Summary of the invention
This part provides the general summary of the disclosure, rather than its full scope or the comprehensive of its whole feature drape over one's shoulders
Dew.
The data transmission system of the disclosure being designed to provide in a kind of eSIM Remote configuration, the system include first eventually
End, second terminal, Profile download server, encryption equipment 1 and encryption equipment 2;
Wherein, first terminal user requests the downloading of Profile data, and receives Profile download server by second
The Profile data that terminal is sent, and eSIM card is written;
Second terminal is used to authenticate first terminal when first terminal requests downloading Profile data;
The Profile download information and second terminal that Profile download server is used to be sent according to first terminal are sent
Authentication information, obtain Profile ciphertext, and be sent to first terminal;
Encryption equipment 1 encrypts in plain text for generating PPK key, and to PPK key and Profile, obtains PPK ciphertext 1
With Profile ciphertext, and it is sent to Profile download server;
Encryption equipment 2 receives the PPK of Profile download server transmission for generating the disposable public private key pair of another pair
PPK ciphertext 2 and DPot public key are then sent to Profile download server by ciphertext 1 and public key, and the PPK ciphertext 2 is by PPK
The processing of ciphertext 1 obtains.
Preferably, the first terminal further comprises eSIM card, downloading request module, key production module, decryption mould
Block;
Preferably, the eSIM card is used for Profile data management;
Preferably, the instruction that the downloading request module is used to be inputted according to user generates Profile downloading request, and
It is sent to second terminal;
Preferably, the key production module is for generating a pair of disposable public private key pair, and sends public key to
Profile download server, while storing private key;
Preferably, the deciphering module be used to receive ciphertext that Profile download server is sent by second terminal with
Public key, and after ciphertext is decrypted using private key, obtain corresponding Profile data.
Preferably, encryption equipment 2 is specifically used for: session key is calculated using DPot private key and eUICCot public key, and makes
PPK is obtained in plain text with server transport private key decryption PPK ciphertext 1, then, it is close to obtain PPK in plain text using session key encryption PPK
Text 2.
Preferably, the deciphering module is specifically used for: the decryption being calculated using DPot public key and eUICCot private key is close
PPK ciphertext 2 is decrypted in key, obtains PPK key, then, is decrypted using PPK key pair Profile ciphertext, finally
To Profile data.
Preferably, eSIM card is set in the first terminal, the second terminal is trusted third party's equipment, provides verifying
With communication etc. background services.
The present invention also provides the data transmission methods in a kind of eSIM Remote configuration, and this method comprises the following steps:
Step 1, when receiving Profile download information, to the authentication information of first terminal request eSIM card, and
Verify the authentication information;
Step 2, if the authentication information is by verifying, when monitoring Profile downloading confirmation instruction, by institute
It states Profile download information and the authentication information is sent to Profile download server, then, second terminal receives
The Profile data that the Profile download server returns, and the Profile data are sent to the first terminal,
So that the Profile data are written in eSIM card the first terminal;
The step 2 specifically:
Profile is sent to encryption equipment 1 by step 21, Profile download server in plain text;
Step 22,1 internal random of encryption equipment generate a PPK key, in plain text using PPK key encryption Profile, use
Server transport public key encryption PPK key obtains PPK ciphertext 1, and encryption equipment 1 is close to Profile download server output Profile
Text and PPK ciphertext 1;
Profile ciphertext and PPK ciphertext 1 are sent to Profile management service by step 23, Profile download server
Device is stored in the database of Profile management server, due to only having encryption equipment 2 that could decrypt Profile ciphertext,
As long as encryption equipment 2 is safe, Profile storage exactly safety;
Step 3, when first terminal receives the PPK ciphertext 2 and public affairs that Profile download server is sent by second terminal
After key, after PPK ciphertext 2 and Profile ciphertext are decrypted respectively, corresponding Profile data are obtained, and will be described
Profile data are written in eSIM card.
Preferably, the step 2 further include:
When step 24, first terminal request downloading Profile, a pair of disposable public private key pair of generation: eUICCot public key,
EUICCot private key, private key are stored in first terminal, and public key is sent to Profile download server;
PPK ciphertext 1, eUICCot public key are sent to encryption equipment 2 by step 25, Profile download server;
Step 26, encryption equipment 2 generate the disposable public private key pair of another pair: DPot public key and DPot private key, and by PPK ciphertext
2 and DPot public key is sent to Profile download server;
Profile ciphertext, PPK ciphertext 2 and DPot public key are passed through second terminal by step 27, Profile download server
It is forwarded to first terminal.
Preferably, the step 26 specifically: session key is calculated using DPot private key and eUICCot public key, and
PPK is obtained in plain text using server transport private key decryption PPK ciphertext 1, then, obtains PPK in plain text using session key encryption PPK
Ciphertext 2.
Preferably, the step 3 specifically: the decruption key pair being calculated using DPot public key and eUICCot private key
PPK ciphertext 2 is decrypted, and obtains PPK key, then, is decrypted, is finally obtained using PPK key pair Profile ciphertext
Profile data.
The utility model has the advantages that can directly pass through mobile terminal from Profile download service after authentication information is by verifying
Profile data are downloaded in device, and give the Profile data forwarding to eSIM card apparatus, realize the Profile data of eSIM card
Write-in can quickly and effectively connect the downloading that Profile download server carries out Profile, improve the downloading of Profile just
Benefit.Meanwhile after encryption equipment 1 and encryption equipment 2 carry out multi-enciphering using corresponding key in plain text to Profile, so that
Profile ciphertext is not easy to be stolen in download transmission and installation process, improves the safety of Profile data downloading.
From describing provided herein, further applicability region will become obvious.Description in this summary and
Specific examples are intended merely to the purpose of signal, are not intended to limit the scope of the present disclosure.
Specific embodiment
It is described more fully the example of the disclosure referring now to the drawings.It is described below and is merely exemplary in nature,
It is not intended to limit the disclosure, application or purposes.
Example embodiment is provided, so that the disclosure will become detailed, and will be abundant to those skilled in the art
Convey its range in ground.The example of numerous specific details such as particular elements, device and method is elaborated, to provide to the disclosure
The detailed understanding of embodiment.To those skilled in the art, it does not need using specific details, example embodiment can be used
Many different forms are implemented, they shall not be interpreted to limit the scope of the present disclosure.In some example embodiments,
Well-known process, well-known structure and widely-known technique are not described in detail.
Below will be proposed to present disclosure the technical issues of, is described in detail.It should be noted that, the technical problem
It is merely exemplary, the application being not intended to limit the present invention.
The present invention also provides the data transmission systems in a kind of eSIM Remote configuration.
As shown in Figure 1, the system includes first terminal, second terminal, Profile download server, Profile management clothes
Business device, encryption equipment 1 and encryption equipment 2.
Wherein, first terminal user requests the downloading of Profile data, and receives Profile download server by second
The Profile data that terminal is sent, and eSIM card is written.The first terminal includes eSIM card, downloading request module, key life
At module, deciphering module.
The eSIM card is used for Profile data management.
The downloading request module is used for the instruction that input according to user, generates Profile downloading and requests, and is sent to the
Two terminals.
The key production module is sent to Profile downloading for generating a pair of disposable public private key pair, and by public key
Server, while storing private key.
The deciphering module is used to receive the ciphertext and public key that Profile download server is sent by second terminal, and
After ciphertext is decrypted using private key, corresponding Profile data are obtained.
Second terminal is used to authenticate first terminal when first terminal requests downloading Profile data.
The Profile download information and second terminal that Profile download server is used to be sent according to first terminal are sent
Authentication information, obtain Profile ciphertext, and be sent to first terminal.
Profile management server is stored and is arranged for Profile data.
Encryption equipment 1 encrypts in plain text for generating PPK key, and to PPK key and Profile, obtains PPK ciphertext 1
With Profile ciphertext, and it is sent to Profile download server.
Encryption equipment 2 receives the PPK of Profile download server transmission for generating the disposable public private key pair of another pair
PPK ciphertext 2 and DPot public key are then sent to Profile download server by ciphertext 1 and public key, and the PPK ciphertext 2 is by PPK
The processing of ciphertext 1 obtains.
The following detailed description of the interactive mode of equipment each in above system.
When first terminal needs to download Profile, downloading request module therein generates Profile downloading request, concurrently
It is sent to second terminal.It wherein, include Profile download information in the downloading request.
ESIM card is set in the first terminal, the second terminal is trusted third party's equipment, provides verifying and communication
Equal background services.
After second terminal receives downloading request, Profile download information is obtained, and according to download information to first terminal
Request the authentication information of eSIM card.The authentication information can be the personal identification number of current eSIM card.
After first terminal receives the solicited message of second terminal transmission, downloading request module receives the current of user's input
The personal identification number of eSIM card, and it is sent to second terminal.
After second terminal receives the personal identification number of current eSIM card, it is pre- that the machine is obtained by Profile download information
The personal identification number deposited, and the personal identification number of the current eSIM card received is compared with the personal identification number prestored,
If the two is identical, the identity that the second terminal verifies the first terminal is legal, and Xiang Suoshu first terminal sends response and disappears
Breath;If the two is different, authentication error message is sent to the first terminal.
If the authentication information, by verifying, second terminal, will when monitoring Profile downloading confirmation instruction
The Profile download information and the authentication information are sent to Profile download server, and then, second terminal connects
The Profile data that the Profile download server returns are received, and the Profile data are sent to described first eventually
End, so that the Profile data are written in eSIM card the first terminal.
Specifically:
Profile is sent to encryption equipment 1 by Profile download server in plain text.
1 internal random of encryption equipment generates a PPK key, in plain text using PPK key encryption Profile, uses server
Transmit public key encryption PPK key obtain PPK ciphertext 1, encryption equipment 1 to Profile download server output Profile ciphertext and
PPK ciphertext 1.
Profile ciphertext and PPK ciphertext 1 are sent to Profile management server by Profile download server, storage
In the database of Profile management server, due to only having encryption equipment 2 that could decrypt Profile ciphertext, as long as encryption
Machine 2 is safe, Profile storage exactly safety.
In order to realize forward secrecy, in downloading process, SIM card hardware (eUICC) i.e. needs between eSIM and encryption equipment 2
Will be by one disposable session key of ECKA negotiating algorithm, the session key is for encrypting PPK.
When first terminal request downloading Profile, key production module therein generates a pair of disposable public private key pair:
EUICCot public key, eUICCot private key, private key are stored in the key production module, and public key are sent under Profile
Carry server.
PPK ciphertext 1, eUICCot public key are sent to encryption equipment 2 by Profile download server.
Encryption equipment 2 generates the disposable public private key pair of another pair: DPot public key and DPot private key, and then, encryption equipment 2 uses
Session key is calculated in DPot private key and eUICCot public key, and obtains PPK using server transport private key decryption PPK ciphertext 1
In plain text.
Encryption equipment 2 obtains PPK ciphertext 2 using session key encryption PPK in plain text, and encryption equipment is by PPK ciphertext 2 and DPot public key
It is sent to Profile download server
Profile ciphertext, PPK ciphertext 2 and DPot public key are forwarded to by second terminal by Profile download server
One terminal.
After first terminal receives ciphertext and the public key of the transmission of Profile download server, deciphering module difference therein
After PPK ciphertext 2 and Profile ciphertext are decrypted, corresponding Profile data are obtained, and the Profile data are write
Enter in eSIM card.
Specifically: first terminal receive the Profile ciphertext that Profile download server sent by second terminal,
After PPK ciphertext 2 and DPot public key, decruption key that the deciphering module is calculated using DPot public key and eUICCot private key
PPK ciphertext 2 is decrypted, PPK key is obtained, then, the deciphering module is carried out using PPK key pair Profile ciphertext
Decryption, finally obtains Profile data.
Obtained Profile data are written in eSIM card first terminal, form new eSIM card.
The present invention also provides the data transmission methods in a kind of eSIM Remote configuration.
As shown in Fig. 2, this method comprises the following steps:
Step 1, when receiving Profile download information, to the authentication information of first terminal request eSIM card, and
Verify the authentication information.
Specifically: when first terminal needs to download Profile, Profile downloading request is generated, and be sent to second eventually
End.
It wherein, include Profile download information in the downloading request.
ESIM card is set in the first terminal, the second terminal is trusted third party's equipment, provides verifying and communication
Equal background services.
After second terminal receives downloading request, Profile download information is obtained, and whole to first according to download information
The authentication information of end request eSIM card.The authentication information can be the personal identification number of current eSIM card.
The personal identification number of the current eSIM card of user's input is received on first terminal, and is sent to second terminal.
After second terminal receives the personal identification number of current eSIM card, the machine is obtained by Profile download information
The personal identification number prestored, and the personal identification number of the current eSIM card received is compared with the personal identification number prestored
Compared with if the two is identical, the identity that the second terminal verifies the first terminal is legal, and Xiang Suoshu first terminal sends response
Message;If the two is different, authentication error message is sent to the first terminal.
Step 2, if the authentication information is by verifying, when monitoring Profile downloading confirmation instruction, by institute
It states Profile download information and the authentication information is sent to Profile download server, then, second terminal receives
The Profile data that the Profile download server returns, and the Profile data are sent to the first terminal,
So that the Profile data are written in eSIM card the first terminal.
Specifically:
Profile is sent to encryption equipment 1 by step 21, Profile download server in plain text.
Step 22,1 internal random of encryption equipment generate a PPK key, in plain text using PPK key encryption Profile, use
Server transport public key encryption PPK key obtains PPK ciphertext 1, and encryption equipment 1 is close to Profile download server output Profile
Text and PPK ciphertext 1.
Profile ciphertext and PPK ciphertext 1 are sent to Profile management service by step 23, Profile download server
Device is stored in the database of Profile management server, due to only having encryption equipment 2 that could decrypt Profile ciphertext,
As long as encryption equipment 2 is safe, Profile storage exactly safety.
In order to realize forward secrecy, in downloading process, SIM card hardware (eUICC) i.e. needs between eSIM and encryption equipment 2
Will be by one disposable session key of ECKA negotiating algorithm, the session key is for encrypting PPK.
When step 24, first terminal request downloading Profile, a pair of disposable public private key pair of generation: eUICCot public key,
EUICCot private key, private key are stored in first terminal, and public key is sent to Profile download server.
PPK ciphertext 1, eUICCot public key are sent to encryption equipment 2 by step 25, Profile download server.
Step 26, encryption equipment 2 generate the disposable public private key pair of another pair: DPot public key and DPot private key, use DPot private
Session key is calculated in key and eUICCot public key, and encryption equipment 2 obtains PPK using server transport private key decryption PPK ciphertext 1
In plain text, it reuses session key encryption PPK and obtains PPK ciphertext 2 in plain text, PPK ciphertext 2 and DPot public key are sent to by encryption equipment
Profile download server.
Profile ciphertext, PPK ciphertext 2 and DPot public key are passed through second terminal by step 27, Profile download server
It is forwarded to first terminal.
Step 3, right respectively after first terminal receives the PPK ciphertext 2 and public key of Profile download server transmission
After PPK ciphertext 2 and Profile ciphertext are decrypted, corresponding Profile data are obtained, and the Profile data are written
In eSIM card.
Specifically: when to receive the Profile that Profile download server is sent by second terminal close for first terminal
After text, PPK ciphertext 2 and DPot public key, the decruption key being calculated using DPot public key and eUICCot private key is to PPK ciphertext 2
It is decrypted, obtains PPK key, then, be decrypted using PPK key pair Profile ciphertext, finally obtain Profile number
According to.
Obtained Profile data are written in eSIM card, new eSIM card is formed.
Preferred embodiment of the present disclosure is described above by reference to attached drawing, but the disclosure is certainly not limited to above example.This
Field technical staff can obtain various changes and modifications within the scope of the appended claims, and should be understood that these changes and repair
Changing nature will fall into scope of the presently disclosed technology.
For example, can be realized in the embodiment above by the device separated including multiple functions in a unit.
As an alternative, the multiple functions of being realized in the embodiment above by multiple units can be realized by the device separated respectively.In addition, with
One of upper function can be realized by multiple units.Needless to say, such configuration includes in scope of the presently disclosed technology.
In this specification, described in flow chart the step of not only includes the place executed in temporal sequence with the sequence
Reason, and including concurrently or individually rather than the processing that must execute in temporal sequence.In addition, even in temporal sequence
In the step of processing, needless to say, the sequence can also be suitably changed.
Although embodiment of the disclosure is described in detail in conjunction with attached drawing above, it is to be understood that reality described above
The mode of applying is only intended to illustrate the disclosure, and does not constitute the limitation to the disclosure.For those skilled in the art, may be used
To make various changes and modifications the spirit and scope without departing from the disclosure to above embodiment.Therefore, the disclosure
Range is only limited by the attached claims and its equivalents.