a terminal, an identifier ICCID of a subscription data set in the terminal, an identifier EID of the terminal eUICC and authentication information of a third-party application in the terminal;
the contract signing management server sends a management request response to the third party application server, wherein the management request response comprises an identifier ICCID of a contract signing data set in the terminal and an identifier EID of the terminal eUICC;
specifically, after the subscription management server sends a management request response to the third-party application server, the third-party application server sends an identifier ICCID of the subscription data set in the terminal to the terminal.
The contract signing management server acquires a management instruction acquisition request sent by the terminal, wherein the management instruction acquisition request carries an identification EID of the terminal eUICC and certificate information of third party application stored in the terminal;
the signing management server acquires a request and the second management operation request according to the management instruction, and verifies whether a third party application in the terminal has the authority to trigger management operation on a signing data set in the terminal eUICC;
and if the subscription management server verifies that the third-party application in the terminal has the authority to trigger the management operation on the subscription data set in the eUICC, the subscription management server returns a management instruction to the terminal so that the terminal executes the management operation on the subscription data set in the eUICC according to the management instruction.
In the embodiment of the invention, the existing eUICC system architecture of the current terminal is utilized, the subscription data set in the eUICC is managed through third-party application under the condition of not increasing an additional application module, and a management entrance of the subscription data set in the eUICC is increased. The authorization of MNO APP is put to the network side for verification, the complexity of the method flow is further simplified, and the authentication operation of the terminal side is simplified.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the verifying, by the subscription management server, whether a third-party application in the terminal has an authority to trigger a management operation on a subscription data set in the terminal eUICC according to the management instruction obtaining request and the second management operation request includes:
the subscription management server acquires the identifier EID of the terminal eUICC in the request according to the management instruction, and searches a second management operation request associated with the identifier EID of the terminal eUICC;
the subscription management server determines whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determining that the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
With reference to the second aspect and the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the management request response sent by the subscription management server further includes a registration event identification event ID, where the registration event identification event ID is used to identify a management operation event registered by the subscription management server according to the second management operation request;
the signing management server acquires a management instruction acquisition request sent by the terminal and also carries the registration event identification (event ID);
the signing management server obtains the request and the second management operation request according to the management instruction, verifies whether a third party application in the terminal has the authority to trigger the management operation on a signing data set in the terminal eUICC, and comprises the following steps:
the signing management server obtains a registration event identification (event ID) in the request according to the management instruction, and searches a second management operation request associated with the registration event identification (event ID);
the subscription management server determines whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
In a third aspect, a terminal is disclosed that comprises a transceiver, an integrated circuit card, eUICC, to store a subscription data set, a memory, and one or more processors to execute one or more programs stored in the memory,
the one or more processors are to:
controlling the transceiver to acquire a subscription data set from a subscription management server, wherein the subscription data set comprises authentication information of third-party application;
receiving a first request sent by the third-party application server and received by the transceiver, wherein the first request carries an identifier ICCID of the subscription data set, and the first request is used for triggering execution of management operation on the subscription data set in the eUICC;
acquiring authentication information of third-party application contained in a subscription data set in the eUICC according to the identity ICCID of the subscription data set;
acquiring certificate information of the third-party application stored in the terminal;
determining whether the third-party application has the authority to trigger management operation on the signed data set or not according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application;
and if the third-party application has the authority to trigger the management operation on the signed data set, executing the management operation on the signed data set.
In the embodiment of the invention, the existing eUICC system architecture of the current terminal is utilized, the subscription data set in the eUICC is managed through third-party application under the condition of not increasing an additional application module, and a management entrance of the subscription data set in the eUICC is increased.
With reference to the third aspect, in a first possible implementation manner of the third aspect, the processor is further configured to:
and controlling the transceiver to send a first management operation request to a third-party application server, wherein the first management operation request comprises a management operation executed by the third-party application request on a subscription data set in the eUICC.
With reference to the third aspect, in a second possible implementation manner of the third aspect, the third-party application server generates a management operation performed on a subscription data set in the eUICC.
With reference to the third aspect and the first and second possible implementations of the third aspect, in a third possible implementation of the third aspect, the processor is further configured to:
receiving an identifier EID of the eUICC, which is returned by the third-party application server and received by the transceiver;
determining whether the identifier EID of the eUICC returned by the third party application server is the same as the identifier EID of the eUICC of the terminal;
and if the identifier EID of the eUICC returned by the third-party application server is determined to be the same as the identifier EID of the eUICC of the terminal, acquiring authentication information of the third-party application contained in the subscription data set in the eUICC according to the identifier ICCID of the subscription data set.
With reference to the third aspect and the first to third possible implementation manners of the third aspect, in a fourth possible implementation manner of the third aspect, the processor is further configured to:
instructing the LPA of the terminal to determine whether the third-party application has the authority to trigger management operation on the signed data set according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application;
or indicating the eUICC of the terminal to determine whether the third-party application has the authority to trigger management operation on the subscription data set according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application.
With reference to the third aspect and the first to fourth possible implementation manners of the third aspect, in a fifth possible implementation manner of the third aspect, the processor is further configured to:
instructing the LPA of the terminal to send a management instruction acquisition request to the subscription management server according to the first request;
receiving a management instruction returned by the signing management server according to the management instruction acquisition request received by the transceiver;
and instructing the LPA of the terminal to execute the management operation in the first management operation request on the subscription data set in the eUICC according to the management instruction.
With reference to the third aspect and the first to fourth possible implementation manners of the third aspect, in a sixth possible implementation manner of the third aspect, the first request includes a management command indicating a management operation;
the processor is further configured to:
and instructing the LPA of the terminal to execute the management operation indicated in the first request on a subscription data set in the eUICC according to the first request.
In a fourth aspect, a subscription management server, the terminal comprising a transceiver, a memory, and one or more processors configured to execute one or more programs stored in the memory,
the one or more processors are to:
receiving a second management operation request sent by a third-party application server and received by the transceiver, wherein the second management operation request comprises a management operation executed on subscription data in a terminal, an identifier ICCID of a subscription data set in the terminal, an identifier EID of the terminal eUICC and authentication information of a third-party application in the terminal;
generating a management request response, and controlling the transceiver to send the management request response to the third-party application server, where the management request response includes an identifier ICCID of a subscription data set in the terminal and an identifier EID of the terminal eUICC, so that the third-party application server sends the identifier ICCID of the subscription data set in the terminal and the identifier EID of the terminal eUICC to the terminal;
receiving a management instruction acquisition request sent by the terminal and received by the transceiver, wherein the management instruction acquisition request carries an identifier EID of the eUICC of the terminal and certificate information of a third-party application stored in the terminal;
according to the management instruction acquisition request and the second management operation request, verifying whether a third-party application in the terminal has the authority to trigger management operation on a subscription data set in the eUICC of the terminal;
and if the subscription management server verifies that the third-party application in the terminal has the authority to trigger management operation on the subscription data set in the eUICC of the terminal, controlling the transceiver to return a management instruction to the terminal so that the terminal executes management operation on the subscription data set in the eUICC of the terminal according to the management instruction.
In the embodiment of the invention, the existing eUICC system architecture of the current terminal is utilized, the subscription data set in the eUICC is managed through third-party application under the condition of not increasing an additional application module, and a management entrance of the subscription data set in the eUICC is increased. The authorization of MNO APP is put to the network side for verification, the complexity of the method flow is further simplified, and the authentication operation of the terminal side is simplified.
With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the one or more processors are further configured to:
according to the identification EID of the terminal eUICC in the management instruction acquisition request, searching a second management operation request associated with the identification EID of the terminal eUICC;
determining whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determining that the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
With reference to the fourth aspect and the first possible implementation manner of the fourth aspect, in a second possible implementation manner of the fourth aspect, the management request response further includes a registration event identification event ID, where the registration event identification event ID is used to identify a management operation event that is registered by the subscription management server according to the second management operation request;
the management instruction acquisition request also carries the registration event identification (event ID);
the one or more processors are further to:
according to the registration event identification event ID in the management instruction acquisition request, searching a second management operation request associated with the registration event identification event ID;
determining whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determining that the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
Drawings
Fig. 1A is an application scenario diagram illustrating management of a profile in a terminal eUICC by a third-party application;
FIG. 1B is an architecture diagram of a remote management system for an eUICC;
fig. 2 is a schematic flowchart of a method for managing a subscription data set according to an embodiment of the present invention;
fig. 3 is a signaling interaction diagram of a method for managing a subscription data set according to an embodiment of the present invention;
fig. 4 is a signaling interaction diagram of another subscription data set management method according to an embodiment of the present invention;
fig. 5 is a signaling interaction diagram of another subscription data set management method according to an embodiment of the present invention;
fig. 6 is a signaling interaction diagram of another subscription data set management method according to an embodiment of the present invention;
fig. 7 is a flowchart illustrating a further method for managing a subscription data set according to an embodiment of the present invention;
fig. 8 is a signaling interaction diagram of another subscription data set management method according to an embodiment of the present invention;
fig. 9 is a signaling interaction diagram of another subscription data set management method according to an embodiment of the present invention;
fig. 10 is a block diagram of a terminal according to an embodiment of the present invention;
fig. 11 is a block diagram of a subscription management server according to an embodiment of the present invention.
Detailed Description
An existing SIM card or UICC card is generally subscribed to a card vendor by an MNO (mobile network operator) in a centralized manner, so that a network access application and data required for accessing a network of the vendor are downloaded to the card before the card leaves a factory, for example: USIM (Universal Subscriber Identity Module), IMSI (International Mobile Subscriber Identity), KI (key Identity), and the like. Thus, the user can access the network of the operator by inserting the terminal (device) after purchasing the SIM card or UICC card.
Unlike UICC cards, euiccs generally embed UICC cards in terminals. For the eUICC, the eUICC is not necessarily purchased from the card manufacturer by the operator, but may be purchased by the terminal manufacturer and then integrated into the terminal. The eUICC may not contain data that can access the operator network after leaving the factory, and needs to download the data remotely, such as: the subscription data set (profile, i.e., the set of data and applications deployed into the eUICC to provide services) is not until access to the operator network is obtained based on these data. After the profile is downloaded to the eUICC, the user may perform management operations such as activating, deactivating, deleting, downloading a new profile, and the like on the profile. Currently, the profile in the eUICC can only be managed through the LPA in the terminal. The management entry is single, and the user expects to be able to manage the profile in the eUICC through more entries.
The embodiment of the application provides an application scenario, and profile in an eUICC terminal is managed through third-party application. Fig. 1A is an application scenario diagram for managing profile in the eUICC of the terminal through a third-party application, as shown in fig. 1A:
the user starts an operator application (MNO APP) on the terminal desktop, and the user inputs a user name and a password to log in an operator application server. And the operator application displays the downloading operation and the management operation of the subscription data set, which can be triggered by the user through the operator application, according to the subscription information of the user. After the user selects "management profile", the operator application displays the type of management operation that the user can trigger. Since multiple profiles may have been downloaded in a terminal, the operator application displays the type of management operation that can be triggered for one or more profile users. For example, the user selects "activate profile X", which means that the user wishes to activate "profile X" in the terminal. And when the 'profile X' is successfully activated, displaying the UI interface successfully activated by the operator application.
The operator application is only used for example, and in the embodiment of the present application, the application is not limited to the operator application, which is a third party application.
In order to implement the above application scenario, profile in the eUICC is managed through a third-party application, such as an application of an operator, and the following two technical solutions are proposed according to a system architecture and an access control mechanism of the current eUICC without adding an additional application program.
Firstly, management authority information of a third-party application for managing the profile in the eUICC is preset in the profile of the SM-DP +. After the terminal downloads the profile containing the third-party application management authority information from the SM-DP +, the terminal obtains the management authority of the third-party application for managing the profile in the eUICC. For example, the management authority of the third-party application a for performing management operation on the profile in the eUICC is activation and deactivation, and the application a must not perform deletion operation on the profile in the eUICC. Or the third party Application B only allows to call a part of Application Programming Interface (API) of the LPA in the terminal, and must not call other API of the LPA.
When the third-party application initiates the management operation on the profile in the eUICC, the eUICC or the LPA of the terminal can verify whether the third-party application has the authority to manage the profile in the eUICC. And if the verification is passed, allowing the third-party application to perform management operations such as activation, deactivation, deletion, downloading of new profile and the like on the profile in the eUICC.
And secondly, when the third-party application initiates the management operation of the profile in the eUICC, the server of the third-party application sends the management operation and the certificate information of the third-party application to the SM-DP +. And verifying whether the third-party application has the authority of managing the profile in the eUICC by a Server system such as SM-DP + or SM-DS (subscription management-Discovery Server). And if the verification is passed, allowing the third-party application to perform management operations such as activation, deactivation, deletion, downloading of new profile and the like on the profile in the eUICC.
First, the following description will be made of systems, terms, and the like related to embodiments of the present invention:
first, as shown in fig. 1B, a block diagram of a remote management system of an eUICC according to an embodiment of the present invention is provided. Referring to fig. 1B, the system includes an SM-DP + (Subscription Manager Data Preparation +, Subscription management-Data Preparation) Server, an SM-DS (Subscription Manager-Discovery Server), an Operator (Operator), a card issuer (EUM), a certificate issuing center ci (certificate issuer), a Terminal (Terminal), and a User (End User).
In addition, the interfaces between the various entities are described: ES6 is the interface between the eUICC and the operator; ES2+ is the interface between the operator and SM-DP +; ES8+ is the interface between eUICC and SM-DP +; ES11 is an interface between the LDS (local discovery Service) of the terminal and the SM-DS; ES12 is the interface between SM-DS and SM-DP +; ES10a is the interface between LDS and eUICC; ES10c is LUI (local user interface) and eUICC; ESCi is the interface between EUM and CI, or the interface between CI and SM-DP +; ESeum is the interface between EUM and eUICC; ESop is the interface for a User (End User) to interact with the operator; ESeu is an interface between End User and LUI; ES9+ is the interface between SM-DP + and LPD (local profile download), ES10b is the interface between LPD and eUICC.
The SM-DP + function includes generation of a subscription data set (profile), protection (such as encryption) of the subscription data set, storage of the subscription data set, binding of the subscription data set (such as binding of the profile and an Event ID), sending or downloading of the subscription data set, management of a remote subscription data set, registration of SM-DS events and the like. The SM-DS is mainly responsible for accepting Event (Event) registration transmitted by SM-DP + and transmitting the Event to the terminal. The event includes a subscription dataset download event or a subscription dataset management event. The terminal downloads the subscription data set from the SM-DP + according to the subscription data set downloading event; or the terminal acquires the subscription data set management command from the SM-DP + according to the subscription data set management event.
Further, referring to fig. 1B, there are an LPA and an eUICC in the terminal, and the LPA includes an LDS, an LPD and an LUI. In specific implementation, the LDS of the terminal queries an event from the SM-DS, and the LPD is responsible for downloading a subscription data set, that is, the LPD downloads a profile from the SM-DP + to the LPD through an HTTPS (hypertext transfer Protocol Secure) Secure link, and then sends the downloaded subscription data set to the eUICC through a local APDU command. The subscription data set refers to a collection of file structures, data, application programs, and the like, and may include one or more network access applications and corresponding network access credentials. It should be noted that, in the embodiment of the present invention, the subscription data set is a generic term, and includes a subscription data set installed on an eUICC of a terminal and a profile package stored in an SM-DP +.
In addition, the LUI of the terminal provides an interactive logic and an interface with the user, and the user can complete the management of the profile through the LUI, such as downloading a new profile, activating the profile, deactivating the profile, deleting the profile, and the like.
According to the eUICC system architecture of the current terminal, the LPA can communicate with the eUICC, and other third-party applications APP need to call an Application Program Interface (API) opened by the LPA to realize communication with the eUICC. In order to ensure the security of API call to the LPA, it is necessary to verify whether the third-party application App has the authority to call the API of the LPA, and perform management operation on the corresponding profile in the eUICC.
Example one
An embodiment of the present invention provides a method for managing a subscription data set, as shown in fig. 2, the method includes the following steps:
101. and acquiring a signing data set in the terminal signing management server, wherein the signing data set comprises authentication information of third-party application.
The terminal automatically downloads or downloads the subscription data set from the subscription management server to the eUICC of the terminal according to a download instruction input by the user. The authentication information of the third party application may be carried in metadata (metadata) of the subscription data set, and specifically, may be added to a data field of the StoreMetadata command. After the subscription data set is downloaded into the eUICC, metadata of the subscription data set may be stored in an Security Domain space (ISD-P) created by the eUICC for the subscription data set. The authentication information of the third party application may include a hash value of the certificate of the third party application.
The Subscription management server may be an SM-DP + (Subscription Manager Data Preparation +, Subscription management-Data Preparation) server. It may also be an SM-DP + Server and an SM-DS (Subscription Manager-Discovery Server). And is not particularly limited herein.
Optionally, the authentication information of the third-party application may further include a hash algorithm of a certificate of the third-party application, a package name (package name), an API of the LPA that the third-party application is allowed to access, and the like. Alternatively, if the authentication information of the third party application does not contain the API of the LPA to which the third party application is allowed to access, the representative allows the third party application to access all the open APIs of the LPA.
Optionally, the authentication information of the third party application may further include a type of management operation that the third party application is allowed to perform on the subscription data set in the eUICC.
The authentication information of the third-party application may be preset in the SM-DP + by a Mobile Network Operator (MNO) through an MNO portal server, or may be provided to the SM-DP + by the MNO when subscribing to profile from the SM-DP +.
102. And the third party application of the terminal sends a first management operation request to a third party application server.
The first management operation request comprises a management operation which is requested by the third party application to execute on a subscription data set in the eUICC.
And after the terminal starts the third-party application, logging in a third-party application server. And inputting the management operation of managing the subscription data set in the eUICC by the user through the user interface of the third-party application. And the third party application sends a request message carrying a contract signing data set in the eUICC to execute management operation to a third party application server.
Specifically, the third party application server belongs to a server in an Operator (Operator) in the architecture shown in fig. 1B. Or the third party application server communicates with the subscription management server through an Operator (Operator).
In another embodiment, step 102 may not be performed. The third party application server may also trigger a management operation performed on the subscription data set in the eUICC according to another event. The third-party application is not required to send the first management operation request to the third-party application server.
103. The terminal receives a first request sent by a third-party application server, wherein the first request carries an identifier ICCID of a subscription data set.
The first request is used for triggering execution of a management operation on a subscription data set in the eUICC.
Specifically, after the third-party application server receives a first management operation request sent by a third-party application of the terminal, or after the third-party application server automatically generates a management operation executed on the subscription data set in the eUICC, the third-party application server may send the management operation in the first management operation request to the subscription management server, receive an identifier ICCID returned by the subscription management server to the subscription data set, then generate the first request and send the first request to the terminal, or directly generate the first request by the third-party application server, and send the first request carrying the identifier ICCID of the subscription data set to the terminal. And is not particularly limited herein.
Optionally, the first request may also carry an identification EID of the eUICC.
Optionally, the first request may further carry a management operation that indicates the third-party application to execute on the subscription data set in the eUICC. Or the first request is a management command of a management operation executed by the third-party application on the subscription data set in the eUICC. For example, the first request is an enable profile command.
104. And the terminal acquires the authentication information of the third-party application contained in the subscription data set in the eUICC according to the identification ICCID of the subscription data set.
And the terminal acquires the information of the subscription data set corresponding to the identifier ICCID in the eUICC according to the identifier ICCID of the subscription data set returned by the third-party application server. Since the eUICC of the terminal may include multiple subscription data sets, the subscription data set required by the third-party application to trigger the management operation may be obtained according to the identifier ICCID returned by the subscription management server.
And after the terminal acquires the subscription data set in the eUICC, further acquiring authentication information of the third-party application stored in the subscription data set. Specifically, the authentication information of the third-party application is acquired from metadata of the subscription data set. The authentication information of the third party application may include a hash value of the third party application certificate. Optionally, the authentication information of the third-party application may further include a hash algorithm of a certificate of the third-party application, a package name (package name), an API of the LPA that the third-party application is allowed to access, and the like.
Optionally, if the subscription management server also returns the identifier EID of the eUICC of the terminal at the same time, it is further determined whether the identifier EID of the eUICC returned by the subscription management server is consistent with the identifier EID of the eUICC in the terminal. If the two EID identifications are consistent, step 104 is performed.
105. And the terminal acquires the certificate information of the third-party application stored in the terminal.
When the third-party application is installed in the terminal, the certificate information of the third-party application is stored in the terminal. Specifically, the certificate information may include a certificate of the third-party application, a package name of the third-party application, and the like.
Specifically, if the authentication information of the third party application stored in the eUICC includes a hash algorithm in step 104, the terminal acquires the certificate of the third party application from the operating system and calculates the hash value using the hash algorithm in the authentication information of the third party application, or the terminal calculates the hash value using a default hash algorithm, or the terminal acquires the hash value of the third party certificate from the operating system according to the hash algorithm in the authentication information of the third party application or the default hash algorithm. If the authentication information of the third-party application stored in the eUICC also includes the package name of the third-party application in step 104, the terminal obtains the package name of the third-party application from the operating system.
106. And the terminal determines whether the third-party application has the authority to trigger the management operation on the signed data set or not according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application.
The terminal determines whether the third-party application has the right to trigger the management operation on the subscription data set according to the authentication information of the third-party application in the subscription data set acquired in step 104 and the certificate information of the third-party application acquired in step 105.
For example, it is determined whether the hash value of the third-party application in the authentication information of the third-party application is consistent with the hash value of the certificate of the third-party application. And judging whether the package name of the third-party application in the authentication information of the third-party application is consistent with the package name in the certificate information of the third-party application.
The execution subject of step 106 may be LPA of the terminal, or eUICC of the terminal.
107. And if the third-party application has the authority to trigger management operation on the signed data set, the terminal executes the management operation on the signed data set.
And if the judgment result in the step 106 is consistent, it indicates that the third-party application has the authority to trigger the management operation on the subscription data set. If the determination result in the step 106 is inconsistent, it indicates that the third-party application does not have the authority to perform the management operation on the subscription data set, the process is terminated, and the third-party application is not allowed to perform the management operation on the subscription data set in the eUICC.
There are various methods for the terminal to perform the management operation on the subscription data set in step 107, and the method is not particularly limited herein. The following examples illustrate:
example one:
and the LPA of the terminal sends a management instruction acquisition request to the subscription management server according to the first request.
And the LPA of the terminal receives the management instruction returned by the signing management server according to the management instruction acquisition request.
And the LPA of the terminal executes the management operation in the first management operation request on the subscription data set in the eUICC according to the management instruction.
Example two:
and the LPA of the terminal executes the management operation indicated in the first request to the subscription data set in the eUICC according to the first request. And the terminal receives a first request sent by the third-party application server and comprises an instruction for instructing management operation.
And presetting authentication information of the third-party application in the subscription data set, and when the terminal downloads the subscription data set from the subscription management server to the eUICC, the terminal acquires the authentication information of the third-party application. And when the third-party application requests to execute management operation on the subscription data set in the eUICC, searching the subscription data set stored in the terminal according to the subscription data set identifier returned by the third-party application server. And the terminal verifies whether the third-party application has the authority for triggering the management operation on the subscription data set in the eUICC according to the authentication information of the third-party application stored in the subscription data set. In the embodiment of the invention, the existing eUICC system architecture of the current terminal is utilized, the subscription data set in the eUICC is managed through third-party application under the condition of not increasing an additional application module, and a management entrance of the subscription data set in the eUICC is increased.
Specifically, the execution subject of step 106 may be LPA in the terminal, and may also be eUICC in the terminal.
Two specific examples are described in detail below. It is assumed that the third party application is an operator application (MNO APP) installed in the terminal developed by the operator.
Example two
As shown in fig. 3, the network element body according to the second embodiment includes a terminal, a portal server (MNO portal) of a mobile network operator, and a subscription management server. Specifically, the terminal comprises an eUICC, an LPA, an operator application (MNO APP) installed in the terminal. The signing management server comprises an SM-DP + server and an SM-DS server. Determining, by an LPA in the terminal, whether an operator application (MNO APP) in the terminal has authority to perform a management operation on a subscription data set in the terminal. The specific signaling interaction flow is as follows:
1. a Mobile Network Operator (MNO) has developed an operator application (MNO APP) for installation on a terminal. When an operator application is installed on a terminal, the terminal will store certificate information of said operator application, e.g. a certificate, a package name, etc. In order to enable a user to directly manage the profile of the eUICC in the terminal through the operator application, when a Mobile Network Operator (MNO) customizes a subscription data set in an SM-DP + in advance through an MNO portal server, authentication information of the application is stored in metadata of the subscription data set.
The authentication information of the operator application comprises a hash value of a certificate of the operator application. Optionally, the authentication information of the operator application may further include a hash algorithm of a certificate of the operator application, a package name (package name), an API of an LPA that the operator application is allowed to access, and the like.
2. When the terminal downloads the subscription data set of the mobile network operator from the SM-DP +, the authentication information of the application developed by the operator is also downloaded to the terminal along with the subscription data set. In particular, the authentication information of the operator application may be stored in metadata of the subscription data set. After downloading the subscription data set to the eUICC of the terminal, the metadata of the subscription data set may be stored in an security domain space (ISD-P) created by the eUICC for the subscription data set.
When the terminal finishes downloading the subscription data set of the mobile network operator, the MNO portal server of the mobile network operator stores the subscription data set downloading record of the terminal. Specifically, the subscription dataset download record may include an identification ICCID of the downloaded subscription dataset, an identification EID of the eUICC of the downloaded subscription dataset, and the like.
3. The user opens an operator application (MNO APP) client on the terminal and logs in an MNO portal.
4. The management operation of managing the subscription data set in the eUICC is entered through the client user interface of the operator application (MNO APP). A client of an operator application (MNO APP) sends a first management operation request (PRM/ReM) carrying a request for executing management operation on a subscription data set in the eUICC to an MNO portal. The management operation may be activating a subscription dataset, deactivating a subscription dataset, deleting a subscription dataset, querying eUICC information, downloading another new subscription dataset, etc. See in particular the application scenario shown in fig. 1A.
Specifically, after a user logs in an operator application (MNO APP) client on a terminal, the operator application (MNO APP) client acquires subscription information of the user at the time of operator registration from an MNO portal, and inputs a management operation for managing a subscription data set in the eUICC in a client user interface of the application according to the subscription information.
5. After receiving the first management operation request sent by the application client of the operator, the MNO portal searches for an identifier ICCID of the corresponding subscription data set (in embodiments two to five, "target profile identifier ICCID" for short) and an identifier EID of the eUICC on which the subscription data set is installed (in embodiments two to five, "target eUICC identifier EID for short) according to the subscription information of the user. And the MNO portal sends a second management operation request to the subscription management server. And the second management operation request comprises a management operation which is requested by the third party application to execute on the subscription data set in the eUICC and carries a target profile identifier ICCID and a target eUICC identifier EID.
Specifically, the MNO portal sends a second management operation request to SM-DP +. Optionally, if it is required to register a management operation, which is requested by a client of the operator application to perform on the subscription data set in the eUICC, to the SM-DS, the MNO portal also sends the address of the SM-DS to the SM-DP +. SM-DP + registers a management operation event to the management operation in SM-DS, and generates a registration event identification eventID.
6. Step 6 is an optional step. And if the MNO portal also sends the address of the SM-DS to the SM-DP +, the SM-DP + registers a management operation event for the management operation executed by the eUICC requested by the operator application in the SM-DS and generates a registration event identifier (eventID).
7. And after receiving a second management operation request sent by the MNO portal, the SM-DP + server stores the parameter information in the second management operation request.
And the SM-DP + returns a request response message to the MNO portal, wherein the request response message carries a target profile identification ICCID and a target eUICC identification EID. If the SM-DP + registers a management operation event for the management operation of the eUICC in the SM-DS in step 6, and generates a registration event identifier eventID, the SM-DP + return request message may also carry the registration event identifier eventID.
8. After receiving the request response message returned by the SM-DP +, the MNO portal generates a first request carrying the target profile identification ICCID, and sends the first request to an operator application (MNO APP) in the terminal. Specifically, the MNOportal may carry the target profile identification ICCID through a trigger request (polling trigger) message, and send the target profile identification ICCID to an operator application (MNO APP) in the terminal. Optionally, the trigger request (polling trigger) message may also carry the target eUICC identifier EID. If the SM-DP + registers the management operation, which is requested by the operator application to be executed on the subscription data set in the eUICC, to the SM-DS, the trigger request (polling trigger) message may also carry a registration event identifier eventID of the SM-DP + registering the management operation in the SM-DS.
9. After receiving a first request issued by an MNO portal, an operator application (MNO APP) forwards the first request to an LPA of a terminal.
10. Step 10 is an optional step. If the trigger request message sent by the operator application (MNO APP) is received by the LPA in step 9 and includes the target eUICC identifier EID, the LPA obtains the EID identifier of the terminal eUICC from the eUICC.
11. Step 11 is an optional step. And determining whether the identifier EID of the eUICC carried in the trigger request message is the same as the EID identifier of the terminal eUICC. If so, step 12 is performed.
12. And the LPA requests the eUICC to acquire the authentication information of the third-party application contained in the subscription data set corresponding to the target profile identification (ICCID). Specifically, the LPA sends a GetProfileInfo message to the eUICC, where the GetProfileInfo message carries the target profile identifier ICCID.
13. The eUICC searches a subscription data set corresponding to the target profile identification ICCID according to the target profile identification ICCID, and sends authentication information of third-party application in the subscription data set to the LPA. Specifically, the eUICC obtains, according to a target profile identity ICCID, metadata of a subscription data set corresponding to the target profile identity ICCID. Returning authentication information of an operator application (MNO APP) stored in the metadata to the LPA. Or return the metadata to the LPA.
14. After receiving the subscription data set information returned by the eUICC, the LPA obtains, from an Operating System (OS) of the terminal, certificate information, such as a certificate and a package name, generated when the operator application is installed on the terminal.
Specifically, if the metadata of the subscription data set returned by the eUICC includes a hash algorithm, the LPA obtains the certificate applied by the operator from the operating system of the terminal. And calculating the hash value of the certificate applied by the operator by using the hash algorithm in the subscription data set. If the certificate information generated when the operator application is installed on the terminal comprises the certificate hash value, the certificate hash value in the certificate information is obtained (the default terminal operating system performs hash operation on the certificate applied by the operator according to the hash algorithm in the authentication information to generate the hash value). And if the metadata of the subscription data set returned by the eUICC and received by the LPA also comprises the package name, the LPA acquires the package name applied by the operator from an operating system of the terminal.
15. The LPA judges whether authentication information of operator application in a subscription data set returned by the eUICC is consistent with certificate information of the operator application acquired by the LPA from an operating system of the terminal.
Specifically, whether a certificate hash value applied by an operator in a subscription data set returned by the eUICC is consistent with a certificate hash value applied by an operator in an operating system is judged. Optionally, if the package name of the operator is further obtained, it is determined whether the package name of the operator application in the subscription data set returned by the eUICC is consistent with the package name of the operator application in the operating system. Optionally, it is further determined whether the operator application is allowed to call the LPA's API.
16. After the verification of step 15 is passed, the LPA sends a message request to the eUICC to acquire an address, namely a polling address (Pollingaddress), of a subscription management server side, which is stored in a subscription data set corresponding to the target profile identifier ICCID. Specifically, the LPA sends a Get polling address message to the eUICC, where the Get polling address message carries the target profile identifier ICCID.
17. And the eUICC returns the address of the SM-DP + server to the LPA according to the request of the LPA. Optionally, the eUICC can also return the address of the SM-DS server to the LPA.
18. If the address returned by the eUICC is the address of the SM-DS server in step 17, the LPA and SM-DS perform bidirectional authentication, and steps 18a and 18b are performed.
18 a: the LPA sends a management instruction acquisition (retrieve RPM/ReM) request to the SM-DS, wherein the management instruction acquisition (retrieve RPM/ReM) request carries the target eUICC identification EID. Specifically, the management instruction acquisition request may be an authentication client (authenticated client) request.
Optionally, if the SM-DP + registers the management operation, which the operator application requests to perform on the subscription data set in the eUICC, to the SM-DS, the management instruction acquisition (retrieve RPM/ReM) request may also carry the registration event identification eventID of the SM-DP + registering the management operation at the SM-DS.
18 b: and the SM-DS searches the corresponding registration event according to the target eUICC identification EID or the registration event identification evenTID, and returns a registration event record (event record) corresponding to the registration event. Wherein, the registration event record carries the eventID and the address of SM-DP +.
When the target eUICC identifier EID in the SM-DS server corresponds to multiple registration events, the registration event information corresponding to the registration event identifier may be directly obtained according to the registration event identifier eventID.
19. The LPA sends a management instruction fetch (retrieve RPM/ReM) request to SM-DP +. Wherein the target eUICC identifier EID is carried in a management instruction acquisition (retrieve RPM/ReM) request. Optionally, the registration event identifier eventID is also carried in a management instruction fetch (retrieve RPM/ReM) request. Specifically, the management instruction acquisition request may be an authentication client (authenticated client) request.
20. And the SM-DP + returns a management instruction to the LPA, so that the LPA executes management operation on the subscription data set in the eUICC according to the management instruction.
In the technical scheme of this embodiment, the user can directly manage the downloaded subscription data set of the mobile network operator by using the MNO APP, thereby improving the consistency of user experience. Meanwhile, access control management is carried out on the MNO APP accessing the API of the LPA and the MNO APP management Profile through the Profile metadata, and the safety of the MNO APP for the Profile management is guaranteed.
EXAMPLE III
As shown in fig. 4, the network element body involved in the third embodiment includes a terminal, a portal server (MNO portal) of a mobile network operator, and a subscription management server. Specifically, the terminal comprises an eUICC, an LPA, an operator application (MNO APP) installed in the terminal. The signing management server comprises an SM-DP + server and an SM-DS server. Determining, by an eUICC in the terminal, whether an operator application (MNO APP) in the terminal has permission to perform a management operation on a subscription data set in the terminal.
Wherein, steps 1-11 in the third embodiment are similar to steps 1-11 in the second embodiment, and are not repeated herein for brevity.
12. The LPA obtains certificate information, such as a certificate, a package name, etc., generated by the operator application when the terminal is installed, from an Operating System (OS) of the terminal.
13. And the LPA sends the certificate information and the target profile identification (ICCID) applied by the operator to the eUICC.
Specifically, the LPA sends a request (authenticateApp) for authenticating the MNO App to the eUICC, where the request carries a certificate of the target profile identifying the ICCID and the MNO App. Optionally, the request also carries the package name, and certificate information such as LPA API that the MNO APP requests to access.
14. And the eUICC searches authentication information applied by the operator in the subscription data set corresponding to the target profile identification ICCID according to the target profile identification ICCID. Specifically, the eUICC obtains metadata (metadata) of a subscription data set corresponding to a target profile identifier ICCID according to the target profile identifier ICCID.
If the metadata includes a hash algorithm and the certificate information sent by the LPA includes a certificate applied by the operator, the eUICC calculates a hash value hash (cert) of the certificate applied by the operator according to the hash algorithm. If the MNO APP certificate sent to the eUICC by the LPA is a certificate hash value subjected to hash operation, the eUICC directly uses the hash value hash (cert).
15. The eUICC judges whether the authentication information of the operator application in the subscription data set is consistent with the certificate information of the operator application acquired by the LPA from the operating system of the terminal.
Specifically, whether the certificate hash value applied by the operator in the subscription data set is consistent with the certificate hash value applied by the operator in the operating system is judged. Optionally, if the package name exists in the authentication information and the certificate information, further determining whether the package name of the operator application in the subscription data set returned by the eUICC is consistent with the package name of the operator application in the operating system. Optionally, it is further determined whether the operator application is allowed to call the LPA's API.
16. After the verification of step 15 is passed, the eUICC returns a response message to the LPA, where the response message carries an address, namely a Polling address, of the subscription management server side, which is stored in the subscription data set corresponding to the target profile identifier ICCID.
Specifically, if the subscription data set corresponding to the target profile identification ICCID is stored in the SM-DP + server, the eUICC returns the address of the SM-DP + server. Optionally, the eUICC can also return the address of the SM-DS server to the LPA.
17. If the address returned by the eUICC is the address of the SM-DS server in step 16, the LPA and SM-DS perform bidirectional authentication, and perform steps 17a and 17 b.
17 a: the LPA sends a management instruction acquisition (retrieve RPM/ReM) request to the SM-DS, wherein the management instruction acquisition (retrieve RPM/ReM) request carries the target eUICC identification EID. In particular, it may be an authentication client (authenticated client) request.
Optionally, if the SM-DP + registers the management operation, which the operator application requests to perform on the subscription data set in the eUICC, to the SM-DS, the management instruction acquisition (retrieve RPM/ReM) request may also carry the registration event identification eventID of the SM-DP + registering the management operation at the SM-DS.
17 b: and the SM-DS searches the corresponding registration event according to the target eUICC identification EID or the registration event identification evenTID, and returns a registration event record (event record) corresponding to the registration event. Wherein, the registration event record carries the eventID and the address of SM-DP +.
When the target eUICC identifier EID in the SM-DS server corresponds to multiple registration events, the registration event information corresponding to the registration event identifier may be directly obtained according to the registration event identifier eventID.
18. The LPA sends a management instruction fetch (retrieve RPM/ReM) request to SM-DP +. Wherein the target eUICC identifier EID is carried in a management instruction acquisition (retrieve RPM/ReM) request. Optionally, the registration event identifier eventID is also carried in a management instruction fetch (retrieve RPM/ReM) request.
19. And the SM-DP + returns a management instruction to the LPA, so that the LPA executes management operation on the subscription data set in the eUICC according to the management instruction.
In the technical scheme of this embodiment, the user can directly manage the downloaded subscription data set of the mobile network operator by using the MNO APP, thereby improving the consistency of user experience. Meanwhile, access control management is carried out on the MNO APP accessing the API of the LPA and the MNO APP management Profile through the Profile metadata, and the safety of the MNO APP for the Profile management is guaranteed. The permission of the APP is verified by the eUICC, and the system security is higher.
In the technical scheme of this embodiment, the user can directly manage the downloaded subscription data set of the mobile network operator by using the MNO APP, thereby improving the consistency of user experience. Meanwhile, access control management is carried out on the MNO APP accessing the API of the LPA and the MNO APP management Profile through the Profile metadata, and the safety of the MNO APP for the Profile management is guaranteed. The access control management is carried out on the MNO APP access LPA API and the MNO APP management Profile through the eUICC, and the safety is further improved.
In the first embodiment, the step 107 of executing the management operation on the subscription data set by the terminal includes various specific implementation methods, and in addition to the second and third embodiments of requesting the management instruction from the SM-DP + server, the method may further include directly issuing the management instruction to the terminal LPA by the MNO portal. The present application does not specifically limit the implementation of step 107. The following describes the method flow for directly issuing the management command to the terminal LPA by the MNO portal through the fourth embodiment and the fifth embodiment.
Example four
As shown in fig. 5, the network element body involved in the fourth embodiment includes a terminal, a portal server (MNO portal) of a mobile network operator, and a subscription management server. Specifically, the terminal comprises an eUICC, an LPA, an operator application (MNO APP) installed in the terminal. The subscription management server comprises an SM-DP + server. Determining, by an LPA in the terminal, whether an operator application (MNO APP) in the terminal has authority to perform a management operation on a subscription data set in the terminal. The specific signaling interaction flow is as follows:
the fourth embodiment is different from the second embodiment in that the subscription data set preset in the SM-DP + by the MNO portal stores, in addition to the certificate hash value of the operator application, management operations that the operator application is allowed to perform. When the operator application sends a management request to the MNO portal, the MNO portal verifies whether the management operation request sent by the operator application belongs to a management operation allowed to be performed by the operator application. And if the management operation request sent by the operator application belongs to the management operation which is allowed to be executed by the operator application, directly returning the management operation to the terminal so as to allow the LPA to execute the management operation. The LPA does not need to send a message again to request the acquisition of management instructions after the authentication is passed.
In the embodiment, it is determined by the LPA of the terminal whether an operator application (MNO APP) in the terminal has the right to perform a management operation on a subscription data set in the terminal.
The specific signaling interaction flow is as follows:
1. a Mobile Network Operator (MNO) has developed an operator application (MNO APP) for installation on a terminal. When an operator application is installed on a terminal, the terminal will store certificate information of said operator application, e.g. a certificate, a package name, etc. In order to enable a user to directly manage the profile of the eUICC in the terminal through the operator application, when a Mobile Network Operator (MNO) customizes a subscription data set in an SM-DP + in advance through an MNO portal server, authentication information of the application is stored in metadata of the subscription data set.
The authentication information of the operator application includes a hash value of a certificate of the operator application and a management operation allowed to be performed by the operator application. Optionally, the authentication information of the operator application may further include a hash algorithm of a certificate of the operator application, a package name (package name), and the like.
2. When the terminal downloads the subscription data set of the mobile network operator from the SM-DP +, the authentication information of the application developed by the operator is also downloaded to the terminal along with the subscription data set. In particular, the authentication information of the operator application may be stored in metadata of the subscription data set. After downloading the subscription data set to the eUICC of the terminal, the metadata of the subscription data set may be stored in an security domain space (ISD-P) created by the eUICC for the subscription data set.
When the terminal finishes downloading the subscription data set of the mobile network operator, the MNO portal server of the mobile network operator stores the subscription data set downloading record of the terminal. Specifically, the subscription dataset download record may include an identification ICCID of the downloaded subscription dataset, an identification EID of the eUICC of the downloaded subscription dataset, and the like.
3. The user opens an operator application (MNO APP) client on the terminal and logs in an MNO portal.
4. The management operation of managing the subscription data set in the eUICC is entered through the client user interface of the operator application (MNO APP). A client of an operator application (MNO APP) sends a first management operation request (PRM/ReM) carrying a request for executing management operation on a subscription data set in the eUICC to an MNO portal. The management operation may be activating a subscription dataset, deactivating a subscription dataset, deleting a subscription dataset, querying eUICC information, downloading another new subscription dataset, etc. See in particular the application scenario shown in fig. 1A. Specifically, after a user logs in an operator application (MNO APP) client on a terminal, the operator application (MNO APP) client acquires subscription information of the user during operator registration from an MNO portal, and inputs a management operation for managing a subscription data set in the eUICC on a client user interface of the application according to the subscription information.
5. After receiving a first management operation request sent by a client of an operator application, an MNO portal determines whether a management operation carried in the request message is a management operation allowed to be executed by the operator application.
If so, the MNO portal searches the ID ICCID (target profile ID ICCID for short) of the corresponding subscription data set according to the subscription information of the user, and returns the first request to the terminal.
The first request carries a target profile identification ICCID, and a management operation requested by an allowed MNO APP or a management operation generated by an allowed MNO portal.
Optionally, the first request further carries a target eUICC identifier EID.
Optionally, the MNO portal signs the information sent to the MNO App. And the first request also carries the signature of the MNO portal and the certificate of the portal to an operator application in the terminal.
6. And the MNO App calls an API of the LPA to send the first request received in the step 5 to the LPA.
7. Step 7 is an optional step. If the LPA receives the first request forwarded by the MNO APP and includes the target eUICC identifier EID in step 6, the LPA obtains the EID identifier of the terminal eUICC from the eUICC.
8. Step 8 is an optional step. And if the LPA receives the eUICC identification EID forwarded by the MNO APP in the step 10 and the LPA acquires the EID identification of the terminal eUICC from the eUICC, determining whether the target eUICC identification EID is the same as the EID identification of the terminal eUICC. If so, step 9 is performed.
9. Step 9 is an optional step. If in step 6, the LPA receives the first request forwarded by the MNO APP and includes that the MNO oportal signs the information sent to the MNO APP, the LPA verifies whether the signature is correct. If the signature is correct, step 10 is performed.
Optionally, if the signature is correct, the user is further prompted through a UI interface of the LPA whether to allow the LPA to perform management operations on the eUICC. If the user confirms that the LPA is allowed to perform management operations on the eUICC, step 10 is performed.
10. And the LPA sends the target profile identification ICCID to the eUICC of the terminal so as to acquire the authentication information of the third-party application contained in the subscription data set corresponding to the ICCID. Specifically, the LPA sends a GetProfileInfo message to the eUICC, where the GetProfileInfo message carries the target profile identifier ICCID.
11. And the eUICC searches a subscription data set corresponding to the target profile identification ICCID according to the target profile identification ICCID, and sends authentication information of the third-party application in the subscription data set to the LPA. Specifically, the eUICC identifies the ICCID, and obtains metadata of a subscription data set corresponding to the target ICCID. Returning authentication information of an operator application (MNO APP) stored in the metadata to the LPA. Or return the metadata to the LPA.
12. After receiving the subscription data set information returned by the eUICC, the LPA obtains, from an Operating System (OS) of the terminal, certificate information, such as a certificate and a package name, generated when the operator application is installed on the terminal.
Specifically, if the metadata of the subscription data set returned by the eUICC includes a hash algorithm, the LPA obtains the certificate applied by the operator from the operating system of the terminal. And calculating the hash value of the certificate applied by the operator by using the hash algorithm in the subscription data set. If the certificate information generated by the operator application during terminal installation includes the certificate hash value, the certificate hash value in the certificate information is acquired. (the default terminal operating system has performed hash operation on the operator application certificate according to the hash algorithm in the authentication information to generate a hash value), if the LPA receives the package name in the metadata of the subscription data set returned by the eUICC, the LPA obtains the package name of the operator application from the terminal operating system.
13. The LPA judges whether authentication information of operator application in a subscription data set returned by the eUICC is consistent with certificate information of the operator application acquired by the LPA from an operating system of the terminal.
Specifically, whether a certificate hash value applied by an operator in a subscription data set returned by the eUICC is consistent with a certificate hash value applied by an operator in an operating system is judged. Optionally, if the package name of the operator is further obtained, it is determined whether the package name of the operator application in the subscription data set returned by the eUICC is consistent with the package name of the operator application in the operating system. Optionally, it is further determined whether the operator application is allowed to perform the management operation in step 6.
14. If the 13 th step of verification passes, the LPA sends a first request to the eUICC. And the first request carries the management operation and the target profile identification ICCID in the step 6.
15. And the eUICC returns the execution result of the management operation.
Specifically, if the management operation command is to edit the eUICC, the returned result includes information about the eUICC, such as available memory space, and the like.
16. The LPA returns the result of the execution of the management operation to the MNO APP.
17. And the MNO App returns the execution result of the management operation to the MNO portal.
Through the embodiment, an operator can directly utilize MNO APP to manage the profile without going through SM-DP + and SM-DS, so that the whole process is shortened, and the user experience is improved.
EXAMPLE five
As shown in fig. 6, the network element body involved in the fifth embodiment includes a terminal, a portal server (MNO portal) of a mobile network operator, and a subscription management server. Specifically, the terminal comprises an eUICC, an LPA, an operator application (MNO APP) installed in the terminal. The subscription management server comprises an SM-DP + server. Determining, by an LPA in the terminal, whether an operator application (MNO APP) in the terminal has authority to perform a management operation on a subscription data set in the terminal.
The present embodiment is different from the fourth embodiment in that the eUICC of the terminal determines whether an operator application (MNO APP) in the terminal has an authority to perform a management operation on a subscription data set in the terminal.
The specific signaling interaction flow is as follows:
the method flow of steps 1 to 8 in this embodiment is similar to the method flow of steps 1 to 8 in the fourth embodiment, and for brevity, no further description is provided here.
9. Step 9 is an optional step. The UI interface of the LPA prompts the user whether to allow the LPA to perform management operations on the eUICC. If the user confirms that the LPA is allowed to perform management operations on the eUICC, step 10 is performed.
10. The LPA sends a first request to the eUICC. The first request carries the management operation in step 6, the certificate information of the operator application, and the target profile identification ICCID.
11. And the eUICC acquires a subscription data set metadata corresponding to the ICCID according to the target profile identification ICCID.
Specifically, the eUICC identifies the ICCID, and obtains metadata of a subscription data set corresponding to the target ICCID.
Specifically, if the metadata of the subscription data set includes a hash algorithm, the eUICC calculates a hash value of the certificate applied by the operator using the hash algorithm in the subscription data set. And if the certificate information of the operator application forwarded by the LPA comprises the certificate hash value, directly obtaining the certificate hash value in the certificate information.
Optionally, if the signature of the MNO portal is included in the first request received by the eUICC, the eUICC verifies whether the signature is correct. And if the signature is correct, acquiring a subscription data set corresponding to the ICCID according to the target profile identification ICCID.
12. The eUICC determines whether the authentication information of the operator application in the subscription data set is consistent with the certificate information of the operator application sent by the LPA.
Specifically, whether the certificate hash value applied by the operator in the subscription data set is consistent with the certificate hash value applied by the operator is judged. Optionally, if the package name of the operator is further obtained, it is determined whether the package name applied by the operator in the subscription data set is consistent with the package name applied by the operator.
And if the authentication information of the operator application in the subscription data set is verified to be consistent with the certificate information of the operator application sent by the LPA, the eUICC executes the management operation in the step 10.
Optionally, after verifying whether the authentication information of the operator application in the subscription data set and the certificate information of the operator application sent by the LPA are consistent, further determining whether to allow the operator application to perform the management operation in step 10. If the verification is passed and the operator application is allowed to perform the management operation in step 10, the eUICC performs the management operation in step 10.
13. And the eUICC returns the execution result of the management operation.
Specifically, if the management operation command is to edit the eUICC, the returned result includes information about the eUICC, such as available memory space, and the like.
14. The LPA returns the result of the execution of the management operation to the MNO APP.
15. And the MNO App returns the execution result of the management operation to the MNO portal.
Through the embodiment, an operator can directly utilize MNO APP to manage the profile without going through SM-DP + and SM-DS, so that the whole process is shortened, and the user experience is improved. The access control management is carried out on the MNO APP access LPA API and the MNO APP management Profile through the eUICC, and the safety is further improved.
In the above embodiment, the main body authenticating the MNO APP management profile authority is the terminal. In another embodiment, the principal authenticating the MNO APP authority to manage profile may also be a subscription management server.
EXAMPLE six
An embodiment of the present invention provides another method for managing a subscription data set, where, as shown in fig. 7, a subscription data set is downloaded in advance in an eUICC of a terminal, and an access right of an LPA application interface is configured in advance in the terminal. The method comprises the following steps:
201. and the third party application of the terminal sends a first management operation request to the third party application server.
The first management operation request comprises a management operation which is requested by a third party application to execute to subscription data in the eUICC.
202. And the third party application server sends a second management operation request to the subscription management server, wherein the second management operation request comprises the management operation of the third party application request on the subscription data, the identifier ICCID of the subscription data set, the identifier EID of the terminal eUICC and the authentication information of the third party application.
In another embodiment, step 201 may not be performed, and step 202 may be performed directly.
Namely, the third-party application server automatically generates a second management operation request and sends the second management operation request to the signing management server, and the third-party application in the terminal is not required to send the first management operation request.
203. And the third party application server receives a management request response returned by the subscription management server, wherein the management request response comprises an identifier ICCID of the subscription data set and an identifier EID of the terminal eUICC.
And the third party application server sends the identifier ICCID of the subscription data set in the terminal to the terminal.
Optionally, the third party application server may further send the terminal eUICC identifier EID to the terminal
204. The terminal acquires certificate information of a third party application prestored in the terminal, and determines whether the third party application has the authority of calling a terminal LPA application interface or not according to the certificate information of the third party application. If the third party application has the right to call the LPA application interface of the terminal, step 205 is performed.
205. The terminal sends a management instruction acquisition request to a subscription management server, wherein the management instruction acquisition request carries a terminal eUICC identification EID and certificate information of a third party application prestored in the terminal.
206. And the subscription management server verifies whether the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the terminal eUICC. If the verification passes, step 207 is performed.
207. And the terminal receives a management instruction returned by the signing management server and executes management operation on the signing data set in the terminal eUICC according to the management instruction.
In the embodiment of the invention, the existing eUICC system architecture of the current terminal is utilized, the subscription data set in the eUICC is managed through third-party application under the condition of not increasing an additional application module, and a management entrance of the subscription data set in the eUICC is increased. The authorization of MNO APP is put to the network side for verification, the complexity of the method flow is further simplified, and the authentication operation of the terminal side is simplified.
Two specific examples are described in detail below. It is assumed that the third party application is an operator application (MNO APP) installed in the terminal developed by the operator.
EXAMPLE seven
As shown in fig. 8, the network element body involved in the seventh embodiment includes a terminal, a portal server (MNO portal) of a mobile network operator, and a subscription management server. Specifically, the terminal comprises an eUICC, an LPA, an operator application (MNO APP) installed in the terminal. The eUICC in the terminal has previously downloaded the subscription data set. The signing management server comprises an SM-DP + server and an SM-DS server. Determining, by the subscription management server, whether an operator application (MNO APP) in the terminal has permission to perform a management operation on a subscription data set in the terminal. The specific signaling interaction flow is as follows:
0. and configuring the access right of the third-party application calling the LPA application interface in the LPA of the terminal. For example, when the root certificate of the third party application is the certificate of the GSMA CI, the third party application is allowed to invoke the application interface of the LPA.
Optionally, the access right of the third party application for calling the LPA application interface may also be configured in the eUICC of the terminal, and the LPA then obtains the access right of the third party application for calling the LPA application interface from the eUICC.
1. A Mobile Network Operator (MNO) has developed an operator application (MNO APP) for installation on a terminal. When an operator application is installed on a terminal, the terminal will store certificate information of said operator application, e.g. a certificate, a package name, etc.
The user opens an operator application (MNO APP) client on the terminal and logs in an MNO portal.
2. The management operation of managing the subscription data set in the eUICC is entered through the client user interface of the operator application (MNO APP). An operator application (MNO APP) client sends a request message (i.e., a first management operation request) to an MNO portal, carrying a request message requesting execution of a management operation request on a subscription data set in the eUICC. The management operation may be activating a subscription dataset, deactivating a subscription dataset, deleting a subscription dataset, querying eUICC information, downloading another new subscription dataset, etc.
Specifically, after a user logs in an operator application (MNO APP) client on a terminal, obtaining subscription information of the user during operator registration, and inputting a management operation for managing a subscription data set in the eUICC in a client user interface of the application according to the subscription information.
3. And after receiving the first management operation request, the MNO portal searches for an identifier ICCID of the subscription data set downloaded by the terminal, an identifier EID of the eUICC which downloads the subscription data set by the terminal, and authentication information applied by the operator. And generating a second management operation request and sending the second management operation request to the SM-DP + server. The second management operation request carries an identifier ICCID of the subscription data set, an identifier EID of the terminal eUICC, authentication information of the operator application and management operation executed by the operator application request on the subscription data set in the eUICC.
The operator applied authentication information includes a certificate hash value. Optionally, the authentication information of the operator application may further include a package name, a hash algorithm, and the like of the operator application.
4. Step 4 is an optional step. And the SM-DP + sends the identification EID of the terminal eUICC and the authentication information applied by the operator to the SM-DS.
And if the MNO portal also sends the address of the SM-DS to the SM-DP +, the SM-DP + registers a management operation event for the management operation executed by the eUICC requested by the operator application in the SM-DS, and generates a registration event identifier (eventID). And after the SM-DS generates the registration event identification evenTID, sending the registration event identification evenTID to the SM-DP +.
5. And after receiving a second management operation request sent by the MNO portal, the SM-DP + server stores the message carried in the second management operation request.
And the SM-DP + returns a request response message to the MNO portal, wherein the request response message carries the identification ICCID of the subscription data set and the identification EID of the terminal eUICC.
Optionally, if the SM-DP + is in the SM-DS, a management operation event is registered for a management operation that the operator application requests to execute on the eUICC, the request response message returned by the SM-DP + may further include a registration event identifier eventID.
6. And after receiving the request response message returned by the SM-DP +, the MNO portal sends a trigger request message to an MNO APP in the terminal. Wherein the trigger request (polling trigger) message carries an identifier ICCID of the subscription data set.
Optionally, the trigger request (polling trigger) message may also carry one or more of the following parameters: the terminal eUICC identification EID, the registration event identification eventID and the hash algorithm.
7. After receiving the trigger request message sent by the MNO portal, an operator application (MNO APP) forwards the trigger request message to an LPA of the terminal.
8. The LPA acquires the MNO APP certificate from the operating system and confirms whether the MNO APP has the access right for calling the LPA application interface. For example, it is confirmed whether the root certificate of the MNO APP is the certificate of the GSMA CI, and if so, the MNO APP is allowed to call the application interface of the LPA.
9. Step 9 is an optional step. If the LPA receives the trigger request message sent by the operator application (MNO APP) and includes the identifier EID of the terminal eUICC in step 7, the LPA obtains the EID identifier of the terminal eUICC from the eUICC.
10. Step 10 is an optional step. And determining whether the EID of the terminal eUICC in the trigger request message is the same as the EID of the eUICC acquired by the LPA from the eUICC. If so, step 11 is performed.
11. And the LPA sends a message carrying the identification ICCID of the subscription data set to the eUICC to request to acquire the address of the subscription management server stored in the subscription data set corresponding to the identification ICCID of the subscription data set.
12. And if the signing data set corresponding to the identifier ICCID of the signing data set is stored in the SM-DP + server, the eUICC returns the address of the SM-DP + server. And if the subscription data set corresponding to the identifier ICCID of the subscription data set is stored in the SM-DS server, the eUICC returns the address of the SM-DS server.
13. If the address returned by the eUICC is the address of the SM-DS server in step 12, steps 13 and 14 are performed. If the address returned by the eUICC is the address of the SM-DP + server, step 16 is performed directly.
The LPA sends a request message for acquiring a registration event (retrieve event) to the SM-DS, and requests to search for the registration event corresponding to the terminal eUICC identifier EID. The request message of the registration event (retrievevent) carries certificate information of the terminal eUICC identifier EID and the MNO APP.
Optionally, the request message for acquiring the registration event (retrievevent) may also carry a registration event identifier eventID.
Optionally, the request message for acquiring the registration event (retrieve event) may also carry a package name (package name) of the MNO APP.
Optionally, the certificate information of the MNO APP may be a certificate of the MNO APP, or may be a hash value obtained by the terminal performing hash operation on the certificate of the MNO APP according to a hash algorithm carried in the trigger request message in step 7.
14. And after receiving the request message for acquiring the registration event (retrieve event), the SM-DS searches a corresponding registration event record (event record) according to the terminal eUICC identifier EID or the registration event identifier evenID.
It is then determined whether the hash value of the certificate carried in the request message to retrieve the registration event (retrievevent) is the same as the hash value recorded in the registration event. If the request message for acquiring the registration event (retrievevent) carries the certificate, the SM-DS needs to perform hash operation on the certificate before comparison, calculate a hash value, and compare the hash value with the hash value recorded in the registration event.
Optionally, if the request message for acquiring the registration event (retrievent) may further carry a package name (package name) of the MNO APP. It is determined whether the packet name carried in the request message of the registration event (retrievevent) is the same as the packet name of the registration event record.
15. And if the verification result in the step 14 is the same, the SM-DS returns the eventID and the SM-DP + address corresponding to the registration event record to the LPA of the terminal.
16. And the terminal sends a management instruction acquisition (retrieve RPM/ReM) request to a corresponding SM-DP + server to acquire the management instruction according to the SM-DP + address returned in the step 14 or the SM-DP + address sent by the eUICC in the step 12.
The management instruction obtains (retrieve RPM/ReM) a certificate carrying the terminal eUICC identification EID and the MNOAPP in the request.
Optionally, the management instruction fetch (retrieve RPM/ReM) request may also carry a registration event identifier eventID.
Optionally, the management instruction acquisition (retrieve RPM/ReM) request may also carry a package name (package name) of the MNO APP.
17. After receiving a retrieve management command retrieve (RPM/ReM) request, SM-D P + searches for a corresponding management request according to the terminal eUICC identifier EID or the registration event identifier eventID. The management request is the second management operation request received by SM-D P + in step 3.
It is then determined whether the hash value of the certificate carried in the retrieve management instruction retrieve (retrieve RPM/ReM) request is the same as the certificate hash value carried in the second management operation request. If the certificate is carried in the request for acquiring the management command (retrieve RPM/ReM), the SM-DP + needs to perform hash operation on the certificate before comparison, calculate a hash value, and compare the hash value with the hash value carried in the second management operation request.
Optionally, if the management instruction acquisition (retrieve RPM/ReM) request may also carry a package name (package name) of the MNO APP. It is determined whether the packet name carried in the management instruction fetch (retrieve RPM/ReM) request is the same as the packet name in the second management operation request.
18. And if the verification results in the step 17 are the same, the SM-DP + returns a management instruction corresponding to the second management operation request to the LPA, so that the LPA executes management operation on the subscription data set in the eUICC according to the management instruction.
In the technical scheme of the embodiment, the authorization information of the MNO APP does not need to be preset in the profile in advance, and the application range is expanded. Meanwhile, the authorization of MNO APP is put to the network side for verification, so that the complexity of the method flow is further simplified, and the authentication operation of the terminal side is simplified.
Example eight
As shown in fig. 9, the network element body according to the eighth embodiment includes a terminal, a portal server (MNO portal) of a mobile network operator, and a subscription management server. Specifically, the terminal comprises an eUICC, an LPA, an operator application (MNO APP) installed in the terminal. The eUICC in the terminal has previously downloaded the subscription data set. The signing management server comprises an SM-DP + server and an SM-DS server. Determining, by the subscription management server, whether an operator application (MNO APP) in the terminal has permission to perform a management operation on a subscription data set in the terminal.
The difference between the eighth embodiment and the seventh embodiment is that when the terminal verifies that the third-party application calls the access right of the LPA application interface, the eUICC of the terminal is executed as the main body.
The specific signaling interaction flow is as follows:
as shown in fig. 9, steps 8 to 14 in the eighth embodiment are different from those in the seventh embodiment, and the remaining steps may refer to the detailed description of the similar steps in the seventh embodiment, and are not repeated herein for brevity.
8. The LPA obtains the credentials of the MNO APP from the operating system. Optionally, the LPA may also obtain the packet name of the MNO APP from the operating system.
9. Step 9 is an optional step. If the LPA receives the trigger request message sent by the operator application (MNO APP) and includes the identifier EID of the terminal eUICC in step 7, the LPA obtains the EID identifier of the terminal eUICC from the eUICC.
10. Step 10 is an optional step. And determining whether the EID of the terminal eUICC in the trigger request message is the same as the EID of the eUICC acquired by the LPA from the eUICC. If so, step 11 is performed.
11. The LPA sends a certificate of the MNO APP to the eUICC, and requests the eUICC for verification.
12. The eUICC confirms whether the MNO APP has access rights to call the LPA application interface. For example, it is confirmed whether the root certificate of the MNO APP is the certificate of the GSMA CI, and if so, the MNO APP is allowed to call the application interface of the LPA. If the verification passes, step 13 is performed.
13. And the eUICC sends the verification passing message of the step 12 to the LPA. And the LPA sends a message carrying the identification ICCID of the subscription data set according to the message and requests to acquire the address of the subscription management server stored in the subscription data set corresponding to the identification ICCID of the subscription data set.
In the technical scheme of this embodiment, the eUICC verifies whether the third-party application has an access right to invoke the LPA application interface, so that the security is higher.
In addition, an embodiment of the present invention provides a terminal, where the terminal is configured to execute the steps executed by the terminal in the above subscription data set management method. The terminal provided in this embodiment may include modules corresponding to the respective steps.
In the embodiment of the present application, the terminal may be divided into the functional modules according to the method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The division of the modules in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
In the case of integrated units, fig. 10 shows a possible structural diagram of the terminal involved in the above-described embodiment. As shown in fig. 10, the terminal includes a processor 701, a memory 702, an integrated circuit card eUICC703, and a system bus 704, a transceiver 705. Wherein the processor 701 is configured to perform the method steps shown in fig. 2-6; the eUICC703 is used to store a subscription data set downloaded into the terminal. The terminal interacts with other devices through the transceiver 705, such as: a subscription management server and a third-party application server.
In the present embodiment, the Memory 702 may include a volatile Memory, such as an NVRAM (non-volatile Random Access Memory), a PRAM (Phase change ram), an MRAM (Magnetic Random Access Memory), and the like; the Memory 702 may also include a non-volatile Memory such as at least one of a magnetic disk storage device, an EEPROM (Electrically Erasable Programmable Read-Only Memory), a flash Memory device such as a NOR flash Memory (NOR flash Memory) or a NOR flash Memory (NAND flash Memory). The non-volatile memory stores an operating system and an application program executed by the processor. The processor 701 loads the operating program and data from the non-volatile memory into the memory and stores the data content in the mass storage device.
The one or more processors 701 are the control center for the terminal. The processor 701 connects various parts of the entire terminal using various interfaces and lines, performs various functions of the terminal and processes data by running or executing software programs and/or application modules stored in the memory 172 and calling data stored in the memory 702, thereby monitoring the terminal as a whole.
The processor 701 may include only a CPU, or may be a combination of a CPU, a GPU (graphics Processing Unit), a DSP, and a control chip (e.g., a baseband chip) in the communication Unit. In the embodiments of the present application, the CPU may be a single arithmetic core or may include multiple arithmetic cores.
The system bus 704 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (extended Industry Standard Architecture) bus, or the like. The system bus 704 may be divided into an address bus, a data bus, a control bus, and the like. For clarity of illustration in the embodiments of the present application, the various buses are illustrated in FIG. 10 as system bus 704.
As shown in fig. 10, the one or more processors 701 are configured to perform the following steps.
And controlling the transceiver to acquire a subscription data set from a subscription management server, wherein the subscription data set comprises authentication information of third-party application.
And receiving a first request sent by the third-party application server and received by the transceiver, wherein the first request carries an identifier ICCID of the subscription data set, and the first request is used for triggering the execution of management operation on the subscription data set in the eUICC.
And acquiring authentication information of the third-party application contained in the subscription data set in the eUICC according to the identity ICCID of the subscription data set.
And acquiring the certificate information of the third-party application stored in the terminal.
And determining whether the third-party application has the authority to trigger management operation on the signed data set or not according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application.
And if the third-party application has the authority to trigger the management operation on the signed data set, executing the management operation on the signed data set.
Optionally, the processor 701 is further configured to: and controlling the transceiver to send a first management operation request to a third-party application server, wherein the first management operation request comprises a management operation executed by the third-party application request on a subscription data set in the eUICC.
In another embodiment, the third party application server generates a management operation to perform on a subscription data set in the eUICC.
Optionally, the processor 701 is further configured to:
and receiving an identifier EID of the eUICC, which is returned by the third-party application server and received by the transceiver.
And determining whether the identifier EID of the eUICC returned by the third party application server is the same as the identifier EID of the eUICC of the terminal.
And if the identifier EID of the eUICC returned by the third-party application server is determined to be the same as the identifier EID of the eUICC of the terminal, acquiring authentication information of the third-party application contained in the subscription data set in the eUICC according to the identifier ICCID of the subscription data set.
Optionally, the processor 701 is further configured to:
and indicating the LPA of the terminal to determine whether the third-party application has the authority to trigger management operation on the signed data set or not according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application.
Or indicating the eUICC of the terminal to determine whether the third-party application has the authority to trigger management operation on the subscription data set according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application.
Optionally, the processor 701 is further configured to:
and indicating the LPA of the terminal to send a management instruction acquisition request to the subscription management server according to the first request.
And receiving a management instruction returned by the signing management server according to the management instruction acquisition request received by the transceiver.
And instructing the LPA of the terminal to execute the management operation in the first management operation request on the subscription data set in the eUICC according to the management instruction.
Optionally, the first request includes a management command indicating a management operation. The processor 701 is further configured to instruct the LPA of the terminal to perform, according to the first request, the management operation indicated in the first request on the subscription data set in the eUICC.
Fig. 11 shows a schematic diagram of a possible structure of the subscription management server involved in the above embodiment. As shown in fig. 11, the subscription management server includes a processor 801, a memory 802, a system bus 803, and a transceiver 804. Wherein the processor 801 is configured to perform the method steps shown in fig. 7-9. The subscription management server interacts with other devices through the communication interface 804, such as: terminal, third party application server.
As shown in fig. 11, the one or more processors 801 are configured to perform the following steps.
And receiving a second management operation request sent by a third-party application server and received by the transceiver, wherein the second management operation request comprises a management operation executed on subscription data in a terminal, an identifier ICCID of a subscription data set in the terminal, an identifier EID of the terminal eUICC and authentication information of a third-party application in the terminal.
And generating a management request response, and controlling the transceiver to send the management request response to the third-party application server, wherein the management request response comprises an identifier ICCID (identity identifier) of a subscription data set in the terminal and an identifier EID (identity identifier) of the terminal eUICC, so that the third-party application server sends the identifier ICCID of the subscription data set in the terminal and the identifier EID of the terminal eUICC to the terminal.
And receiving a management instruction acquisition request sent by the terminal and received by the transceiver, wherein the management instruction acquisition request carries an identifier EID of the eUICC of the terminal and certificate information of the third-party application stored in the terminal.
And verifying whether the third-party application in the terminal has the authority to trigger the management operation on the signed data set in the eUICC of the terminal according to the management instruction acquisition request and the second management operation request.
And if the subscription management server verifies that the third-party application in the terminal has the authority to trigger management operation on the subscription data set in the eUICC of the terminal, controlling the transceiver to return a management instruction to the terminal so that the terminal executes management operation on the subscription data set in the eUICC of the terminal according to the management instruction.
Optionally, the one or more processors are further configured to:
according to the identification EID of the terminal eUICC in the management instruction acquisition request, searching a second management operation request associated with the identification EID of the terminal eUICC;
determining whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determining that the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
Optionally, the management request response further includes a registration event identification event ID, where the registration event identification event ID is used to identify a management operation event registered by the subscription management server according to the second management operation request.
The management instruction acquisition request also carries the registration event identification event ID.
The one or more processors are further to:
according to the registration event identification event ID in the management instruction acquisition request, searching a second management operation request associated with the registration event identification event ID;
determining whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determining that the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
It will be clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules as needed, that is, the internal structure of the mobile device is divided into different functional modules to perform all or part of the above described functions. For the specific working processes and technical effects of the system, the mobile device and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, mobile device and method may be implemented in other ways. For example, the above-described mobile device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and other divisions may be realized in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of the mobile devices or units through some interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a Universal Serial bus flash disk (usb flash disk), a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (22)

1. A method for managing a subscription data set, the method being performed by a terminal, the terminal including an integrated circuit card eUICC, an LPA (Local Profile Assistant), and a third-party application, the method comprising:
a terminal acquires a signing data set from a signing management server, wherein the signing data set comprises authentication information of third-party application;
the terminal receives a first request sent by the third-party application server, wherein the first request carries an identifier ICCID of the subscription data set, and the first request is used for triggering the execution of management operation on the subscription data set in the eUICC;
the terminal acquires authentication information of the third-party application contained in the subscription data set in the eUICC according to the identity ICCID of the subscription data set;
the terminal acquires certificate information of the third-party application stored in the terminal;
the terminal determines whether the third-party application has the authority to trigger management operation on the signed data set or not according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application;
and if the third-party application has the authority to trigger management operation on the signed data set, the terminal executes the management operation on the signed data set.
2. The management method according to claim 1, wherein before the terminal receives the first request sent by the third-party application server, the method further comprises:
and the third party application of the terminal sends a first management operation request to a third party application server, wherein the first management operation request comprises the management operation of the third party application request on the signed data set in the eUICC.
3. The management method according to claim 1, wherein before the terminal receives the first request sent by the third-party application server, the method further comprises:
and the third-party application server generates a management operation executed on a subscription data set in the eUICC.
4. The method according to any one of claims 1 to 3, wherein before the terminal obtains the authentication information of the third-party application included in the subscription data set in the eUICC according to the identifier ICCID of the subscription data set, the method further includes:
the terminal receives an identifier EID of the eUICC returned by the third-party application server;
the terminal determines whether the identifier EID of the eUICC returned by the third-party application server is the same as the identifier EID of the eUICC of the terminal;
and if the terminal determines that the identifier EID of the eUICC returned by the third-party application server is the same as the identifier EID of the eUICC of the terminal, the terminal acquires the authentication information of the third-party application contained in the subscription data set in the eUICC according to the identifier ICCID of the subscription data set.
5. A method for managing a subscription data set, the method having all the features of any one of claims 1 to 4, and the terminal determining whether a third-party application in the subscription data set has a right to trigger a management operation on the subscription data set according to authentication information of the third-party application and certificate information of the third-party application, including:
the LPA of the terminal determines whether the third-party application has the authority to trigger management operation on the signed data set according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application;
or, the eUICC of the terminal determines whether the third-party application has the authority to trigger management operation on the subscription data set according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application.
6. A method for managing a subscription data set, characterized in that it has all the features of the method of claim 2, and in that said terminal performs said management operations on said subscription data set, comprising:
the LPA of the terminal sends a management instruction acquisition request to the signing management server according to the first request;
the LPA of the terminal receives a management instruction returned by the signing management server according to the management instruction acquisition request;
and the LPA of the terminal executes the management operation in the first management operation request on the subscription data set in the eUICC according to the management instruction.
7. A method of subscription data set management, characterized in that it has all the features of the method of any one of claims 1 to 5, and in that it further comprises:
the first request comprises an indication indicating a management operation;
the terminal performs the management operation on the subscription data set, including:
and the LPA of the terminal executes the management operation indicated in the first request to the subscription data set in the eUICC according to the first request.
8. A subscription data set management method, performed by a subscription management server, the method comprising:
the subscription management server receives a second management operation request sent by a third-party application server, wherein the second management operation request comprises management operation executed on subscription data in a terminal, an identifier ICCID of a subscription data set in the terminal, an identifier EID of the terminal eUICC and authentication information of a third-party application in the terminal;
the contract signing management server sends a management request response to the third party application server, wherein the management request response comprises an identifier ICCID of a contract signing data set in the terminal and an identifier EID of the terminal eUICC;
the contract signing management server acquires a management instruction acquisition request sent by the terminal, wherein the management instruction acquisition request carries an identification EID of the terminal eUICC and certificate information of third party application stored in the terminal;
the signing management server acquires a request and the second management operation request according to the management instruction, and verifies whether a third party application in the terminal has the authority to trigger management operation on a signing data set in the terminal eUICC;
and if the subscription management server verifies that the third-party application in the terminal has the authority to trigger the management operation on the subscription data set in the eUICC, the subscription management server returns a management instruction to the terminal so that the terminal executes the management operation on the subscription data set in the eUICC according to the management instruction.
9. The method according to claim 8, wherein the verifying, by the subscription management server, whether the third-party application in the terminal has the right to trigger the management operation on the subscription data set in the eUICC of the terminal according to the management instruction obtaining request and the second management operation request includes:
the subscription management server acquires the identifier EID of the terminal eUICC in the request according to the management instruction, and searches a second management operation request associated with the identifier EID of the terminal eUICC;
the subscription management server determines whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determining that the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
10. The management method according to claim 9 or 8, wherein the management request response sent by the subscription management server further includes a registration event identification event ID, where the registration event identification event ID is used to identify the management operation event registered by the subscription management server according to the second management operation request;
the signing management server acquires a management instruction acquisition request sent by the terminal and also carries the registration event identification (event ID);
the signing management server obtains the request and the second management operation request according to the management instruction, verifies whether a third party application in the terminal has the authority to trigger the management operation on a signing data set in the terminal eUICC, and comprises the following steps:
the signing management server obtains a registration event identification (event ID) in the request according to the management instruction, and searches a second management operation request associated with the registration event identification (event ID);
the subscription management server determines whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
11. A terminal, comprising a transceiver, an integrated circuit card (eUICC) to store a subscription data set, a memory, and one or more processors to execute one or more programs stored in the memory,
the one or more processors are to:
controlling the transceiver to acquire a subscription data set from a subscription management server, wherein the subscription data set comprises authentication information of third-party application;
receiving a first request sent by the third-party application server and received by the transceiver, wherein the first request carries an identifier ICCID of the subscription data set, and the first request is used for triggering execution of management operation on the subscription data set in the eUICC;
acquiring authentication information of third-party application contained in a subscription data set in the eUICC according to the identity ICCID of the subscription data set;
acquiring certificate information of the third-party application stored in the terminal;
determining whether the third-party application has the authority to trigger management operation on the signed data set or not according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application;
and if the third-party application has the authority to trigger the management operation on the signed data set, executing the management operation on the signed data set.
12. The terminal of claim 11, wherein the processor is further configured to:
and controlling the transceiver to send a first management operation request to a third-party application server, wherein the first management operation request comprises a management operation executed by the third-party application request on a subscription data set in the eUICC.
13. The terminal of claim 11,
and the third-party application server generates a management operation executed on a subscription data set in the eUICC.
14. The terminal of any of claims 11 to 13, wherein the processor is further configured to:
receiving an identifier EID of the eUICC, which is returned by the third-party application server and received by the transceiver;
determining whether the identifier EID of the eUICC returned by the third party application server is the same as the identifier EID of the eUICC of the terminal;
and if the identifier EID of the eUICC returned by the third-party application server is determined to be the same as the identifier EID of the eUICC of the terminal, acquiring authentication information of the third-party application contained in the subscription data set in the eUICC according to the identifier ICCID of the subscription data set.
15. A terminal, characterized in that it has all the features of a terminal according to any of claims 11 to 14, and in that said processor is further adapted to:
instructing the LPA of the terminal to determine whether the third-party application has the authority to trigger management operation on the signed data set according to the authentication information of the third-party application in the signed data set and the certificate information of the third-party application;
or indicating the eUICC of the terminal to determine whether the third-party application has the authority to trigger management operation on the subscription data set according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application.
16. A terminal characterized in that the terminal has all the features of the terminal of claim 12 and in that the processor is further configured to:
instructing the LPA of the terminal to send a management instruction acquisition request to the subscription management server according to the first request;
receiving a management instruction returned by the signing management server according to the management instruction acquisition request received by the transceiver;
and instructing the LPA of the terminal to execute the management operation in the first management operation request on the subscription data set in the eUICC according to the management instruction.
17. A terminal characterized in that it has all the features of the terminal of any one of claims 11 to 15 and in that said first request comprises a management command indicating a management operation;
the processor is further configured to:
and instructing the LPA of the terminal to execute the management operation indicated in the first request on a subscription data set in the eUICC according to the first request.
18. A subscription management server, comprising a transceiver, a memory, and one or more processors to execute one or more programs stored in the memory,
the one or more processors are to:
receiving a second management operation request sent by a third-party application server and received by the transceiver, wherein the second management operation request comprises a management operation executed on subscription data in a terminal, an identifier ICCID of a subscription data set in the terminal, an identifier EID of the terminal eUICC and authentication information of a third-party application in the terminal;
generating a management request response, and controlling the transceiver to send the management request response to the third-party application server, where the management request response includes an identifier ICCID of a subscription data set in the terminal and an identifier EID of the terminal eUICC, so that the third-party application server sends the identifier ICCID of the subscription data set in the terminal and the identifier EID of the terminal eUICC to the terminal;
receiving a management instruction acquisition request sent by the terminal and received by the transceiver, wherein the management instruction acquisition request carries an identifier EID of the eUICC of the terminal and certificate information of a third-party application stored in the terminal;
according to the management instruction acquisition request and the second management operation request, verifying whether a third-party application in the terminal has the authority to trigger management operation on a subscription data set in the eUICC of the terminal;
and if the subscription management server verifies that the third-party application in the terminal has the authority to trigger management operation on the subscription data set in the eUICC of the terminal, controlling the transceiver to return a management instruction to the terminal so that the terminal executes management operation on the subscription data set in the eUICC of the terminal according to the management instruction.
19. The server according to claim 18, wherein said one or more processors are further operative to:
according to the identification EID of the terminal eUICC in the management instruction acquisition request, searching a second management operation request associated with the identification EID of the terminal eUICC;
determining whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determining that the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
20. The server according to claim 19 or 18, wherein the management request response further includes a registration event identification event ID, where the registration event identification event ID is used to identify the management operation event registered by the subscription management server according to the second management operation request;
the management instruction acquisition request also carries the registration event identification (event ID);
the one or more processors are further to:
searching a second management operation request associated with the registration event identification event ID according to the registration event identification event ID in the management instruction acquisition request;
determining whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
and if the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determining that the third-party application in the terminal has the authority to execute the management operation on the subscription data set in the eUICC of the terminal.
21. A storage medium, characterized in that it stores a computer program enabling, when executed by a computer device, to implement the method of any one of claims 1 to 7.
22. A storage medium, characterized in that it stores a computer program enabling, when executed by a computer device, to carry out the method of any one of claims 8 to 10.
CN201780032616.9A 2017-01-13 2017-01-13 Method, terminal and server for managing subscription data set Active CN109196891B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/071184 WO2018129723A1 (en) 2017-01-13 2017-01-13 Management method for subscription data set, terminal, and server

Publications (2)

Publication Number Publication Date
CN109196891A CN109196891A (en) 2019-01-11
CN109196891B true CN109196891B (en) 2020-09-08

Family

ID=62839215

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201780032616.9A Active CN109196891B (en) 2017-01-13 2017-01-13 Method, terminal and server for managing subscription data set

Country Status (2)

Country Link
CN (1) CN109196891B (en)
WO (1) WO2018129723A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112672346A (en) * 2020-12-18 2021-04-16 中国联合网络通信集团有限公司 Method, device and system for downloading authentication application

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112954694B (en) * 2019-11-26 2023-05-05 上海华为技术有限公司 Subscription information processing method, device and equipment
CN111342998A (en) * 2020-02-07 2020-06-26 中国联合网络通信集团有限公司 Terminal application management method and system, super application management terminal and storage medium
CN112235784B (en) * 2020-12-18 2021-03-05 深圳杰睿联科技有限公司 vSIM-based code number management method, device and equipment
CN114980121A (en) * 2021-02-19 2022-08-30 中国移动通信集团上海有限公司 Method and device for establishing logical private network of 5G message system
WO2022220616A1 (en) * 2021-04-14 2022-10-20 Samsung Electronics Co., Ltd. Method and apparatus for managing events in a wireless communication system
CN116528217B (en) * 2023-07-04 2023-10-10 中国电信股份有限公司 Method for remotely managing eUICC and related equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833066A (en) * 2011-06-15 2012-12-19 中兴通讯股份有限公司 Three-party authentication method and device as well as intelligent card supporting two-way authentication
CN103731268A (en) * 2013-09-23 2014-04-16 中兴通讯股份有限公司 Terminal, network side device, and terminal application control method and system
CN103782568A (en) * 2013-08-30 2014-05-07 华为终端有限公司 Remote alteration signing method and apparatus thereof
WO2016178548A1 (en) * 2015-05-07 2016-11-10 삼성전자 주식회사 Method and apparatus for providing profile

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102093757B1 (en) * 2012-05-24 2020-03-26 삼성전자 주식회사 Method for providing sim profile in euicc environment and devices therefor
CN104426887B (en) * 2013-09-04 2018-06-19 华为技术有限公司 Service authority determines method and apparatus
CN105723760B (en) * 2013-11-19 2020-09-04 瑞典爱立信有限公司 Profile change management
CN105357771B (en) * 2015-10-16 2019-01-08 中国联合网络通信集团有限公司 Connect method for building up and user terminal

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833066A (en) * 2011-06-15 2012-12-19 中兴通讯股份有限公司 Three-party authentication method and device as well as intelligent card supporting two-way authentication
CN103782568A (en) * 2013-08-30 2014-05-07 华为终端有限公司 Remote alteration signing method and apparatus thereof
CN103731268A (en) * 2013-09-23 2014-04-16 中兴通讯股份有限公司 Terminal, network side device, and terminal application control method and system
WO2016178548A1 (en) * 2015-05-07 2016-11-10 삼성전자 주식회사 Method and apparatus for providing profile

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112672346A (en) * 2020-12-18 2021-04-16 中国联合网络通信集团有限公司 Method, device and system for downloading authentication application
CN112672346B (en) * 2020-12-18 2024-01-23 中国联合网络通信集团有限公司 Method, device and system for downloading authentication application

Also Published As

Publication number Publication date
CN109196891A (en) 2019-01-11
WO2018129723A1 (en) 2018-07-19

Similar Documents

Publication Publication Date Title
CN110178393B (en) Method, device and server for downloading subscription data set
CN109196891B (en) Method, terminal and server for managing subscription data set
CN109510849B (en) Cloud-storage account authentication method and device
US9661666B2 (en) Apparatus and methods of identity management in a multi-network system
US10349272B2 (en) Virtual SIM card cloud platform
WO2020093214A1 (en) Application program login method, application program login device and mobile terminal
TWI478615B (en) Management systems for multiple access control entities
EP2919497B1 (en) Soft sim card activating method and network-joining method and terminal, and network access device
EP3337219B1 (en) Carrier configuration processing method, device and system, and computer storage medium
CN109716805B (en) Installation method of subscription data set, terminal and server
CN105991614B (en) It is a kind of it is open authorization, resource access method and device, server
CN106034134B (en) Method, auxiliary method and device for carrying out identity authentication request in webpage application program
CN111434087A (en) Method and electronic device for providing communication service
US11234131B2 (en) Information verification method and related device
CN109842616B (en) Account binding method and device and server
CN109729535B (en) Base station opening method and device, computer storage medium and equipment
US11832348B2 (en) Data downloading method, data management method, and terminal
WO2018129753A1 (en) Method and device for downloading subscription information set, and related equipment
US10834555B2 (en) System and method for facilitating carrier-specific configuration of a user device based on pre-stored information for multiple carriers
KR20210011577A (en) Apparatus and Method for Personal authentication using Sim Toolkit and Applet
CN109314711B (en) Open authorization method, device and terminal
CN103559430B (en) application account management method and device based on Android system
CN114830702A (en) Method for managing profiles for accessing a communication network
CN102812470A (en) Content Binding At First Access
US20230033931A1 (en) Method, ledger and system for establishing a secure connection from a chip to a network and corresponding network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant