CN111741465B - Soft SIM protection method and equipment - Google Patents

Soft SIM protection method and equipment

Info

Publication number
CN111741465B
Authority
CN
China
Legal status
Active
Application number
CN201910227355.7A
Other languages
Chinese (zh)
Other versions
CN111741465A (en)
Inventor
孔胜淼
刘明
闫锐
范晨
袁乃华
Current Assignee
Chengdu TD Tech Ltd
Original Assignee
Chengdu TD Tech Ltd

Classifications

    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, using cryptographic hash functions
    • H04L9/3242 As H04L9/3236, involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04W12/06 Authentication (under H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)

Abstract

The embodiment of the invention provides a soft SIM protection method and equipment. The method comprises: obtaining an authentication code through hash algorithm calculation from first information of the terminal equipment and soft SIM information, wherein the first information is information that uniquely characterizes the terminal equipment; and initiating an authentication operation towards a server side according to the identification of the terminal equipment and the authentication code, so that a secure link with the server side is established after authentication succeeds. The soft SIM protection method provided by the embodiment of the invention improves the security of identity identification of Internet of things terminal equipment while keeping the implementation cost low.

Description

Soft SIM protection method and equipment
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a soft SIM protection method and equipment.
Background
The Internet of things is an information carrier based on the Internet, broadcast television networks, traditional telecommunication networks and the like, through which all ordinary physical objects that can be independently addressed are interconnected. An Internet of things terminal is equipment that connects the sensing layer and the transmission layer of the Internet of things, collecting data and sending it to the network layer. In order to realize identity recognition and service bearing, the Internet of things terminal needs to be provided with a subscriber identity module (Subscriber Identity Module, SIM).
In the prior art, three schemes, namely a hard SIM, a soft SIM and an embedded subscriber identity module (Embedded Subscriber Identity Module, eSIM), are generally adopted to identify the Internet of things terminal.
However, hard SIMs and eSIMs increase hardware cost through the trusted execution environment (Trusted Execution Environment, TEE) or trusted platform module (Trusted Platform Module, TPM) they require, while existing soft SIM solutions lack the necessary security measures; in particular, under low-power wide-area-network Internet of things conditions, the terminal is easily compromised so that the SIM information is tampered with. None of these schemes therefore meets the requirements of users and operators for low-cost, high-reliability Internet of things terminals.
Disclosure of Invention
The embodiment of the invention provides a soft SIM protection method and equipment, which are used for reducing the cost of identity identification of Internet of things terminal equipment and improving the security of soft SIM identity identification.
In a first aspect, an embodiment of the present invention provides a soft SIM protection method, including:
according to first information and soft SIM information of terminal equipment, obtaining an authentication code through hash algorithm calculation, wherein the first information is information for uniquely characterizing the terminal equipment;
and initiating authentication operation to a server side according to the identification of the terminal equipment and the authentication code so as to establish a secure link with the server side after authentication is successful.
In one possible design, the first information is any one of a root key, activation program version information, an international mobile equipment identification code, and an electronic serial number.
In one possible design, the first information includes first sub-information and second sub-information; the obtaining the authentication code through hash algorithm calculation according to the first information and the soft SIM information of the terminal equipment comprises the following steps:
acquiring first sub-information and the soft SIM information, and calculating to acquire a first hash value through a hash algorithm according to the first sub-information and the soft SIM information;
acquiring second sub-information, and calculating to acquire the authentication code through a hash algorithm according to the second sub-information and the first hash value;
wherein the first sub-information and the second sub-information are any one of a root key, an activation program version information, an international mobile equipment identification code, and an electronic serial number, and the first sub-information is different from the second sub-information.
In one possible design, the first information includes first, second, and third sub-information; the obtaining the authentication code through hash algorithm calculation according to the first information and the soft SIM information of the terminal equipment comprises the following steps:
acquiring first sub-information and the soft SIM information, and calculating to acquire a first hash value through a hash algorithm according to the first sub-information and the soft SIM information;
acquiring second sub-information, and calculating to acquire a second hash value through a hash algorithm according to the second sub-information and the first hash value;
acquiring third sub-information, and calculating to acquire the authentication code through a hash algorithm according to the third sub-information and the second hash value;
the first sub-information, the second sub-information and the third sub-information are any one of a root key, an activation program version information, an international mobile equipment identification code and an electronic serial number, and the first sub-information, the second sub-information and the third sub-information are different.
In one possible design, the first information includes a root key; before the authentication code is obtained through the hash algorithm calculation according to the first information and the soft SIM information of the terminal equipment, the method further comprises the following steps:
in the running stage of the bootstrap program, accessing and obtaining the root key;
and initiating authentication operation to a server side according to the identification of the terminal equipment and the authentication code, wherein the authentication operation comprises the following steps:
and in the operation stage of the activation program, initiating authentication operation to a server side according to the identification of the terminal equipment and the authentication code.
In a second aspect, an embodiment of the present invention provides a soft SIM protection device, including:
the processing module is used for obtaining an authentication code through hash algorithm calculation according to first information and soft SIM information of the terminal equipment, wherein the first information is information used for uniquely characterizing the terminal equipment;
and the authentication module is used for initiating authentication operation to the server side according to the identification of the terminal equipment and the authentication code so as to establish a secure link with the server side after the authentication is successful.
In one possible design, the first information is any one of a root key, activation program version information, an international mobile equipment identification code, and an electronic serial number.
In one possible design, the first information includes first sub-information and second sub-information; the processing module is specifically configured to:
acquiring first sub-information and the soft SIM information, and calculating to acquire a first hash value through a hash algorithm according to the first sub-information and the soft SIM information;
acquiring second sub-information, and calculating to acquire the authentication code through a hash algorithm according to the second sub-information and the first hash value;
wherein the first sub-information and the second sub-information are any one of a root key, an activation program version information, an international mobile equipment identification code, and an electronic serial number, and the first sub-information is different from the second sub-information.
In one possible design, the first information includes first, second, and third sub-information; the processing module is specifically configured to:
acquiring first sub-information and the soft SIM information, and calculating to acquire a first hash value through a hash algorithm according to the first sub-information and the soft SIM information;
acquiring second sub-information, and calculating to acquire a second hash value through a hash algorithm according to the second sub-information and the first hash value;
acquiring third sub-information, and calculating to acquire the authentication code through a hash algorithm according to the third sub-information and the second hash value;
the first sub-information, the second sub-information and the third sub-information are any one of a root key, an activation program version information, an international mobile equipment identification code and an electronic serial number, and the first sub-information, the second sub-information and the third sub-information are different.
In one possible design, the first information includes a root key; the apparatus further comprises:
the acquisition module is used for accessing and acquiring the root key in the operation stage of the bootstrap program before the authentication code is obtained according to the first information of the terminal equipment and the soft SIM information through the hash algorithm calculation;
the authentication module is specifically configured to:
and in the operation stage of the activation program, initiating authentication operation to a server side according to the identification of the terminal equipment and the authentication code.
In a third aspect, an embodiment of the present invention provides a soft SIM protection device, including: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored by the memory such that the at least one processor performs the method as described above in the first aspect and the various possible designs of the first aspect.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium having stored therein computer-executable instructions which, when executed by a processor, implement the method as described in the first aspect and the various possible designs of the first aspect.
According to the soft SIM protection method and the soft SIM protection device, the authentication code is obtained through the hash algorithm from the information uniquely characterizing the terminal device together with the soft SIM information, and authentication is initiated to the server side with the authentication code and the identification under which the terminal device is registered at the server. If authentication succeeds, a secure link between the terminal device and the server is established; if it fails, this indicates that the soft SIM information or the related information of the terminal device is wrong. The security of identity identification of Internet of things terminal devices is thereby improved while low-cost implementation is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the drawings that are needed in the embodiments or the description of the prior art will be briefly described below, it will be obvious that the drawings in the following description are some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort to a person skilled in the art.
Fig. 1 is a schematic architecture diagram of an identity recognition system of an internet of things terminal device according to an embodiment of the present invention;
fig. 2 is a flowchart of a soft SIM protection method according to another embodiment of the present invention;
fig. 3 is a flowchart of a soft SIM protection method according to another embodiment of the present invention;
fig. 4 is a flowchart of a soft SIM protection method according to still another embodiment of the present invention;
fig. 5 is a flowchart of a soft SIM protection method according to another embodiment of the present invention;
fig. 6 is a schematic structural diagram of a soft SIM protection device according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a soft SIM protection device according to another embodiment of the present invention;
fig. 8 is a schematic hardware structure of a soft SIM protection device according to still another embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a schematic architecture diagram of an identity recognition system of an Internet of things terminal device according to an embodiment of the present invention. As shown in fig. 1, the system provided in this embodiment includes a terminal device 101 and a server 102. The terminal device 101 may be an Internet of things terminal device and may include a communication interface, a microprocessor, a sensor, and an identity module (Subscriber Identification Module, SIM). The terminal device 101 may communicate with the server 102 via various wireless or wired networks so that the server 102 can complete the identification of the terminal device 101. The network may be a wide area network (wireless mobile communication network, satellite communication network, Internet and public telephone network), a local area network (Ethernet, wireless local area network, Bluetooth, Wi-Fi) or a personal area network (Zigbee, sensor network). The terminal device 101 may be any terminal device capable of exchanging information between objects, for example a pet tracking terminal, an intelligent agriculture terminal or an intelligent parking terminal. The specific implementation of the terminal device in this embodiment is not particularly limited.
The present embodiments aim to complete the identity authentication of the terminal device. The identity recognition module may be a hard SIM or an eSIM with high security, but both increase the hardware cost; a soft SIM solution may be adopted instead, but it lacks the necessary security measures, so existing identity recognition schemes cannot meet the requirements of users and operators for low-cost, high-reliability Internet of things terminals. On this basis, the embodiment of the invention provides a soft SIM protection method that improves the security of soft SIM protection while keeping the cost low.
The soft SIM protection method provided by the embodiment of the present invention is described below with specific embodiments.
Fig. 2 is a flowchart of a soft SIM protection method according to another embodiment of the present invention. As shown in fig. 2, the method includes:
S201, according to first information of terminal equipment and soft SIM information, an authentication code is obtained through hash algorithm calculation, wherein the first information is information used for uniquely characterizing the terminal equipment.
Alternatively, the execution subject of the method may be integrated on the terminal device, or on the server, or be a separate third party device in communication with both the terminal device and the server.
Alternatively, the hash algorithm calculation may use a hash function and an HMAC function. Hash function: a function that maps a message of any length to a hash value of fixed length. In the following embodiments fHASH() denotes the hash function; the specific algorithm, such as SHA1 or SHA256, may be selected according to the balance between performance and security requirements, and the present embodiment is not particularly limited. HMAC function: HMAC is a key-dependent hash-based message authentication code algorithm that takes a key and a message as inputs and produces a message digest as output. In the following embodiments fHMAC() denotes the HMAC function; fHMAC() may be built on different hash algorithms, such as HMAC-SHA256, according to the balance between performance and security requirements, and the present embodiment is not particularly limited.
Alternatively, the first information may be a root key (Root Key), activation program version information, an international mobile equipment identity (International Mobile Equipment Identity, IMEI), or an electronic serial number (Electronic Serial Number, ESN). The IMEI may be the IMEI of any core component in the terminal device (e.g., the modem) or the IMEI of the whole terminal device.
S202, initiating authentication operation to a server side according to the identification of the terminal equipment and the authentication code so as to establish a secure link with the server side after authentication is successful.
The identifier of the terminal device in this embodiment may be any identifier that can be used to uniquely register the terminal device in the server. For example, the identifier may be an IMEI of a modem in the terminal device or an IMEI of a complete machine of the terminal device.
In practical applications, there may be various methods of authentication at the server side. In one possible implementation, the authentication code of each terminal device is stored in advance on the server side; the server then compares the authentication code sent by the current terminal device with the stored authentication code of that terminal device. If the two match, authentication succeeds, otherwise it fails. The present embodiment is not limited to a particular scheme.
According to the soft SIM protection method provided by this embodiment, the authentication code is obtained through the hash algorithm from the information uniquely characterizing the terminal equipment together with the soft SIM information, and authentication is initiated to the server side with the authentication code and the identification under which the terminal equipment is registered at the server. If authentication succeeds, a secure link between the terminal equipment and the server is established; if it fails, this indicates that the soft SIM information or the related information of the terminal equipment is wrong. The security of identity identification of Internet of things terminal equipment is thereby improved while low-cost implementation is ensured.
Fig. 3 is a flowchart of a soft SIM protection method according to another embodiment of the present invention. As shown in fig. 3, the first information includes first sub information and second sub information; the method comprises the following steps:
S301, the first information comprises first sub-information and second sub-information; the first sub-information and the soft SIM information are obtained, and a first hash value is calculated through a hash algorithm from the first sub-information and the soft SIM information.
Alternatively, the first sub-information may be any one of a root key, activation program version information, an international mobile equipment identification code and an electronic serial number. The first sub-information (M1) is used as the key and substituted, together with the soft SIM information (SoftSIM), into an HMAC function, yielding the first hash value h1 = fHMAC(M1, SoftSIM).
S302, acquiring second sub-information, and calculating and acquiring the authentication code through a hash algorithm according to the second sub-information and the first hash value; wherein the first sub-information and the second sub-information are any one of a root key, an activation program version information, an international mobile equipment identification code, and an electronic serial number, and the first sub-information is different from the second sub-information.
Alternatively, the second sub-information (M2) is used as the key and substituted, together with the first hash value (h1), into an HMAC function, yielding the authentication code hResult = fHMAC(M2, h1).
S303, initiating authentication operation to the server side according to the identification of the terminal equipment and the authentication code so as to establish a secure link with the server side after authentication is successful.
In this embodiment, step S303 is similar to step S202 in the above embodiment, and will not be described here again.
According to the soft SIM protection method provided by the embodiment, the authentication code is obtained by carrying out hash operation on any two of the root key, the version information of the activation program, the international mobile equipment identification code, the electronic serial number and the soft SIM, and then an authentication request is initiated to the server according to the authentication code and the identification. The method can improve the safety of identity identification of the terminal equipment of the Internet of things and simultaneously ensure low cost.
Fig. 4 is a flowchart of a soft SIM protection method according to still another embodiment of the present invention. As shown in fig. 4, the first information includes first, second and third sub information; the method comprises the following steps:
S401, acquiring first sub-information and the soft SIM information, and calculating to obtain a first hash value through a hash algorithm according to the first sub-information and the soft SIM information.
Step S401 in this embodiment is similar to step S301 in the above embodiment, and will not be described here again.
S402, obtaining second sub-information, and obtaining a second hash value through hash algorithm calculation according to the second sub-information and the first hash value.
Alternatively, the second sub-information (M2) is used as the key and substituted, together with the first hash value (h1), into an HMAC function, yielding the second hash value h2 = fHMAC(M2, h1).
S403, obtaining third sub-information, and obtaining the authentication code through hash algorithm calculation according to the third sub-information and the second hash value; the first sub-information, the second sub-information and the third sub-information are any one of a root key, activation program version information, an international mobile equipment identification code and an electronic serial number, and the first sub-information, the second sub-information and the third sub-information are different from one another.
Alternatively, the third sub-information (M3) is used as the key and substituted, together with the second hash value (h2), into an HMAC function, yielding the authentication code hResult = fHMAC(M3, h2).
In this embodiment, the authentication code is generated from the root key, the activation program version information, the international mobile equipment identification code, the electronic serial number and the soft SIM information, and authentication is based on that code. Conditions in the terminal device such as modification of the soft SIM file, modification of the activation program version or theft of the root key value are therefore reflected in the authentication code hResult, so that authentication fails in step S404 described below. The server may then take further security precautions in response to the authentication failure.
S404, initiating authentication operation to the server side according to the identification of the terminal equipment and the authentication code so as to establish a secure link with the server side after the authentication is successful.
In this embodiment, step S404 is similar to step S202 in the above embodiment, and will not be described here again.
According to the soft SIM protection method provided by this embodiment, the authentication code is obtained by carrying out hash operations on any three of the root key, the activation program version information, the international mobile equipment identification code and the electronic serial number together with the soft SIM, and an authentication request is then initiated to the server according to the authentication code and the identification. The method improves the security of identity identification of Internet of things terminal equipment while ensuring low cost.
Fig. 5 is a flowchart of a soft SIM protection method according to another embodiment of the present invention. As shown in fig. 5, the first information includes a root key; the method comprises the following steps:
S501, accessing and obtaining the root key in the operation stage of the bootstrap program.
Optionally, at the initial stage of starting the terminal device of the internet of things, a bootstrap program (Booter) is started first, and at the running stage of the bootstrap program, an authentication code of the terminal device, namely an hResult value, is calculated.
In a specific embodiment, this step may specifically include:
S5011, starting the Booter.
S5012, reading the root key with exclusive access: rtKey = RootKey.
S502, according to the first information and the soft SIM information of the terminal equipment, an authentication code is obtained through calculation of a hash algorithm.
Optionally, in a specific embodiment, the step S502 may specifically include:
S5021, access the soft SIM storage file softSIM and compute an HMAC value keyed with the root key rtKey: h0 = fHMAC(rtKey, softSIM);
S5022, access the Loader version area and compute h1 = fHMAC(h0, fHASH(Loader)) with h0 as the key;
S5023, read the IMEI of the Modem in the terminal device and compute h2 = fHMAC(h1, fHASH(IMEI)) with h1 as the key;
S5024, output hResult = h2 and erase the intermediate results of the above calculations.
S5025, the Booter pulls up the activation program (Loader) and passes hResult to the Loader.
S503, in the operation stage of the activation program, according to the identification of the terminal equipment and the authentication code, an authentication operation is initiated to a server side.
Optionally, in the running stage of the activation program, a secure soft SIM maintenance channel is established using the hResult calculated in the running stage of the bootstrap program.
Alternatively, in a specific embodiment, the step S503 may specifically include:
S5031, after the Loader is started, the normal network attach procedure is completed;
S5032, the terminal device initiates authentication to the server using its identifier and hResult, and establishes a secure link with the server side (the secure link may use the Datagram Transport Layer Security (DTLS) protocol or another security scheme; this embodiment does not limit it).
S5033, subsequent soft SIM security management is completed over the secure link.
According to this soft SIM protection method, the root key is obtained in the running stage of the bootstrap program, a hash operation over the root key and the soft SIM information yields the authentication code, and an authentication request is then sent to the server using the authentication code and the identifier. The method improves the security of identity authentication for Internet of Things terminal devices while keeping the cost low.
Fig. 6 is a schematic structural diagram of a soft SIM protection device according to an embodiment of the present invention. As shown in fig. 6, the soft SIM protection device 60 includes: a processing module 601 and an authentication module 602.
The processing module 601 is configured to obtain an authentication code by performing a hash algorithm calculation according to first information of a terminal device and soft SIM information, where the first information is information for uniquely characterizing the terminal device.
Optionally, the soft SIM protection device 60 may be integrated in the terminal device, in a server, or in a separate third-party device that communicates with both the terminal device and the server.
Optionally, the hash algorithm may be computed with a hash function and an HMAC function. Hash function: a function that maps a message of arbitrary length to a hash value of fixed length. In the following embodiments fHASH() denotes the hash function; the specific algorithm, such as SHA1 or SHA256, may be chosen according to the balance between performance and security requirements, and this embodiment does not limit it. HMAC function: HMAC is a keyed-hash message authentication code algorithm that takes a key and a message as input and produces a message digest as output. In the following embodiments fHMAC() denotes the HMAC function; fHMAC() may be built on different hash algorithms, such as HMAC_SHA256, according to the balance between performance and security requirements, and this embodiment does not limit it.
Optionally, the first information may be a root key (Root Key), activation program version information, an international mobile equipment identity (International Mobile Equipment Identity, IMEI) or an electronic serial number (Electronic Serial Number, ESN). The IMEI may be the IMEI of any core component in the terminal device (for example, the Modem) or the IMEI of the whole terminal device.
And the authentication module 602 is configured to initiate an authentication operation to the server side according to the identifier of the terminal device and the authentication code, so as to establish a secure link with the server side after authentication is successful.
The identifier of the terminal device in this embodiment may be any identifier that uniquely registers the terminal device with the server; for example, it may be the IMEI of the Modem in the terminal device or the IMEI of the whole terminal device.
In the soft SIM protection device provided by this embodiment of the invention, the processing module 601 calculates the authentication code by a hash algorithm from the information uniquely characterizing the terminal device and the soft SIM information, and the authentication module 602 initiates authentication to the server side using the authentication code and the identifier under which the terminal device is registered in the server. If authentication succeeds, the secure link between the terminal device and the server is established; if it fails, this indicates that the soft SIM information or related information of the terminal device is wrong. The security of identity authentication for Internet of Things terminal devices is thereby improved while low cost is preserved.
Fig. 7 is a schematic structural diagram of a soft SIM protection device according to another embodiment of the present invention. As shown in fig. 7, the soft SIM protection device 70 further comprises an acquisition module 603.
The acquisition module is configured to access and obtain the root key in the running stage of the bootstrap program, before the authentication code is obtained by hash algorithm calculation from the first information and the soft SIM information of the terminal device.
Optionally, at the initial stage of starting the terminal device of the internet of things, a bootstrap program (Booter) is started first, and at the running stage of the bootstrap program, an authentication code of the terminal device, namely an hResult value, is calculated.
In a specific embodiment, the obtaining module is specifically configured to:
S5011, start the Booter.
S5012, read the root key with exclusive access: rtKey = RootKey.
The authentication module is specifically configured to:
and in the operation stage of the activation program, initiating authentication operation to a server side according to the identification of the terminal equipment and the authentication code.
Optionally, in the running stage of the activation program, a secure soft SIM maintenance channel is established using the hResult calculated in the running stage of the bootstrap program.
Alternatively, in a specific embodiment, the authentication module may be specifically configured to:
S5031, after the Loader is started, the normal network attach procedure is completed;
S5032, the terminal device initiates authentication to the server using its identifier and hResult, and establishes a secure link with the server side (the secure link may use the Datagram Transport Layer Security (DTLS) protocol or another security scheme; this embodiment does not limit it).
S5033, subsequent soft SIM security management is completed over the secure link.
In one possible design, the first information is any one of a root key, activation program version information, an international mobile equipment identity and an electronic serial number.
In one possible design, the first information includes first sub-information and second sub-information; the processing module is specifically configured to:
acquiring first sub-information and the soft SIM information, and calculating to acquire a first hash value through a hash algorithm according to the first sub-information and the soft SIM information;
Optionally, the first sub-information may be any one of a root key, activation program version information, an international mobile equipment identity and an electronic serial number. The first sub-information (M1) may be used as the key, and the first sub-information and the soft SIM information (SoftSIM) are substituted into an HMAC function to obtain the first hash value h1 = fHMAC(M1, SoftSIM).
Acquiring second sub-information, and calculating to acquire the authentication code through a hash algorithm according to the second sub-information and the first hash value;
wherein the first sub-information and the second sub-information are each any one of a root key, activation program version information, an international mobile equipment identity and an electronic serial number, and the first sub-information is different from the second sub-information.
Optionally, the second sub-information (M2) may be used as the key, and the second sub-information (M2) and the first hash value (h1) are substituted into an HMAC function to obtain the authentication code hResult = fHMAC(M2, h1).
In one possible design, the first information includes first, second, and third sub-information; the processing module is specifically configured to:
acquiring first sub-information and the soft SIM information, and calculating to acquire a first hash value through a hash algorithm according to the first sub-information and the soft SIM information;
Optionally, the first sub-information may be any one of a root key, activation program version information, an international mobile equipment identity and an electronic serial number. The first sub-information (M1) may be used as the key, and the first sub-information and the soft SIM information (SoftSIM) are substituted into an HMAC function to obtain the first hash value h1 = fHMAC(M1, SoftSIM).
Acquiring second sub-information, and calculating to acquire a second hash value through a hash algorithm according to the second sub-information and the first hash value;
Optionally, the second sub-information (M2) may be used as the key and substituted into an HMAC function together with the first hash value (h1) to obtain the second hash value h2 = fHMAC(M2, h1).
Acquiring third sub-information, and calculating to acquire the authentication code through a hash algorithm according to the third sub-information and the second hash value;
the first sub-information, the second sub-information and the third sub-information are each any one of a root key, activation program version information, an international mobile equipment identity and an electronic serial number, and the first sub-information, the second sub-information and the third sub-information are different from one another.
Optionally, the third sub-information (M3) may be used as the key, and the third sub-information and the second hash value (h2) are substituted into an HMAC function to obtain the authentication code hResult = fHMAC(M3, h2).
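The following Python is an added worked example, not code from the patent or from Chengdu TD Tech. It implements the boot-stage chain of steps S5021 to S5024 in Fig. 5 (h0 = fHMAC(rtKey, softSIM), h1 = fHMAC(h0, fHASH(Loader)), h2 = fHMAC(h1, fHASH(IMEI))), generalised to any number of further pieces of sub-information so that it also covers the one-, two- and three-sub-information designs described for the device above, and pairs it with a server-side check that recomputes hResult for a registered identifier. It assumes SHA-256 for fHASH() and HMAC-SHA256 for fHMAC(), follows the keying order of Fig. 5 (previous value as key, hash of the next item as message; the device designs above swap the roles of key and message), and uses constructed sample values for the root key, soft SIM file, Loader image and IMEI. The AuthServer class and its registry are assumptions: the page does not describe how the server side obtains the expected value.

```python
import hashlib
import hmac
from typing import Dict, Sequence, Tuple

# Constructed sample values (not taken from the patent) standing in for a
# device's real root key, soft SIM storage file, Loader image and Modem IMEI.
ROOT_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SOFT_SIM = b"IMSI=460000000000001;Ki=constructed-ki;OPc=constructed-opc"
LOADER = b"loader-v1.2.0 (constructed image bytes)"
IMEI = b"490154203237518"


def fhash(data: bytes) -> bytes:
    """fHASH() of the page; the digest is left open there, SHA-256 is assumed."""
    return hashlib.sha256(data).digest()


def fhmac(key: bytes, msg: bytes) -> bytes:
    """fHMAC() of the page, instantiated as HMAC-SHA256 (the option it names)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def boot_stage_hresult(root_key: bytes, soft_sim: bytes,
                       further_info: Sequence[bytes]) -> bytes:
    """Steps S5021-S5024 of Fig. 5, generalised to any number of further inputs.

    h0 = fHMAC(rtKey, softSIM); then for every further item X (Loader image,
    IMEI, ESN, ...) h = fHMAC(h_prev, fHASH(X)), keyed on the previous value,
    so a change to any input changes the final hResult. Intermediate values
    are kept in bytearrays and zeroed before the function returns (S5024).
    """
    h = bytearray(fhmac(root_key, soft_sim))
    for item in further_info:
        nxt = bytearray(fhmac(h, fhash(item)))
        for i in range(len(h)):      # erase the previous intermediate value
            h[i] = 0
        h = nxt
    result = bytes(h)                # hResult = last value in the chain
    for i in range(len(h)):
        h[i] = 0
    return result


class AuthServer:
    """Assumed server side (not described on the page). Per identifier (the
    Modem IMEI in this example) the server keeps the provisioning inputs and
    recomputes the expected hResult on every authentication request."""

    def __init__(self) -> None:
        self._registry: Dict[str, Tuple[bytes, bytes, bytes, bytes]] = {}

    def register(self, identifier: str, root_key: bytes, soft_sim: bytes,
                 loader: bytes, imei: bytes) -> None:
        self._registry[identifier] = (root_key, soft_sim, loader, imei)

    def authenticate(self, identifier: str, presented: bytes) -> bool:
        record = self._registry.get(identifier)
        if record is None:           # unknown device: fail closed
            return False
        root_key, soft_sim, loader, imei = record
        expected = boot_stage_hresult(root_key, soft_sim, [loader, imei])
        # constant-time comparison so the check itself leaks nothing
        return hmac.compare_digest(expected, presented)


def demo() -> Dict[str, bool]:
    """A genuine device authenticates; any tampered input makes S404 fail."""
    server = AuthServer()
    ident = IMEI.decode()
    server.register(ident, ROOT_KEY, SOFT_SIM, LOADER, IMEI)

    genuine = boot_stage_hresult(ROOT_KEY, SOFT_SIM, [LOADER, IMEI])
    bad_sim = boot_stage_hresult(ROOT_KEY, SOFT_SIM + b";Ki=patched", [LOADER, IMEI])
    bad_loader = boot_stage_hresult(ROOT_KEY, SOFT_SIM, [LOADER + b"-modified", IMEI])
    bad_key = boot_stage_hresult(bytes(16), SOFT_SIM, [LOADER, IMEI])

    return {
        "genuine": server.authenticate(ident, genuine),
        "modified_soft_sim": server.authenticate(ident, bad_sim),
        "modified_loader": server.authenticate(ident, bad_loader),
        "wrong_root_key": server.authenticate(ident, bad_key),
        "unregistered_identifier": server.authenticate("000000000000000", genuine),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} -> {'authenticated' if ok else 'rejected'}")
```

Running the block shows the genuine chain accepted and the modified soft SIM file, modified Loader image, wrong root key and unregistered identifier all rejected, which is the failure condition the text attaches to step S404. The zeroing of intermediate values is what S5024 asks for; in a real Booter this would be done on the stack or in a dedicated buffer rather than in Python objects.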
The soft SIM protection device provided in this embodiment of the invention may be used to execute the method embodiments above; its implementation principle and technical effects are similar and are not described again here.
Fig. 8 is a schematic hardware structure of a soft SIM protection device according to still another embodiment of the present invention. As shown in fig. 8, the soft SIM protection device 80 provided in this embodiment includes at least one processor 801 and a memory 802. The soft SIM protection device 80 further comprises a communication component 803. The processor 801, the memory 802 and the communication component 803 are connected via a bus 804.
In a specific implementation, the at least one processor 801 executes computer-executable instructions stored in the memory 802, so that the at least one processor 801 performs the soft SIM protection method performed by the soft SIM protection device 80 above.
If the soft SIM protection device 80 is a third-party device that exists independently of the terminal device and the server, the communication component 803 may be used to obtain the first information from the terminal device and to send the authentication request to the server side.
The specific implementation process of the processor 801 may refer to the above-mentioned method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein again.
In the embodiment shown in fig. 8, it should be understood that the processor may be a central processing unit (Central Processing Unit, CPU), or another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC) or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of a method disclosed in connection with the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in a processor.
The memory may comprise high speed RAM memory or may further comprise non-volatile storage NVM, such as at least one disk memory.
The bus may be an industry standard architecture (Industry Standard Architecture, ISA) bus, a peripheral component interconnect (Peripheral Component Interconnect, PCI) bus, an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus or the like. Buses may be divided into address buses, data buses, control buses and so on. For ease of illustration the bus is drawn as a single line in the drawings of the present application, which does not mean that there is only one bus or one type of bus.
The application also provides a computer readable storage medium, in which computer executable instructions are stored, which when executed by a processor, implement the soft SIM protection method performed by the soft SIM protection device above.
The computer readable storage medium described above may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk. A readable storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
An exemplary readable storage medium is coupled to the processor such that the processor can read information from, and write information to, the readable storage medium. Alternatively, the readable storage medium may be integral to the processor. The processor and the readable storage medium may reside in an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or may reside as discrete components in a device.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a computer readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (4)

1. A soft SIM protection method, comprising:
according to first information of terminal equipment and soft subscriber identity module (SIM) information, obtaining an authentication code through hash algorithm calculation, wherein the first information is information for uniquely characterizing the terminal equipment;
according to the identification of the terminal equipment and the authentication code, initiating authentication operation to a server side so as to establish a secure link with the server side after authentication is successful;
the first information comprises first sub-information, second sub-information and third sub-information; the obtaining the authentication code through hash algorithm calculation according to the first information and the soft SIM information of the terminal equipment comprises the following steps:
acquiring first sub-information and the soft SIM information, and calculating to acquire a first hash value through a hash algorithm according to the first sub-information and the soft SIM information;
acquiring second sub-information, and calculating to acquire a second hash value through a hash algorithm according to the second sub-information and the first hash value;
acquiring third sub-information, and calculating to acquire the authentication code through a hash algorithm according to the third sub-information and the second hash value;
wherein the first sub-information, the second sub-information and the third sub-information are any one of a root key, an activation program version information, an international mobile equipment identification code and an electronic serial number, and the first sub-information, the second sub-information and the third sub-information are different;
the first sub information or the second sub information or the third sub information includes a root key; before the authentication code is obtained through the hash algorithm calculation according to the first information and the soft SIM information of the terminal equipment, the method further comprises the following steps:
at the initial stage of starting the terminal equipment of the Internet of things, starting a bootstrap program,
in the running stage of the bootstrap program, accessing and obtaining the root key;
after the authentication code is obtained through the hash algorithm calculation according to the first information of the terminal equipment and the soft subscriber identity module (SIM) information, the method further comprises the following steps: the bootstrap program pulls up the activation program;
and initiating authentication operation to a server side according to the identification of the terminal equipment and the authentication code, wherein the authentication operation comprises the following steps:
and in the operation stage of the activation program, initiating authentication operation to a server side according to the identification of the terminal equipment and the authentication code.
2. A soft SIM protection device, comprising:
the processing module is used for obtaining an authentication code through hash algorithm calculation according to first information and soft SIM information of the terminal equipment, wherein the first information is information used for uniquely characterizing the terminal equipment;
the authentication module is used for initiating authentication operation to the server side according to the identification of the terminal equipment and the authentication code so as to establish a secure link with the server side after the authentication is successful;
the first information comprises first sub-information, second sub-information and third sub-information; the processing module is specifically configured to:
acquiring first sub-information and the soft SIM information, and calculating to acquire a first hash value through a hash algorithm according to the first sub-information and the soft SIM information;
acquiring second sub-information, and calculating to acquire a second hash value through a hash algorithm according to the second sub-information and the first hash value;
acquiring third sub-information, and calculating to acquire the authentication code through a hash algorithm according to the third sub-information and the second hash value;
wherein the first sub-information, the second sub-information and the third sub-information are any one of a root key, an activation program version information, an international mobile equipment identification code and an electronic serial number, and the first sub-information, the second sub-information and the third sub-information are different;
the first sub information or the second sub information or the third sub information includes a root key; the apparatus further comprises:
the acquisition module is used for starting a bootstrap program at the initial starting stage of the terminal equipment of the Internet of things before the authentication code is obtained according to the first information and the soft SIM information of the terminal equipment through the hash algorithm calculation; in the running stage of the bootstrap program, accessing and obtaining the root key;
the activation module is used for having the bootstrap program pull up the activation program after the authentication code is obtained through the hash algorithm calculation according to the first information of the terminal equipment and the soft SIM information;
the authentication module is specifically configured to:
and in the operation stage of the activation program, initiating authentication operation to a server side according to the identification of the terminal equipment and the authentication code.
3. A soft SIM protection device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing computer-executable instructions stored in the memory causes the at least one processor to perform the soft SIM protection method of claim 1.
4. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor implement the soft SIM protection method of claim 1.
CN201910227355.7A 2019-03-25 2019-03-25 Soft SIM protection method and equipment Active CN111741465B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910227355.7A CN111741465B (en) 2019-03-25 2019-03-25 Soft SIM protection method and equipment


Publications (2)

Publication Number Publication Date
CN111741465A CN111741465A (en) 2020-10-02
CN111741465B true CN111741465B (en) 2023-04-28

Family

ID=72645735

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910227355.7A Active CN111741465B (en) 2019-03-25 2019-03-25 Soft SIM protection method and equipment

Country Status (1)

Country Link
CN (1) CN111741465B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103813314A (en) * 2012-11-09 2014-05-21 Huawei Technologies Co., Ltd. Soft SIM card enabling method and network access method, terminal, and network access device
CN106162505A (en) * 2015-03-25 2016-11-23 China Mobile Communications Group Co., Ltd. Soft SIM communication method, device and terminal
CN107454035A (en) * 2016-05-30 2017-12-08 Yulong Computer Telecommunication Scientific (Shenzhen) Co., Ltd. Identity authentication method and device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7418595B2 (en) * 2004-01-02 2008-08-26 Nokia Siemens Networks Oy Replay prevention mechanism for EAP/SIM authentication
CN104661211B (en) * 2013-11-18 2018-07-06 Chengdu TD Tech Ltd. Method for automatically writing soft SIM information in a terminal, and terminal account-opening method
CN105873045B (en) * 2015-01-21 2019-05-28 China Mobile Communications Group Co., Ltd. Security protection method, device, system and terminal for soft SIM card
CN105357015B (en) * 2015-12-02 2018-11-30 North China Electric Power University (Baoding) Internet of Things security authentication method
CN105975846B (en) * 2016-04-29 2019-04-12 Yulong Computer Telecommunication Scientific (Shenzhen) Co., Ltd. Terminal authentication method and system
CN106790217A (en) * 2017-01-10 2017-05-31 Beijing Haoma Shenghuo Network Technology Co., Ltd. Authentication system for Internet of Things devices based on the SIM authentication mode
CN108737381B (en) * 2018-04-23 2021-11-16 Xiamen Shenghua Electronic Technology Co., Ltd. Extended authentication method for an Internet of Things system


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Yiqun Xu et al. A new secure SIM-card based RFID reader. 2010 International Conference on Anti-Counterfeiting, Security and Identification. 2010, full text. *
Feng Yun. Analysis and research on identity authentication in mobile payment. Information & Communications. 2012, full text. *

Also Published As

Publication number Publication date
CN111741465A (en) 2020-10-02


Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant