CN109451483B - eSIM data processing method, equipment and readable storage medium - Google Patents

eSIM data processing method, equipment and readable storage medium Download PDF

Info

Publication number
CN109451483B
CN109451483B CN201910003930.5A CN201910003930A CN109451483B CN 109451483 B CN109451483 B CN 109451483B CN 201910003930 A CN201910003930 A CN 201910003930A CN 109451483 B CN109451483 B CN 109451483B
Authority
CN
China
Prior art keywords
information
mobile terminal
authentication server
authentication
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910003930.5A
Other languages
Chinese (zh)
Other versions
CN109451483A (en
Inventor
胡博
严斌峰
仇剑书
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN201910003930.5A priority Critical patent/CN109451483B/en
Publication of CN109451483A publication Critical patent/CN109451483A/en
Application granted granted Critical
Publication of CN109451483B publication Critical patent/CN109451483B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183Processing at user equipment or user record carrier
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20Transfer of user or subscriber data
    • H04W8/205Transfer to or from user equipment or user record carrier
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/22Processing or transfer of terminal data, e.g. status or physical capabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/22Processing or transfer of terminal data, e.g. status or physical capabilities
    • H04W8/24Transfer of terminal data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an eSIM data processing method, equipment and a readable storage medium, wherein the method deploys an eSIM application by utilizing a trusted execution environment in a mobile terminal, establishes a secure data channel by utilizing a root trust mechanism of a trusted computing environment, acquires EID (enhanced identification) and eUICC (enhanced integrated circuit card) certificate information of the eSIM, and realizes online processes of authentication, EID distribution and certificate application; a technical basis is provided for the subsequent eSIM download conforming to the GSMA SGP.21/22 standard, and an application layer of the mobile terminal cannot directly read the data files of the eSIM, so that the safety of the data files of the eSIM is improved.

Description

eSIM data processing method, equipment and readable storage medium
Technical Field
The invention relates to the technical field of smart cards, in particular to an eSIM data processing method, equipment and a readable storage medium.
Background
With the development of intelligent terminals and the coming of the internet consumption era, the form of the SIM card is evolving towards a direction of "pluggable card-free" such as an electronic SIM card (abbreviated as "eSIM"). The eSIM technology can download SIM card data from a platform into a terminal and activate the SIM card data.
In one mode, the data files of the eSIM of the local operator can be downloaded from the mobile data service operation platform to the operating system of the mobile terminal in a simple encryption mode through a private protocol, and can be freely read by the application layer of the mobile terminal, so that the security of the data files of the eSIM is low.
Disclosure of Invention
The invention provides an eSIM data processing method, equipment and a readable storage medium, which are used for solving the problem of low security of an eSIM data file in the prior art.
A first aspect of the present invention provides an eSIM data processing method, including:
after receiving an eSIM service start request, a mobile terminal sends a first authentication request to a terminal registration authentication server in a trusted execution environment, where the first authentication request includes terminal information and ciphertext information corresponding to the terminal information, the terminal information includes an identifier of the trusted execution environment, so that the terminal registration authentication server allocates an EID to an eSIM TA of the mobile terminal, authenticates the mobile terminal through a TEE authentication server corresponding to the identifier of the trusted execution environment, and feeds back an authentication result and the EID to the mobile terminal, where the EID is used to uniquely identify the eSIM TA of the mobile terminal;
the mobile terminal receives an authentication result and an EID sent by the terminal registration authentication server;
the mobile terminal verifies the authentication result, and if the authentication result passes, the mobile terminal places the EID into an eSIM TA;
the mobile terminal generates certificate request information under a trusted execution environment, and generates trusted authentication information and signature information of the trusted authentication information according to the certificate request information;
the mobile terminal sends a trusted equipment authentication request to the terminal registration authentication server, wherein the trusted equipment authentication request comprises the trusted authentication information and signature information of the trusted authentication information, so that the terminal registration authentication server acquires eUICC certificate information of the mobile terminal after determining that the mobile terminal is trusted equipment, and sends the eUICC certificate information to the mobile terminal;
and the mobile terminal receives the eUICC certificate information sent by the terminal registration authentication server, obtains an eUICC certificate according to the eUICC certificate information, and stores the eUICC certificate.
A second aspect of the present invention provides a method for processing eSIM data, including:
a terminal registration authentication server receives a first authentication request sent by a mobile terminal, wherein the first authentication request comprises terminal information and ciphertext information corresponding to the terminal information, and the terminal information comprises an identifier of a trusted execution environment of the mobile terminal;
the terminal registration authentication server allocates an EID for the eSIM TA of the mobile terminal, wherein the EID is used for uniquely identifying the eSIM TA of the mobile terminal;
the terminal registration authentication server authenticates the mobile terminal through a TEE authentication server corresponding to the identification of the trusted execution environment of the mobile terminal, and sends an authentication result and the EID to the mobile terminal, so that the mobile terminal verifies the authentication result, and the EID is placed in an eSIM TA after the authentication is passed;
the terminal registration authentication server receives a trusted device authentication request sent by the mobile terminal;
and after the terminal registration authentication server determines that the mobile terminal is the trusted device through the TEE authentication server, the terminal registration authentication server acquires eUICC certificate information of the mobile terminal and sends the eUICC certificate information to the mobile terminal.
A third aspect of the present invention provides a mobile terminal, comprising:
a memory, a processor, and a computer program stored on the memory and executable on the processor,
the processor, when executing the computer program, implements the method of the first aspect described above.
A fourth aspect of the present invention provides a terminal registration authentication server, including:
a memory, a processor, and a computer program stored on the memory and executable on the processor,
the processor, when executing the computer program, performs the method of the second aspect described above.
A fifth aspect of the present invention provides a computer-readable storage medium storing a computer program,
which when executed by a processor implements the method of the first aspect described above.
A sixth aspect of the present invention provides a computer-readable storage medium storing a computer program,
which when executed by a processor implements the method of the second aspect described above.
According to the eSIM data processing method, the eSIM data processing equipment and the readable storage medium, the eSIM application is deployed by utilizing the trusted execution environment in the mobile terminal, the secure data channel is established by utilizing the root trust mechanism of the trusted computing environment, the EID and eUICC certificate information of the eSIM is acquired, and the online processes of authentication, EID distribution and certificate application are realized; a technical basis is provided for the subsequent eSIM download conforming to the GSMA SGP.21/22 standard, and an application layer of the mobile terminal cannot directly read the data files of the eSIM, so that the safety of the data files of the eSIM is improved.
Drawings
Fig. 1 is a system architecture diagram of eSIM data processing according to an embodiment of the present invention;
fig. 2 is a flowchart of an eSIM data processing method according to an embodiment of the present invention;
fig. 3 is a flowchart of an eSIM data processing method according to a second embodiment of the present invention;
fig. 4 is an interaction flowchart of an eSIM data processing method according to a third embodiment of the present invention;
fig. 5 is a schematic structural diagram of a mobile terminal according to a fourth embodiment of the present invention;
fig. 6 is a schematic structural diagram of a terminal registration authentication server according to a fifth embodiment of the present invention.
With the above figures, certain embodiments of the invention have been illustrated and described in more detail below. The drawings and the description are not intended to limit the scope of the inventive concept in any way, but rather to illustrate it by those skilled in the art with reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
The terms to which the present invention relates will be explained first:
a Trusted Execution Environment (TEE for short) is applied to the fields of secure intelligent equipment, secure payment and the like. The technical core of the trusted execution environment is as follows: on the same CPU chip, access control of different IP components is realized through a hardware configuration mode, so that a completely isolated operation space is provided.
Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. In the description of the following examples, "plurality" means two or more unless specifically limited otherwise.
The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
Fig. 1 is a system architecture diagram of eSIM data processing according to an embodiment of the present invention. In this embodiment, as shown in fig. 1, the mobile terminal may be a mobile terminal such as a mobile phone, and the mobile terminal is composed of a plurality of parts including a trusted execution environment, a Local Profile Agent (LPA), a service acceptance application (APP shown in the figure), a TEE-eSIM baseband communication Agent module, a baseband processing mode, and a modem. The mobile terminal is a main device that completes initialization of the eSIM and related operations on an eSIM data file (also referred to as Profile).
The service acceptance system is composed of a service acceptance platform and service acceptance applications and is mainly responsible for ordering, activating and subsequent management of related services.
A connection interface exists between the eSIM management platform and the LPA and eSIM TA in the mobile terminal. The main function of the system is to call and receive information from the mobile terminal, process corresponding requests, communicate with functional modules including a certificate issuing server (such as CI shown in fig. 1) and a service acceptance platform, and complete downloading and management of Profile.
The TEE authentication server and the terminal registration authentication server have a connection interface, and the main function of the TEE authentication server is to authenticate the legality of the mobile terminal and assist in completing the subsequent certificate issuing process.
The certificate issuing server (abbreviated as CI) interfaces with the terminal registration authentication server, serves as a root of trust, issues an eSIM certificate, and is used for mutual trust between the eSIM management platform and the eSIM TA.
Connection interfaces respectively exist between the terminal registration server and the certificate issuing server, between the terminal registration server and the TEE authentication server as well as between the terminal registration server and the LPA in the terminal, and the main functions of the terminal registration server and the LPA are to complete EID distribution, certificate null issuing and other operations together with the modules.
Example one
Fig. 2 is a flowchart of an eSIM data processing method according to an embodiment of the present invention. The embodiment of the invention provides an eSIM data processing method aiming at the problem of low safety of an eSIM data file in the prior art. The method in this embodiment is applied to a mobile terminal, which may be a smart phone, a tablet computer, or the like. As shown in fig. 2, the method comprises the following specific steps:
step S101, after receiving an eSIM service starting request, a mobile terminal sends a first authentication request to a terminal registration authentication server in a trusted execution environment, wherein the first authentication request comprises terminal information and ciphertext information corresponding to the terminal information, the terminal information comprises an identifier of the trusted execution environment, so that the terminal registration authentication server allocates an EID for an eSIM TA of the mobile terminal, the mobile terminal is authenticated through a TEE authentication server corresponding to the identifier of the trusted execution environment, and an authentication result and the EID are fed back to the mobile terminal, and the EID is used for uniquely identifying the eSIM TA of the mobile terminal.
The eSIM TA of the mobile terminal refers to a trusted application TA of a trusted execution environment of the mobile terminal, and in this embodiment, the trusted application applied to eSIM data processing is denoted as the eSIM TA; accordingly, the eSIM CA of the mobile terminal refers to a terminal application CA of the trusted execution environment of the mobile terminal, and the terminal application applied to the eSIM data processing is referred to as the eSIM CA in this embodiment.
In this embodiment, a user selects to start an eSIM service through a software application APP on a mobile terminal, and sends an eSIM service start request to the mobile terminal. After receiving the eSIM service starting request, the mobile terminal acquires the EID and the eUICC certificate through the secure data channel in a trusted execution environment, and completes personalized configuration of the eSIM application on line.
Specifically, after receiving an eSIM service initiation request, a mobile terminal sends a first authentication request to a terminal registration authentication server in a trusted execution environment. After receiving the first authentication request, the terminal registration authentication server allocates an EID to the eSIM TA of the mobile terminal; authenticating the mobile terminal through a TEE authentication server corresponding to the identification of the trusted execution environment in the first authentication request to obtain an authentication result; and the terminal registration authentication server sends the EID and the authentication result to the mobile terminal, so that the mobile terminal acquires the EID.
Wherein the EID is used to uniquely identify the eSIM TA of the mobile terminal.
Optionally, after receiving the eSIM service initiation request, the mobile terminal sends the first authentication request to the terminal registration authentication server in the trusted execution environment, which may specifically be implemented in the following manner:
after receiving an eSIM service starting request, a mobile terminal generates terminal information under a trusted execution environment, wherein the terminal information comprises an identifier of the trusted execution environment; the mobile terminal encrypts the terminal information according to a preset secret key to obtain ciphertext information corresponding to the terminal information; the mobile terminal sends a first authentication request comprising terminal information and ciphertext information corresponding to the terminal information to a terminal registration authentication server.
Optionally, the terminal information may include an identifier of the trusted execution environment, and information such as a terminal identifier, a model number, a serial number, and a software version of the terminal, and the terminal information may uniquely identify a mobile terminal.
And S102, the mobile terminal receives the authentication result and the EID sent by the terminal registration authentication server.
And S103, the mobile terminal verifies the authentication result, and if the authentication result passes, the mobile terminal places the EID into the eSIM TA.
And after receiving the authentication result and the EID sent by the terminal registration authentication server, the mobile terminal verifies the authentication result in a trusted execution environment, and if the authentication result passes, the mobile terminal places the EID into the eSIM TA.
If the authentication result is not verified, the mobile terminal can consider that the authentication result provided by the terminal registration authentication server is not authentic, and can not place the EID in the eSIM TA, and the eSIM data processing flow is finished.
In this embodiment, a signature and signature verification rule is agreed in advance between the trusted execution environment and the TEE authentication server corresponding to the trusted execution environment. The TEE authentication server may verify the signature information generated by the trusted execution environment, and the trusted execution environment may also verify the signature information generated by the TEE authentication server.
Optionally, the authentication result includes the first challenge word generated by the TEE authentication server and signature information of the first challenge word. The mobile terminal verifies the authentication result, which can be specifically realized by adopting the following method:
the mobile terminal checks the first challenge word and signature information of the first challenge word according to a preset key in a trusted execution environment; if the signature verification is successful, the authentication result is verified to be passed, and if the signature verification is failed, the authentication result is verified not to be passed.
Step S104, the mobile terminal generates certificate request information under the trusted execution environment, and generates trusted authentication information and signature information of the trusted authentication information according to the certificate request information.
The certificate request information is used for applying for an eUICC certificate to a certificate issuing server.
Optionally, the mobile terminal generates the trusted authentication information and the signature information of the trusted authentication information according to the certificate request information, and may specifically adopt the following manner:
and the mobile terminal uses ciphertext information obtained by encrypting the certificate request information, the challenge word and the like as credible authentication information and signs the credible authentication information by adopting a preset signature algorithm to obtain signature information of the credible authentication information.
The preset signature algorithm can be a signature algorithm agreed in advance for a trusted execution environment of the mobile terminal and a TEE authentication server corresponding to the trusted execution environment, the TEE authentication server can check the signature information generated by the trusted execution environment, and the trusted execution environment can also check the signature information generated by the TEE authentication server.
Step S105, the mobile terminal sends a trusted device authentication request to the terminal registration authentication server, wherein the trusted device authentication request comprises trusted authentication information and signature information of the trusted authentication information, so that the terminal registration authentication server acquires eUICC certificate information of the mobile terminal after determining that the mobile terminal is trusted device, and sends the eUICC certificate information to the mobile terminal.
In this embodiment, the mobile terminal sends a trusted device authentication request including trusted authentication information and signature information of the trusted authentication information to the terminal registration authentication server. After receiving the authentication request of the trusted device, the terminal registration authentication server authenticates whether the mobile terminal is the trusted device or not through a TEE authentication server corresponding to the mobile terminal according to the trusted authentication information and signature information of the trusted authentication information; after the mobile terminal is determined to be the trusted device, the terminal registration authentication server extracts the certificate request information in the trusted authentication information, and requests the eUICC certificate from the certificate issuing server according to the certificate request information. The certificate issuing server generates an eUICC certificate for the mobile terminal and sends the eUICC certificate to the terminal registration authentication server. And after receiving the eUICC certificate, the terminal registration authentication server generates eUICC certificate information and sends the eUICC certificate information to the mobile terminal.
Optionally, in order to ensure secure transmission of the eUICC certificate, the certificate issuing server sends the eUICC certificate to the terminal registration authentication server through an end-to-end secure encryption channel.
Optionally, in order to safely transmit the eUICC certificate to the mobile terminal, after the eUICC certificate is acquired, the terminal registration authentication server encrypts the eUICC certificate through the TEE authentication server to obtain ciphertext information of the eUICC certificate, signs the ciphertext information of the eUICC certificate to obtain signature information of the ciphertext information of the eUICC certificate, uses the ciphertext information of the eUICC certificate and the signature information of the ciphertext information of the eUICC certificate as eUICC certificate information, and sends the eUICC certificate information to the mobile terminal.
And S106, the mobile terminal receives the eUICC certificate information sent by the terminal registration authentication server, obtains the eUICC certificate according to the eUICC certificate information, and stores the eUICC certificate.
After receiving the eUICC certificate information sent by the terminal registration authentication server, the mobile terminal obtains an eUICC certificate according to the eUICC certificate information in a trusted execution environment, and stores the eUICC certificate.
In addition, the mobile terminal receives the eUICC certificate information sent by the terminal registration authentication server, obtains the eUICC certificate according to the eUICC certificate information, and after storing the eUICC certificate, the method further includes:
the mobile terminal downloads an eSIM data file; the mobile terminal loads the eSIM data file and activates the eSIM data file.
Optionally, after the eSIM data file is activated, the mobile terminal notifies the baseband proxy module to perform operations such as logout authentication using the eSIM TA of the trusted execution environment.
In addition, the international standard organization GSMA establishes SGP.21/22 technical standards, and defines operation specifications such as carrying electronic SIM card data and performing remote management on independent hardware, namely an embedded UICC (for short, eUICC), but the mode still occupies the hardware space of the terminal on one hand and has higher manufacturing cost on the other hand due to the adoption of the independent hardware.
In the embodiment, the existing trusted execution environment of the intelligent terminal can be utilized for deployment, so that the cost is reduced.
According to the eSIM data processing method, the eSIM data processing equipment and the readable storage medium, the eSIM application is deployed by utilizing the trusted execution environment in the mobile terminal, the secure data channel is established by utilizing the root trust mechanism of the trusted computing environment, the EID and eUICC certificate information of the eSIM is acquired, and the online processes of authentication, EID distribution and certificate application are realized; a technical basis is provided for the subsequent eSIM download conforming to the GSMA SGP.21/22 standard, and an application layer of the mobile terminal cannot directly read the data files of the eSIM, so that the safety of the data files of the eSIM is improved.
Example two
Fig. 3 is a flowchart of an eSIM data processing method according to a second embodiment of the present invention. The embodiment of the invention provides an eSIM data processing method aiming at the problem of low safety of an eSIM data file in the prior art. The method in the embodiment is applied to a terminal registration authentication server. As shown in fig. 3, the method comprises the following specific steps:
step S201, the terminal registration authentication server receives a first authentication request sent by the mobile terminal, where the first authentication request includes terminal information and ciphertext information corresponding to the terminal information, and the terminal information includes an identifier of a trusted execution environment of the mobile terminal.
In this embodiment, a user selects to start an eSIM service through a software application APP on a mobile terminal, and sends an eSIM service start request to the mobile terminal. After receiving the eSIM service starting request, the mobile terminal acquires the EID and the eUICC certificate through the secure data channel in a trusted execution environment, and completes personalized configuration of the eSIM application on line.
After receiving the eSIM service initiation request, the mobile terminal sends a first authentication request to a terminal registration authentication server in a trusted execution environment. The terminal registration authentication server receives a first authentication request sent by the mobile terminal.
Step S202, the terminal registration authentication server allocates an EID to the eSIM TA of the mobile terminal, where the EID is used to uniquely identify the eSIM TA of the mobile terminal.
The eSIM TA of the mobile terminal refers to a trusted application TA of a trusted execution environment of the mobile terminal, and in this embodiment, the trusted application applied to eSIM data processing is denoted as the eSIM TA; accordingly, the eSIM CA of the mobile terminal refers to a terminal application CA of the trusted execution environment of the mobile terminal, and the terminal application applied to the eSIM data processing is referred to as the eSIM CA in this embodiment.
In this step, the terminal registration authentication server allocates an EID to the eSIM TA of the mobile terminal after receiving the first authentication request.
Step S203, the terminal registration authentication server authenticates the mobile terminal through the TEE authentication server corresponding to the identifier of the trusted execution environment of the mobile terminal, and sends the authentication result and the EID to the mobile terminal, so that the mobile terminal verifies the authentication result, and after the verification is passed, the EID is placed in the eSIM TA.
After receiving the first authentication request, the terminal registration authentication server authenticates the mobile terminal through the TEE authentication server corresponding to the identification of the trusted execution environment in the first authentication request to obtain an authentication result; and the terminal registration authentication server sends the EID and the authentication result to the mobile terminal, so that the mobile terminal acquires the EID.
In this embodiment, a signature and signature verification rule is agreed in advance between the trusted execution environment and the TEE authentication server corresponding to the trusted execution environment. The TEE authentication server may verify the signature information generated by the trusted execution environment, and the trusted execution environment may also verify the signature information generated by the TEE authentication server.
Optionally, the authentication result includes the first challenge word generated by the TEE authentication server and signature information of the first challenge word. The mobile terminal can verify the first challenge word and signature information of the first challenge word under a trusted execution environment; if the signature verification is successful, the authentication result is verified to be passed, and if the signature verification is failed, the authentication result is verified not to be passed.
Optionally, the terminal registration authentication server authenticates the mobile terminal through the TEE authentication server corresponding to the identifier of the trusted execution environment of the mobile terminal, and sends the authentication result and the EID to the mobile terminal, which may specifically be implemented in the following manner:
the terminal registration authentication server determines a TEE authentication server corresponding to the identification of the trusted execution environment of the mobile terminal according to the identification of the trusted execution environment of the mobile terminal in the first authentication request; the terminal registration authentication server sends a second authentication request to the TEE authentication server, wherein the second authentication request comprises terminal information and ciphertext information corresponding to the terminal information, so that the TEE authentication server verifies the terminal information and the ciphertext information corresponding to the terminal information according to a stored preset key corresponding to the mobile terminal, generates a first challenge word after the verification is passed, signs the first challenge word by adopting the preset key to obtain signature information of the first challenge word, and sends the signature information of the first challenge word and the signature information of the first challenge word as an authentication result to the terminal registration authentication server; and the terminal registration authentication server sends the EID and the received authentication result to the mobile terminal.
Step S204, the terminal registration authentication server receives the trusted device authentication request sent by the mobile terminal.
The trusted device authentication request comprises trusted authentication information and signature information of the trusted authentication information.
Step S205, after the terminal registration authentication server determines that the mobile terminal is the trusted device through the TEE authentication server, the terminal registration authentication server obtains the eUICC certificate information of the mobile terminal and sends the eUICC certificate information to the mobile terminal.
In this embodiment, the step may be specifically implemented as follows:
the terminal registration authentication server sends the credible authentication information and the signature information of the credible authentication information to the TEE authentication server so that the TEE authentication server checks and signs the credible authentication information and the signature information of the credible authentication information, if the check and sign are passed, the mobile terminal is determined to be credible equipment, certificate request information is obtained through calculation according to the credible authentication information, and the certificate request information is sent to the terminal registration authentication server; after receiving certificate request information sent by a TEE authentication server, a terminal registration authentication server determines that a mobile terminal is a trusted device; the terminal registration authentication server sends the certificate request information to the certificate issuing server so that the certificate issuing server generates an eUICC certificate according to the certificate request information and sends the eUICC certificate to the terminal registration authentication server; the terminal registration authentication server receives an eUICC certificate sent by the certificate issuing server; and the terminal registration authentication server generates corresponding eUICC certificate information according to the eUICC certificate and sends the eUICC certificate information to the mobile terminal.
Optionally, in order to improve the security of eUICC certificate transmission, the terminal registration authentication server generates corresponding eUICC certificate information according to the eUICC certificate, and sends the eUICC certificate information to the mobile terminal, which may specifically be implemented in the following manner:
the terminal registration authentication server sends the eUICC certificate to the TEE authentication server so that the TEE authentication server encrypts the eUICC certificate to obtain ciphertext information of the eUICC certificate, signs the ciphertext information of the eUICC certificate to obtain signature information of the ciphertext information of the eUICC certificate, and sends the ciphertext information of the eUICC certificate and the signature information of the ciphertext information of the eUICC certificate to the terminal registration authentication server; the terminal registration authentication server receives the ciphertext information of the eUICC certificate and the signature information of the ciphertext information of the eUICC certificate sent by the TEE authentication server, and sends the ciphertext information of the eUICC certificate and the signature information of the ciphertext information of the eUICC certificate to the mobile terminal as eUICC certificate information.
According to the eSIM data processing method, the eSIM data processing equipment and the readable storage medium, the eSIM application is deployed by utilizing the trusted execution environment in the mobile terminal, the secure data channel is established by utilizing the root trust mechanism of the trusted computing environment, the EID and eUICC certificate information of the eSIM is acquired, and the online processes of authentication, EID distribution and certificate application are realized; a technical basis is provided for the subsequent eSIM download conforming to the GSMA SGP.21/22 standard, and an application layer of the mobile terminal cannot directly read the data files of the eSIM, so that the safety of the data files of the eSIM is improved.
EXAMPLE III
Fig. 4 is an interaction flowchart of an eSIM data processing method according to a third embodiment of the present invention. In addition to the first or second embodiment, in the present embodiment, an interaction flow of the mobile terminal, the registration authentication server, the TEE authentication server, the certificate issuing server, and the like in the eSIM data processing method is exemplarily described. As shown in fig. 2, the method comprises the following specific steps:
step S301, a user selects to start an eSIM service through an APP, and sends an eSIM service starting request to an LPA through the APP;
step S302, forwarding an eSIM service starting request to an eSIM CA by the LPA;
step S303, the eSIM CA transmits an eSIM service starting request to the eSIM TA;
step S304, the eSIM TA forwards an eSIM service starting request to a trusted execution environment TEE of the mobile terminal;
step S305, the TEE generates a challenge word C, terminal information A and ciphertext information A' corresponding to the terminal information;
step S306, the TEE sends the (A, A', C) to the eSIM TA;
step S307, the eSIM TA forwards the (A, A', C) to the eSIM CA;
step S308, the eSIM CA forwards the (A, A', C) to the LPA;
step S309, the LPA sends a first authentication request including (A, A', C) to the terminal registration authentication server;
step S310, the terminal registration authentication server determines a corresponding TEE authentication server according to the trusted execution environment identifier in the terminal information A in the first authentication request;
step S311, the terminal registration authentication server sends (A, A', C) to the TEE authentication server;
step S312, the terminal registration authentication server distributes EID for the eSIM TA;
s313, the TEE authentication server verifies A and A ', if the verification is successful, the TEE authentication server generates a challenge word CS1, generates a first challenge word B according to the challenge word C and the challenge word CS1, and signs the first challenge word B to obtain B';
step S314, the TEE authentication server sends (B, B', CS1) as an authentication result to the terminal registration authentication server;
step S315, the terminal registration authentication server sends the EID and the (B, B', CS1) to the LPA;
step S316, LPA forwards EID and (B, B', CS1) to eSIM CA;
step S317, the eSIM CA forwards the EID and the (B, B', CS1) to the eSIM TA;
step S318, the eSIM TA sends the (B, B') to the TEE;
step S319, the TEE checks the (B, B') and feeds back the result of checking the signature to the eSIM TA;
step S320, if the signature verification is successful, the eSIM TA places the EID into the eSIM TA;
if the verification is successful, the authentication of the terminal registration authentication server is considered to be successful; and if the signature verification fails, the authentication of the terminal registration authentication server is considered to fail, and the EID is not placed in the eSIM TA.
Step S321, the eSIM TA generates certificate request information CSR;
step S322, the eSIM TA sends (CS1, CSR) to the TEE;
s323, encrypting (CS1, CSR) by the TEE to obtain credible authentication information AA, and signing the credible authentication information AA to obtain corresponding signature information AA';
step S324, the TEE feeds back (AA, AA') to the eSIM TA;
step S325, the eSIM TA forwards (AA, AA') to the eSIM CA;
step S326, eSIM CA forwards (AA, AA') to LPA;
step S327, the LPA sends a trusted device authentication request including (AA, AA') to the terminal registration authentication server;
step S328, the terminal registration authentication server sends (AA, AA') to the TEE authentication server;
step S329, the TEE authentication server checks the (AA, AA'), and after the check is successful, the AA is decrypted to obtain certificate request information CSR;
and (E) the TEE authentication server checks the (AA, AA'), if the checking is successful, the mobile terminal is determined to be the trusted device, and the certificate request information is calculated according to the trusted authentication information.
Step S330, the TEE authentication server sends the certificate request information CSR to the terminal registration authentication server;
step S331, the terminal registration authentication server sends certificate request information CSR to the certificate issuing server CI;
step S332, generating an eUICC certificate by the CI according to the CSR;
step S333, the CI sends the eUICC certificate to a terminal registration authentication server;
step S334, the terminal registration authentication server sends an eUICC certificate to a TEE authentication server;
step S335, the TEE authentication server encrypts the eUICC certificate to obtain ciphertext information Cert1 of the eUICC certificate, and signs the Cert1 to obtain Cert 1';
step S336, the TEE authentication server sends (Cert1, Cert 1') to the terminal registration authentication server;
step S337, the terminal registration authentication server sends (Cert1, Cert 1') to the LPA;
step S338, LPA forwards (Cert1, Cert 1') to eSIM CA;
step S339, eSIM CA forwards (Cert1, Cert 1') to eSIM TA;
step S340, the eSIM TA sends (Cert1, Cert 1') to the TEE;
step S341, the TEE checks the signature of the certificate pair (Cert1, Cert 1'), and if the signature check is successful, the Cert1 is decrypted to obtain the eUICC certificate;
step S342, the TEE sends the eUICC certificate to the eSIM TA;
step S343, the eUICC certificate is stored by the eSIM TA, and personalized configuration is completed.
Optionally, the eSIM TA stores the eUICC certificate, and after completing the personalized provisioning, the eSIM TA may send a personalized provisioning completion notification message to the user APP through the eSIM CA and the LPA, where the notification message carries the EID.
After the personalized configuration is completed, the Profile can be downloaded in a downloading mode conforming to the GSMA SGP.21/22 standard.
In addition, the activation and use of the Profile can be realized by the following steps:
step 1, a user selects activation by clicking or a service APP calls an activation command of an interface function of an LPA;
step 2, calling an eSIM CA activation method by the LPA through an API interface function;
step 3, the eSIM CA sends an APDU (application protocol data unit) activation instruction to the eSIM TA;
step 4, the eSIM TA executes the APDU activating instruction to complete the activation of the Profile;
step 5, after the activation is completed, the eSIM TA feeds back an activation success message to the eSIM TA;
step 6, the eSIM CA forwards the activation success message to the LPA;
step 7, after receiving the activation success message, namely the Profile activation is successful, the LPA initiates an eSIM activation instruction to the TEE-eSIM baseband communication proxy module and specifies a card slot used by the activated eSIM;
if the LPA does not receive the activation success message, the LPA keeps reporting errors after a certain number of retries and gives up.
And 8, registering the card processing instruction of the card slot specified in the step 7 with the baseband processing module by the TEE-eSIM baseband communication proxy module.
Step 9, the activated baseband processing module sends all APDUs to the TEE-eSIM baseband communication agent module;
step 10, the TEE-eSIM baseband communication agent module sends APDU to eSIM CA;
step 11, the eSIM CA transfers the APDU to the eSIM TA;
step 12, after the eSIM TA simulates the behavior of the SIM card to process the APDU, returning a response APDU to the eSIM CA;
step 13, the eSIM CA returns the response APDU to the TEE-eSIM baseband communication proxy module;
and step 14, the TEE-eSIM baseband communication proxy module returns the response APDU to the baseband processing module.
In addition, during deactivation, contrary to the activation step, the TEE-eSIM baseband communication proxy module is deactivated first to cut off the instruction sent by the baseband processing module to the eSIM CA, and then the LPA sends a Profile deactivation instruction to the eSIM TA to set the Profile in the eSIM TA in an inactive state.
Optionally, in the above architecture, the eSIM CA may be omitted, and in the architecture in which the eSIM CA is omitted, the LPA may directly communicate with the eSIM TA to complete registration, personalized configuration, and download of the eSIM Profile; the TEE-eSIM baseband communication proxy module can communicate directly with the eSIM TA to complete command processing for all eSIM card telecommunications applications.
The embodiment of the invention provides a detailed interaction flow of a mobile terminal, a registration authentication server, a TEE authentication server, a certificate issuing server and the like in an eSIM data processing method.
According to the eSIM data processing method, the eSIM data processing equipment and the readable storage medium, the eSIM application is deployed by utilizing the trusted execution environment in the mobile terminal, the secure data channel is established by utilizing the root trust mechanism of the trusted computing environment, the EID and eUICC certificate information of the eSIM is acquired, and the online processes of authentication, EID distribution and certificate application are realized; a technical basis is provided for the subsequent eSIM download conforming to the GSMA SGP.21/22 standard, and an application layer of the mobile terminal cannot directly read the data files of the eSIM, so that the safety of the data files of the eSIM is improved. Compared with the traditional method, the process is realized in the card making process of the entity card, in this embodiment, because the TEE realizes a mode similar to the soft SIM, the TEE needs to apply for the EID and the eUICC certificate in the using process of the user, and thus, the resource allocation on demand is realized.
Example four
Fig. 5 is a schematic structural diagram of a mobile terminal according to a fourth embodiment of the present invention. As shown in fig. 5, the mobile terminal 50 includes: a processor 501, a memory 502, a trusted execution environment (not shown), and computer programs stored on the memory 502 and executable by the processor 501.
The processor 501 implements the eSIM data processing method provided in the above-described first or third embodiment when executing the computer program stored on the memory 502.
According to the eSIM data processing method, the eSIM data processing equipment and the readable storage medium, the eSIM application is deployed by utilizing the trusted execution environment in the mobile terminal, the secure data channel is established by utilizing the root trust mechanism of the trusted computing environment, the EID and eUICC certificate information of the eSIM is acquired, and the online processes of authentication, EID distribution and certificate application are realized; a technical basis is provided for the subsequent eSIM download conforming to the GSMA SGP.21/22 standard, and an application layer of the mobile terminal cannot directly read the data files of the eSIM, so that the safety of the data files of the eSIM is improved.
EXAMPLE five
Fig. 6 is a schematic structural diagram of a terminal registration authentication server according to a fifth embodiment of the present invention. As shown in fig. 6, the terminal registration authentication server 60 includes: a processor 601, a memory 602, and computer programs stored on the memory 602 and executable by the processor 601.
The processor 601 implements the eSIM data processing method provided in the second or third embodiment described above when executing the computer program stored on the memory 602.
According to the eSIM data processing method, the eSIM data processing equipment and the readable storage medium, the eSIM application is deployed by utilizing the trusted execution environment in the mobile terminal, the secure data channel is established by utilizing the root trust mechanism of the trusted computing environment, the EID and eUICC certificate information of the eSIM is acquired, and the online processes of authentication, EID distribution and certificate application are realized; a technical basis is provided for the subsequent eSIM download conforming to the GSMA SGP.21/22 standard, and an application layer of the mobile terminal cannot directly read the data files of the eSIM, so that the safety of the data files of the eSIM is improved.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the method for processing eSIM data provided in the first embodiment or the third embodiment is implemented.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the eSIM data processing method provided in the second embodiment or the third embodiment is implemented.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute some steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This invention is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (12)

1. An eSIM data processing method, comprising:
after receiving an eSIM service start request, a mobile terminal sends a first authentication request to a terminal registration authentication server in a trusted execution environment, where the first authentication request includes terminal information and ciphertext information corresponding to the terminal information, the terminal information includes an identifier of the trusted execution environment, so that the terminal registration authentication server allocates an EID to an eSIM TA of the mobile terminal, authenticates the mobile terminal through a TEE authentication server corresponding to the identifier of the trusted execution environment, and feeds back an authentication result and the EID to the mobile terminal, where the EID is used to uniquely identify the eSIM TA of the mobile terminal; the eSIM TA is a trusted application applied to eSIM data processing;
the mobile terminal receives an authentication result and an EID sent by the terminal registration authentication server;
the mobile terminal verifies the authentication result, and if the authentication result passes, the mobile terminal places the EID into an eSIM TA;
the mobile terminal generates certificate request information under a trusted execution environment, and generates trusted authentication information and signature information of the trusted authentication information according to the certificate request information;
the mobile terminal sends a trusted equipment authentication request to the terminal registration authentication server, wherein the trusted equipment authentication request comprises the trusted authentication information and signature information of the trusted authentication information, so that the terminal registration authentication server acquires eUICC certificate information of the mobile terminal after determining that the mobile terminal is trusted equipment, and sends the eUICC certificate information to the mobile terminal;
the mobile terminal receives eUICC certificate information sent by the terminal registration authentication server, obtains an eUICC certificate according to the eUICC certificate information, and stores the eUICC certificate;
wherein the generating the trusted authentication information and the signature information of the trusted authentication information according to the certificate request information includes: the mobile terminal encrypts and obtains ciphertext information according to the certificate request information, the challenge word and other information and the like to serve as the credible authentication information, and signs the credible authentication information by adopting a preset signature algorithm to obtain signature information of the credible authentication information;
the preset signature algorithm is a signature algorithm which is agreed in advance by the trusted execution environment of the mobile terminal and a TEE authentication server corresponding to the execution environment.
2. The method of claim 1, wherein the authentication result comprises a first challenge word generated by the TEE authentication server and signature information of the first challenge word,
the mobile terminal verifies the authentication result, and the verification comprises the following steps:
the mobile terminal checks the first challenge word and signature information of the first challenge word according to a preset secret key in a trusted execution environment;
and if the signature verification is successful, the authentication result is verified to be passed, and if the signature verification is failed, the authentication result is verified not to be passed.
3. The method of claim 1, wherein the eUICC certificate information comprises ciphertext information of the eUICC certificate and signature information of the ciphertext information of the eUICC certificate;
the mobile terminal obtains the eUICC certificate according to the eUICC certificate information, and the method comprises the following steps:
the mobile terminal checks the ciphertext information of the eUICC certificate and the signature information of the ciphertext information of the eUICC certificate in an executable environment;
and if the signature verification is passed, the mobile terminal decrypts the ciphertext information of the eUICC certificate to obtain the eUICC certificate.
4. The method according to any one of claims 1 to 3, wherein after the mobile terminal receives the eUICC certificate information sent by the terminal registration authentication server, obtains the eUICC certificate according to the eUICC certificate information, and stores the eUICC certificate, the method further comprises:
the mobile terminal downloads an eSIM data file;
and the mobile terminal loads the eSIM data file and activates the eSIM data file.
5. An eSIM data processing method, comprising:
a terminal registration authentication server receives a first authentication request sent by a mobile terminal, wherein the first authentication request comprises terminal information and ciphertext information corresponding to the terminal information, and the terminal information comprises an identifier of a trusted execution environment of the mobile terminal;
the terminal registration authentication server allocates an EID for the eSIM TA of the mobile terminal, wherein the EID is used for uniquely identifying the eSIM TA of the mobile terminal; the eSIM TA is a trusted application applied to eSIM data processing;
the terminal registration authentication server authenticates the mobile terminal through a TEE authentication server corresponding to the identification of the trusted execution environment of the mobile terminal, and sends an authentication result and the EID to the mobile terminal, so that the mobile terminal verifies the authentication result, and the EID is placed in an eSIM TA after the authentication is passed;
the terminal registration authentication server receives a trusted device authentication request sent by the mobile terminal; the trusted device authentication request comprises the trusted authentication information and signature information of the trusted authentication information; the trusted authentication information is ciphertext information obtained by encrypting the mobile terminal according to certificate request information, challenge words and other information generated by the mobile terminal in a trusted execution environment; the signature information of the credible authentication information is obtained by the mobile terminal by adopting a preset signature algorithm to sign the credible authentication information; the preset signature algorithm is a signature algorithm which is agreed in advance by the trusted execution environment of the mobile terminal and a TEE authentication server corresponding to the execution environment;
and after the terminal registration authentication server determines that the mobile terminal is the trusted device through the TEE authentication server, the terminal registration authentication server acquires eUICC certificate information of the mobile terminal and sends the eUICC certificate information to the mobile terminal.
6. The method of claim 5, wherein the terminal registration authentication server authenticates the mobile terminal through a TEE authentication server corresponding to an identity of a trusted execution environment of the mobile terminal and sends an authentication result and the EID to the mobile terminal, and comprises:
the terminal registration authentication server determines a TEE authentication server corresponding to the identification of the trusted execution environment of the mobile terminal according to the identification of the trusted execution environment of the mobile terminal in the first authentication request;
the terminal registration authentication server sends a second authentication request to the TEE authentication server, wherein the second authentication request comprises the terminal information and ciphertext information corresponding to the terminal information, so that the TEE authentication server verifies the terminal information and the ciphertext information corresponding to the terminal information according to a stored preset key corresponding to the mobile terminal, generates a first challenge word after the verification is passed, signs the first challenge word by using the preset key to obtain signature information of the first challenge word, and sends the first challenge word and the signature information of the first challenge word as authentication results to the TEE authentication server;
and the terminal registration authentication server sends the EID and the received authentication result to the mobile terminal.
7. The method of claim 5, wherein the trusted device authentication request includes trusted authentication information and signature information of the trusted authentication information;
after the terminal registration authentication server determines that the mobile terminal is a trusted device through the TEE authentication server, the terminal registration authentication server acquires eUICC certificate information of the mobile terminal and sends the eUICC certificate information to the mobile terminal, and the method comprises the following steps:
the terminal registration authentication server sends the credible authentication information and the signature information of the credible authentication information to the TEE authentication server so that the TEE authentication server checks the credible authentication information and the signature information of the credible authentication information, if the check passes, the mobile terminal is determined to be credible equipment, certificate request information is obtained through calculation according to the credible authentication information, and the certificate request information is sent to the terminal registration authentication server;
after the terminal registration authentication server receives the certificate request information sent by the TEE authentication server, the mobile terminal is determined to be a trusted device;
the terminal registration authentication server sends the certificate request information to a certificate issuing server so that the certificate issuing server generates an eUICC certificate according to the certificate request information and sends the eUICC certificate to the terminal registration authentication server;
the terminal registration authentication server receives the eUICC certificate sent by the certificate issuing server;
and the terminal registration authentication server generates corresponding eUICC certificate information according to the eUICC certificate and sends the eUICC certificate information to the mobile terminal.
8. The method of claim 7, wherein the terminal registration authentication server generates corresponding eUICC certificate information according to the eUICC certificate and sends the eUICC certificate information to the mobile terminal, and comprises:
the terminal registration authentication server sends the eUICC certificate to the TEE authentication server so that the TEE authentication server encrypts the eUICC certificate to obtain ciphertext information of the eUICC certificate, signs the ciphertext information of the eUICC certificate to obtain signature information of the ciphertext information of the eUICC certificate, and sends the ciphertext information of the eUICC certificate and the signature information of the ciphertext information of the eUICC certificate to the terminal registration authentication server;
and the terminal registration authentication server receives the ciphertext information of the eUICC certificate and the signature information of the ciphertext information of the eUICC certificate sent by the TEE authentication server, and sends the ciphertext information of the eUICC certificate and the signature information of the ciphertext information of the eUICC certificate to the mobile terminal as the eUICC certificate information.
9. A mobile terminal, comprising:
a trusted execution environment, a memory, a processor, and a computer program stored on the memory and executable on the processor,
the processor, when executing the computer program, implements the method of any of claims 1-4.
10. A terminal registration authentication server, comprising:
a memory, a processor, and a computer program stored on the memory and executable on the processor,
the processor, when executing the computer program, implements the method of any of claims 5-8.
11. A computer-readable storage medium, in which a computer program is stored,
the computer program, when executed by a processor, implementing the method of any one of claims 1-4.
12. A computer-readable storage medium, in which a computer program is stored,
the computer program, when executed by a processor, implementing the method of any one of claims 5-8.
CN201910003930.5A 2019-01-03 2019-01-03 eSIM data processing method, equipment and readable storage medium Active CN109451483B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910003930.5A CN109451483B (en) 2019-01-03 2019-01-03 eSIM data processing method, equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910003930.5A CN109451483B (en) 2019-01-03 2019-01-03 eSIM data processing method, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN109451483A CN109451483A (en) 2019-03-08
CN109451483B true CN109451483B (en) 2021-09-07

Family

ID=65542372

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910003930.5A Active CN109451483B (en) 2019-01-03 2019-01-03 eSIM data processing method, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN109451483B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110677263B (en) * 2019-09-30 2022-08-02 恒宝股份有限公司 Method and system for issuing certificate under new CI system by eSIM card on line
CN114189334B (en) * 2021-11-05 2023-09-26 卓望数码技术(深圳)有限公司 Manageable eSIM terminal certificate online issuing method and system
CN114173327B (en) * 2021-12-06 2024-08-23 中国电信股份有限公司 Authentication method and terminal based on private network in 5G industry

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105392116A (en) * 2014-08-22 2016-03-09 思科技术公司 System and method for location reporting in an untrusted network environment
CN108418812A (en) * 2018-02-12 2018-08-17 北京豆荚科技有限公司 A kind of intelligent terminal security message method of servicing based on credible performing environment
CN108848496A (en) * 2018-06-12 2018-11-20 中国联合网络通信集团有限公司 Authentication method, TEE terminal and the management platform of virtual eSIM card based on TEE

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9027102B2 (en) * 2012-05-11 2015-05-05 Sprint Communications Company L.P. Web server bypass of backend process on near field communications and secure element chips
US10848320B2 (en) * 2016-03-25 2020-11-24 Apple Inc. Device-assisted verification
FR3054349B1 (en) * 2016-07-21 2019-06-07 Ingenico Group METHOD FOR PROCESSING DATA BY AN ELECTRONIC DATA ACQUISITION DEVICE, DEVICE AND PROGRAM THEREOF
US9942094B1 (en) * 2016-12-28 2018-04-10 T-Mobile Usa, Inc. Trusted execution environment-based UICC update

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105392116A (en) * 2014-08-22 2016-03-09 思科技术公司 System and method for location reporting in an untrusted network environment
CN108418812A (en) * 2018-02-12 2018-08-17 北京豆荚科技有限公司 A kind of intelligent terminal security message method of servicing based on credible performing environment
CN108848496A (en) * 2018-06-12 2018-11-20 中国联合网络通信集团有限公司 Authentication method, TEE terminal and the management platform of virtual eSIM card based on TEE

Also Published As

Publication number Publication date
CN109451483A (en) 2019-03-08

Similar Documents

Publication Publication Date Title
KR102242218B1 (en) User authentication method and apparatus, and wearable device registration method and apparatus
CN110178393B (en) Method, device and server for downloading subscription data set
CN109992949B (en) Equipment authentication method, over-the-air card writing method and equipment authentication device
US9854431B2 (en) Method, apparatus, and system of distributing data of virtual subscriber identity module
US9432086B2 (en) Method and system for authorizing execution of an application in an NFC device
CN101978675B (en) System and method for securely issuing subscription credentials to communication devices
US8850527B2 (en) Method of performing a secure application in an NFC device
CN108848496B (en) TEE-based virtual eSIM card authentication method, TEE terminal and management platform
CN101699892B (en) Method and device for generating dynamic passwords and network system
CN112559993B (en) Identity authentication method, device and system and electronic equipment
CN109451483B (en) eSIM data processing method, equipment and readable storage medium
CN105308907B (en) Installation package authorization method and device
KR101210260B1 (en) OTP certification device
CN111163467B (en) Method for 5G user terminal to access 5G network, user terminal equipment and medium
WO2020057314A1 (en) Method, device and system for issuing esim certificate online
CN104717648A (en) Unified authentication method and device based on SIM card
CN105743651B (en) The card in chip secure domain is using method, apparatus and application terminal
CN105812370A (en) Smart card processing method, device and system
CN106888448B (en) Application downloading method, secure element and terminal
CN101931530B (en) Generation method, authentication method and device for dynamic password and network system
JP2010117995A (en) System, device and method for issuing application
US20160078469A1 (en) Application Purchasing Method, And Terminal
CN107977564B (en) Transaction authentication processing method, authentication server, terminal and transaction equipment
CN110267253B (en) eSIM management platform, eSIM installation method and device
CN114928834B (en) Method for downloading user identification card profile of communication module, device, equipment and medium thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant