CN112637848A - Method, device and system for managing authentication application certificate - Google Patents
Method, device and system for managing authentication application certificate Download PDFInfo
- Publication number
- CN112637848A CN112637848A CN202011513469.7A CN202011513469A CN112637848A CN 112637848 A CN112637848 A CN 112637848A CN 202011513469 A CN202011513469 A CN 202011513469A CN 112637848 A CN112637848 A CN 112637848A
- Authority
- CN
- China
- Prior art keywords
- certificate
- application
- authentication
- server
- authentication application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The application discloses a method, a device and a system for managing an authentication application certificate, wherein the method for managing the authentication application certificate comprises the following steps: sending a certificate application request to an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application; receiving an authentication application certificate downloading request sent by the operator server; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application; and extracting the certificate of the authentication application from the authentication application certificate downloading request, and storing the certificate of the authentication application. According to the embodiment of the application, the eUICC actively initiates the certificate application request at any time after the card is issued to realize the downloading of the certificate of the authentication application, so that the flexibility of the certificate management of the authentication application is improved.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, an apparatus, and a system for managing and authenticating an application certificate.
Background
With fifth generation mobile communications (5G, the 5)th GenAction), series 5G application scenes put higher requirements on information security than the traditional internet, particularly in the field of industrial Internet of things, massive and diversified terminals under ubiquitous connection scenes are easy to attack and utilize, and threaten network operation security.
On the other hand, smart cards as the basic portal of mobile communication networks are also gradually developing from production components of mobile communication to important carriers of mobile communication services and service innovation, and becoming important platforms of mobile informatization. Based on the important position and security attribute of the smart card in the mobile communication network, the industry provides an identity authentication solution based on the smart card, the smart card is used as a security bearing module of the terminal to store authentication application and sensitive data such as certificates and keys, and the terminal carries out identity authentication through interaction of the authentication application and an authentication server.
The related security authentication solution based on the smart card is a private solution, generally needs to cooperate with a designated card manufacturer and an operator, presets a designated authentication application and sensitive data such as certificates and keys during card manufacturing, establishes a private closed security system, or performs data transmission through a private interface, and is only suitable for users within a specific range. Thus, these solutions have many limitations on business models, product categories, and audience users.
Disclosure of Invention
The application provides a method, a device and a system for managing an authentication application certificate, which can improve the flexibility of the management of the authentication application certificate.
A first aspect of the present application provides a method for managing authentication application certificates, which is applied to an embedded universal integrated circuit card eUICC, and includes:
sending a certificate application request to an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
receiving an authentication application certificate downloading request sent by the operator server; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
and extracting the certificate of the authentication application from the authentication application certificate downloading request, and storing the certificate of the authentication application.
In some exemplary embodiments, the method further comprises:
sending a certificate update request to the operator server; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
receiving a certificate update response sent by the operator server; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
and extracting the new certificate of the authentication application from the certificate updating response, and storing the new certificate of the authentication application.
A second aspect of the present application provides a method for managing an authentication application certificate, applied to an operator server, the method including:
receiving a certificate application request sent by an embedded universal integrated circuit card (eUICC); wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
forwarding the certificate application request to a secure route SM-SR of a signing relationship management platform;
receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
and sending the authentication application certificate downloading request to the eUICC.
In some exemplary embodiments, the method further comprises:
receiving a certificate updating request sent by the eUICC; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
forwarding the certificate update request to the SM-SR;
receiving a certificate update response sent by the SM-SR; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
sending the certificate update response to the eUICC.
A third aspect of the present application provides a method for managing an authentication application certificate, which is applied to a secure routing SM-SR of a subscription relationship management platform, and the method includes:
receiving a certificate application request sent by an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
the authentication server is routed according to the ID of the authentication server, and the certificate application request is sent to the authentication server;
receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
and forwarding the authentication application certificate downloading request to the operator server according to the address of the operator server corresponding to the eUICC identification and the address of the operator server.
In some exemplary embodiments, the method further comprises:
receiving a certificate updating request sent by the operator server; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
routing the authentication server according to the ID of the authentication server, and sending the certificate updating request to the authentication server;
receiving a certificate updating response sent by the authentication server; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
and acquiring the address of the corresponding operator server according to the eUICC identification, and forwarding the certificate updating response to the operator server according to the address of the operator server.
A fourth aspect of the present application provides a method for managing an authentication application certificate, which is applied to an authentication server, and includes:
receiving a certificate application request sent by a secure route SM-SR of a signing relationship management platform; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
generating a certificate of the authentication application using a private key of the authentication server;
sending an authentication application certificate downloading request to the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and the certificate of the authentication application.
In some exemplary embodiments, the method further comprises:
receiving a certificate updating request sent by the SM-SR; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
generating a new certificate for the authentication application using a private key of the authentication server;
sending a certificate update response to the SM-SR; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application.
A fifth aspect of the present application provides an embedded universal integrated circuit card eUICC, comprising:
the first sending module is used for sending a certificate application request to an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a first receiving module, configured to receive an authentication application certificate download request sent by the operator server; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
and the acquisition module is used for extracting the certificate of the authentication application from the authentication application certificate downloading request and storing the certificate of the authentication application.
A sixth aspect of the present application provides an operator server, comprising:
the second receiving module is used for receiving a certificate application request sent by an embedded universal integrated circuit card (eUICC); wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
the second sending module is used for forwarding the certificate application request to a secure route SM-SR of a signing relationship management platform;
the second receiving module is further configured to: receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
the second sending module is further configured to: and sending the authentication application certificate downloading request to the eUICC.
A seventh aspect of the present application provides a secure route SM-SR for a subscription relationship management platform, including:
the third receiving module is used for receiving a certificate application request sent by the operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a third sending module, configured to route the authentication server according to the ID of the authentication server, and send the certificate application request to the authentication server;
the third receiving module is further configured to: receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
the third sending module is further configured to: and forwarding the authentication application certificate downloading request to the operator server according to the address of the operator server corresponding to the eUICC identification and the address of the operator server.
An eighth aspect of the present application provides an authentication server, comprising:
the fourth receiving module is used for receiving a certificate application request sent by the secure route SM-SR of the signing relationship management platform; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a certificate generation module for generating a certificate of the authentication application using a private key of the authentication server;
a fourth sending module, configured to send an authentication application certificate download request to the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and the certificate of the authentication application.
A ninth aspect of the present application provides a system for managing authentication application certificates, comprising:
an embedded universal integrated circuit card (eUICC) for:
sending a certificate application request to an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
receiving an authentication application certificate downloading request sent by the operator server; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
extracting the certificate of the authentication application from the authentication application certificate downloading request, and storing the certificate of the authentication application;
an operator server to:
receiving a certificate application request sent by an eUICC;
forwarding the certificate application request to a secure route SM-SR of a signing relationship management platform;
receiving an authentication application certificate downloading request sent by the SM-SR;
sending the authentication application certificate download request to the eUICC;
SM-SR for:
receiving a certificate application request sent by an operator server;
the authentication server is routed according to the ID of the authentication server, and the certificate application request is sent to the authentication server;
receiving an authentication application certificate downloading request sent by the SM-SR;
forwarding the authentication application certificate downloading request to an operator server according to the address of the operator server corresponding to the eUICC identification and the address of the operator server;
an authentication server to:
receiving a certificate application request sent by a secure route SM-SR of a signing relationship management platform;
generating a certificate of the authentication application using a private key of the authentication server;
and sending an authentication application certificate downloading request to the SM-SR.
This application has following advantage:
according to the embodiment of the application, the eUICC initiatively initiates the certificate application request at any time after the card is issued to realize the management of the certificate of the authentication application, and the sensitive data of the authentication application does not need to be written in during card manufacturing, so that the flexibility of the management of the certificate of the authentication application is improved, for example, a flexible business mode is supported.
In some exemplary embodiments, the authentication application certificate is remotely managed through a secure channel between the eUICC and the operator server, that is, with the security system of the eUICC, there is no need to additionally configure a set of private security system for identity authentication, which improves the security of the management of the authentication application certificate.
In some exemplary embodiments, the security level is further enhanced by two-way verification, e.g., encrypting the public key of the authentication application by the eUICC, legality verifying the certificate application request by the operator server, signature verifying the first signer of the certificate application request by the SM-SR, legality verifying the authentication application certificate download request by the operator server, etc. Is beneficial to building a safe and open mobile identity authentication ecological environment.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application and not to limit the application.
Fig. 1 is a flowchart of a method for managing an authentication application certificate applied to an embedded Universal Integrated Circuit Card (eUICC), according to an embodiment of the present application;
fig. 2 is a flowchart of a method for managing an authentication application certificate applied to an operator server according to another embodiment of the present application;
fig. 3 is a flowchart of a method for managing an authentication application certificate applied to a Subscription relationship management platform secure Routing (SM-SR) according to another embodiment of the present application;
fig. 4 is a flowchart of a method for managing certificate of an authentication application applied to an authentication server according to another embodiment of the present application;
fig. 5 is an interaction diagram of a method for managing certificate of an authenticated application provided in example 1 of the present application;
fig. 6 is an interaction diagram of a method for managing certificate of an authenticated application provided in example 2 of the present application;
fig. 7 is a schematic structural component diagram of an eUICC according to another embodiment of the present application;
fig. 8 is a schematic structural component diagram of an operator server according to another embodiment of the present application;
fig. 9 is a schematic structural composition diagram of an SM-SR according to another embodiment of the present application;
fig. 10 is a schematic structural component diagram of an authentication server according to another embodiment of the present application;
fig. 11 is a schematic structural component diagram of a method for managing certificate of authenticated application according to another embodiment of the present application.
Detailed Description
The following detailed description of embodiments of the present application will be made with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present application, are given by way of illustration and explanation only, and are not intended to limit the present application.
As used in this disclosure, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
When the term "comprises/comprising" and/or "made of.. is used in this disclosure, the presence of the stated features, integers, steps, operations, elements, and/or components are specified, but does not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Embodiments of the present disclosure may be described with reference to plan and/or cross-sectional views in light of idealized schematic illustrations of the present disclosure. Accordingly, the example illustrations can be modified in accordance with manufacturing techniques and/or tolerances.
Unless otherwise defined, all terms (including technical and scientific terms) used in this disclosure have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
On the basis of an eUICC security system, the embodiment of the application adds a service server, an authentication server, an interface between the service server and the authentication server, and an interface between the authentication server and an SM-SR to realize the management of the authentication application certificate.
In the present application, a Certificate cert.auserver of an authentication server is issued by a Certificate Issuer (CI) or an SM-SR, and a CI root Certificate is preset in the authentication server.
Fig. 1 is a flowchart of a method for managing authentication application credentials applied to an eUICC according to an embodiment of the present application.
As shown in fig. 1, an embodiment of the present application provides a method for managing an authentication application certificate, which is applied to an eUICC, and includes:
In some exemplary embodiments, the certificate application request may be sent to the operator server at any time after the eUICC issues the card.
In some exemplary embodiments, to improve security, the certificate application request may be sent to the Operator server through a Secure channel of a security Domain (MNO-SD) of the Mobile Network Operator. That is to say, the security system based on the eUICC realizes the management of the certificate of the authentication application, and improves the security.
In this application, the management of the authentication application certificate includes at least one of: downloading of the authentication application certificate and updating of the authentication application certificate.
In some exemplary embodiments, before sending the certificate application request to the operator server, the method further comprises:
generating a public key of the authentication application; encrypting the public key of the authentication application by adopting the public key of the authentication server;
correspondingly, the certificate application request further comprises: the encrypted public key of the application is authenticated.
In some exemplary embodiments, the method further comprises: a private key is generated that authenticates the application.
In some exemplary embodiments, the method further comprises: a Random Challenge (RC) is generated.
In some exemplary embodiments, the certificate application request further comprises at least one of: RC, Integrated Circuit Card Identification (ICCID).
In some exemplary embodiments, before sending the certificate application request to the operator server, the method further comprises: signing the public key of the RC and the encrypted authentication application to obtain a first signature body;
correspondingly, the certificate application request further comprises: a first signature body.
In some exemplary embodiments, the certificate application request further comprises at least one of: RC, ICCID, first signatory.
In some exemplary embodiments, authenticating the application certificate download request further comprises at least one of: RC, a second signature body; and the second signature body is obtained by signing the RC and the certificate of the authentication application.
In some exemplary embodiments, the method further comprises:
verifying the second signature body by using the public key of the authentication server, and comparing the generated RC with the RC in the authentication application certificate downloading request;
and under the condition that the second signature body passes verification and the generated RC is the same as the RC in the authentication application certificate downloading request, extracting the certificate of the authentication application from the authentication application certificate downloading request and storing the certificate of the authentication application.
According to the embodiment of the application, the security of the management process of the authentication application certificate is improved through the verification of the second signature body and the comparison of the generated RC and the RC in the authentication application certificate downloading request.
In some exemplary embodiments, the method further comprises:
sending a certificate update request to the operator server; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
receiving a certificate update response sent by the operator server; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
and extracting the new certificate of the authentication application from the certificate updating response, and storing the new certificate of the authentication application.
In some exemplary embodiments, before sending the certificate update request to the operator server, the method further comprises:
generating a new public key for the authentication application; encrypting the new public key of the authentication application by adopting the public key of the authentication server;
accordingly, the certificate update request further comprises: an encrypted new public key of the authentication application;
accordingly, the certificate update response further includes: the new public key of the authentication application.
In some exemplary embodiments, the method further comprises: a new private key is generated that authenticates the application.
In some exemplary embodiments, the method further comprises: generating a new RC;
accordingly, the certificate update request further comprises: a new RC.
In some exemplary embodiments, the certificate update request further comprises: and (4) ICCID.
In some exemplary embodiments, before sending the certificate update request to the operator server, the method further comprises:
signing the new RC and the encrypted new public key of the authentication application by adopting a private key of the authentication application to obtain a third signature body;
accordingly, the certificate update request further comprises: and a third signature body.
In some exemplary embodiments, the certificate update request further comprises: a fourth signature body; the fourth signature body is obtained by signing the new RC and the new certificate of the authentication application; correspondingly, the method further comprises the following steps:
verifying the fourth signature body by using the public key of the authentication server, and comparing the generated new RC with the new RC in the certificate updating response;
and under the condition that the fourth signature body is verified, and the generated new RC is the same as the new RC in the certificate updating response, extracting the new certificate of the authentication application from the certificate updating response, and saving the new certificate of the authentication application.
According to the embodiment of the application, the safety of the certificate management process of the authentication application is improved through the verification of the fourth signature body and the comparison of the generated new RC and the new RC in the certificate updating response.
Fig. 2 is a flowchart of a method for managing an authentication application certificate applied to an operator server according to another embodiment of the present application.
As shown in fig. 2, another embodiment of the present application provides a method for managing an authentication application certificate, applied to an operator server, the method including:
In some exemplary embodiments, the certificate application request further comprises at least one of: an integrated circuit card identification code ICCID, a random challenge RC, a first signature body and an encrypted public key of an authentication application; the first signature body is obtained by signing the RC and the encrypted public key of the authentication application.
In some exemplary embodiments, the method further comprises:
and carrying out validity verification on the certificate application request, and forwarding the certificate application request to a secure route SM-SR of a contract relation management platform under the condition that the validity verification is passed.
According to the embodiment of the application, the safety of the management process of the certificate of the authentication application is improved through the validity verification of the certificate application request.
In some exemplary embodiments, authenticating the application certificate download request further comprises at least one of: RC, a second signature body; and the second signature body is obtained by signing the RC and the certificate of the authentication application.
In some exemplary embodiments, the method further comprises:
and carrying out validity verification on the authentication application certificate downloading request, and sending the authentication application certificate downloading request to the eUICC under the condition that the validity verification is passed.
According to the method and the device, the safety in the certificate management process of the authentication application is improved through the validity verification of the certificate downloading request of the authentication application.
In some exemplary embodiments, the method further comprises:
receiving a certificate updating request sent by the eUICC; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification, the ICCID and the AID of the authentication application;
forwarding the certificate update request to the SM-SR;
receiving a certificate update response sent by the SM-SR; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
sending the certificate update response to the eUICC.
In some exemplary embodiments, the certificate update request further comprises at least one of: ICCID, new RC, third signatory, encrypted new public key of the authentication application; and the third signature body is obtained by signing the new RC and the encrypted new public key of the authentication application.
In some exemplary embodiments, the method further comprises:
and carrying out validity verification on the certificate updating request, and forwarding the certificate updating request to the SM-SR under the condition that the validity verification is passed.
According to the method and the device, the safety of the certificate management process of the authentication application is improved through the validity verification of the certificate updating request.
In some exemplary embodiments, the certificate update response further comprises at least one of: a new RC, a fourth signatory, a new public key for the authentication application; and the fourth signing body is obtained by signing the new RC and the new certificate of the authentication application.
In some exemplary embodiments, the method further comprises:
and carrying out validity verification on the certificate updating response, and sending the certificate updating response to the eUICC under the condition that the validity verification is passed.
The embodiment of the application improves the safety of the certificate management process of the authentication application through the validity verification of the certificate updating response.
Fig. 3 is a flowchart of a method for managing an authentication application certificate applied to an SM-SR according to another embodiment of the present application.
As shown in fig. 3, another embodiment of the present application provides a method for managing an authentication application certificate, which is applied to a secure route SM-SR of a subscription relationship management platform, and the method includes:
In some exemplary embodiments, the certificate application request further comprises at least one of: ICCID, RC, first signatory, encrypted public key of the authentication application; the first signature body is obtained by signing the RC and the encrypted public key of the authentication application.
In some exemplary embodiments, the method further comprises:
and performing signature verification on a first signature body of the certificate application request, routing the authentication server according to the ID of the authentication server under the condition that the signature verification is passed, and sending the certificate application request to the authentication server.
According to the embodiment of the application, the security of the certificate management process of the authentication application is improved through signature verification of the first signature body.
In some exemplary embodiments, authenticating the application certificate download request further comprises: and (3) RC.
In some exemplary embodiments, authenticating the application certificate download request further comprises: a second signatory body; and the second signature body is obtained by signing the RC and the certificate of the authentication application.
And 303, acquiring the address of the corresponding operator server according to the eUICC identification, and forwarding the authentication application certificate downloading request to the operator server according to the address of the operator server.
In some exemplary embodiments, obtaining the address of the corresponding operator server according to the eUICC identification includes:
inquiring information for activating the profile in the eUICC according to the eUICC identification; wherein the information for activating the profile includes: the corresponding mobile network operator identity MNO-ID information; and acquiring the address of the corresponding operator server according to the MNO-ID information.
In some exemplary embodiments, activating the profile update further comprises: MSISDN, ICCID.
In some exemplary embodiments, the method further comprises:
receiving a certificate updating request sent by the operator server; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
routing the authentication server according to the ID of the authentication server, and sending the certificate updating request to the authentication server;
receiving a certificate updating response sent by the authentication server; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
and acquiring the address of the corresponding operator server according to the eUICC identification, and forwarding the certificate updating response to the operator server according to the address of the operator server.
In some exemplary embodiments, the certificate update request further comprises at least one of: ICCID, new RC, the third signatory, and a new public key of the authentication application; and the third signature body is obtained by signing the new RC and the encrypted new public key of the authentication application.
In some exemplary embodiments, the method further comprises:
and carrying out validity verification on the certificate updating request, routing the authentication server according to the ID of the authentication server under the condition that the validity verification is passed, and sending the certificate updating request to the authentication server.
According to the embodiment of the application, the safety of the management process of the certificate of the authentication application is improved through the validity verification of the certificate updating request.
In some exemplary embodiments, the certificate update response further comprises at least one of: a new RC, fourth signatory; and the fourth signing body is obtained by signing the new RC and the new certificate of the authentication application.
Fig. 4 is a flowchart of a method for managing an authentication application certificate applied to an authentication server according to another embodiment of the present application.
As shown in fig. 4, another embodiment of the present application provides a method for managing an authentication application certificate, which is applied to an authentication server, and the method includes:
In some exemplary embodiments, the certificate application request further comprises at least one of: ICCID, RC, first signatory, encrypted public key of the authentication application; the first signature body is obtained by signing the RC and the encrypted public key of the authentication application.
In some exemplary embodiments, after receiving the certificate application request sent by the SM-SR, the method further includes:
and decrypting the encrypted public key of the authentication application to obtain the public key of the authentication application, and storing the public key of the authentication application.
In some exemplary embodiments, after generating the certificate of the authentication application using the private key of the authentication server, the method further comprises:
and signing the RC and the certificate of the authentication application to obtain a second signature body.
In some exemplary embodiments, authenticating the application certificate download request further comprises at least one of: RC, second signature body.
In some exemplary embodiments, the method further comprises:
receiving a certificate updating request sent by the SM-SR; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
generating a new certificate for the authentication application using a private key of the authentication server;
sending a certificate update response to the SM-SR; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application.
In some exemplary embodiments, the certificate update request further comprises at least one of: ICCID, new RC, the third signatory, encrypted new public key of the authentication application; and the third signature body is obtained by signing the new RC and the encrypted new public key of the authentication application.
In some exemplary embodiments, the method further comprises:
and performing signature verification on the third signature body by using the public key of the authentication application, and continuously performing the step of decrypting the encrypted new public key of the authentication application under the condition that the signature verification is passed.
In some exemplary embodiments, after receiving the certificate update request sent by the SM-SR, the method further includes:
and decrypting the encrypted new public key of the authentication application to obtain the new public key of the authentication application, and storing the new public key of the authentication application.
In some exemplary embodiments, after generating a new certificate for the authentication application using the private key of the authentication server, the method further comprises:
signing the new RC and the new certificate of the authentication application to obtain a fourth signature body; accordingly, the certificate update response further includes: and a fourth signature body.
In some exemplary embodiments, the certificate update response further comprises: a new RC.
The following describes in detail a specific implementation procedure of the method for managing an authentication application certificate according to an embodiment of the present application by way of example, and the example is only for convenience of description and cannot be used to limit the scope of protection of the method for managing an authentication application certificate according to an embodiment of the present application.
The process of applying for security and downloading the certificate of the authentication application through the ES6 interface between the operator server and the eUICC is as follows, in the present application, the secure channel is described by taking SMS transport protocol as an example, but the description also supports other transport protocols required by the interface.
Example 1
Initial conditions:
1) the process can be combined with a downloading and installing process of an authentication application (such as an applet), and before the process is started, the authentication application is obtained by presetting or downloading and installing in the MNO-SD of the profile currently activated by the eUICC.
2) Before the process begins, the authentication application obtains a public key PK.AuServer of the authentication server through presetting or configuration.
As shown in fig. 5, the method flow for downloading the certificate of the authenticated application includes:
(1) and the authentication application generates an authentication application public and private key pair: the method comprises the steps of generating an RC (remote control) (RC 1) by using a public key PK1.AuApplet of authentication application and a private key SK1.AuApplet of authentication application, encrypting the public key PK1.AuApplet of the authentication application by using a public key PK. AuServer of an authentication server, and sending the RC1 and the encrypted public key PK1.AuApplet of the authentication application to an MNO-SD (public network-secure digital).
(2) The MNO-SD sends a signature application request to the ISD-P; wherein, the signature application request comprises: RC1, authenticates the encrypted public key of the application, pk1. auapplet.
(3) The ISD-P forwards a signature application request to an eUICC control Security Domain (ECASD); wherein, the signature application request comprises: RC1, authenticates the encrypted public key of the application, pk1. auapplet.
(4) The ECASD signs the RC1 and the encrypted public key PK1.AuApplet of the authentication application by adopting a private key SK. ECASD. ECKA of the eUICC to obtain a first signature body.
(5) ECASD returns the first signatory to ISD-P.
(6) The ISD-P returns the first signature body to the MNO-SD, and the MNO-SD returns the first signature body to the authentication application.
(7) The authentication application sends a certificate application request to the operator server through a secure channel of the MNO-SD, the MNO-SD sends a terminal-initiated Short Message (MT-SMS) encrypted by using a SCP80 protocol to the operator server, and the MT-SMS comprises the following steps: a certificate application request, the certificate application request comprising: the signature authentication method comprises the steps of ID (namely AuServer-ID) of an authentication server, eUICC identification, ICCID, AID (namely AuApplet-AID) of an authentication application, RC1, encrypted public key PK1.AuApplet of the authentication application and a first signature body.
(8) The operator server carries out validity verification on the certificate application request, and the specific verification mode is not specified in the invention, and the certificate can be verified through the certificate of the authentication application or further carries out other business agreements. And under the condition that the verification is not passed, the operator server informs the result to the eUICC, and the process is ended.
(9) Under the condition that the verification is passed, the operator server forwards a certificate application request to the SM-SR; wherein the certificate application request comprises: the signature authentication method comprises the steps of ID (namely AuServer-ID) of an authentication server, eUICC identification, ICCID, AID (namely AuApplet-AID) of an authentication application, RC1, encrypted public key PK1.AuApplet of the authentication application and a first signature body.
(10) And the SM-SR performs signature verification on the first signature body of the certificate application request. Performing (11) if the signature verification passes; in the case of a failure of signature verification, the flow ends.
(11) The SM-SR routes the authentication server according to the ID (AuServer-ID) of the authentication server and sends the certificate application request to the authentication server; wherein the certificate application request comprises: the signature authentication method comprises the steps of ID (namely AuServer-ID) of an authentication server, eUICC identification, ICCID, AID (namely AuApplet-AID) of an authentication application, RC1, encrypted public key PK1.AuApplet of the authentication application and a first signature body.
(12) The authentication server decrypts the encrypted public key PK1.AuApplet of the authentication application to obtain the public key PK1.AuApplet of the authentication application, stores the public key PK1.AuApplet of the authentication application, generates a certificate CERT1.AuApplet of the authentication application by using a private key SK. AuServer of the authentication server, and signs the RC1 and the certificate CERT1.AuApplet of the authentication application to obtain a second signature body.
(13) The authentication server submits an authentication application certificate downloading request to the SM-SR; wherein authenticating the application certificate download request comprises: ID of authentication server (i.e. AuServer-ID), eUICC identification, AID of authentication application (i.e. AuApplet-AID), RC1, certificate cert1.AuApplet of authentication application, second signature body.
(14) The SM-SR inquires information for activating the profile in the eUICC according to the eUICC identification; wherein, the information for activating the profile includes: mobile station International subscriber identity (MSISDN), ICCID, and corresponding Mobile Network operator identification (MNO-ID) information.
(15) The SM-SR acquires the address of the corresponding operator server according to the MNO-ID information, and forwards the authentication application certificate downloading request to the operator server according to the address of the operator server; wherein authenticating the application certificate download request comprises: ID of authentication server (i.e. AuServer-ID), eUICC identification, AID of authentication application (i.e. AuApplet-AID), RC1, certificate cert1.AuApplet of authentication application, second signature body.
(16) And the operator server carries out validity verification on the authentication application certificate downloading request. The invention does not make provisions for specific verification modes, and can verify the profile information or further carry out other business agreements. And under the condition that the verification is not passed, the operator server informs the result to the SM-SR, and the process is ended.
(17) Under the condition that the validity verification is passed, the operator server sends a terminal receiving Short Message (MO-SMS) encrypted by using a Secure Copy Protocol (SCP) 80 Protocol to the MNO-SD; MO-SMS includes: authenticating the application certificate download request, the authenticating the application certificate download request comprising: ID of authentication server (i.e. AuServer-ID), eUICC identification, AID of authentication application (i.e. AuApplet-AID), RC1, certificate cert1.AuApplet of authentication application, second signature body.
(18) And the MNO-SD sends a certificate downloading request of the authentication application to the authentication application, the authentication application verifies the second signature body by using the public key PK.AuServer of the authentication server, and the generated RC1 is compared with the RC1 in the certificate downloading request of the authentication application. And under the condition that the second signer passes verification and the generated RC1 is the same as the RC1 in the certificate downloading request of the authentication application, extracting the certificate CERT1.AuApplet of the authentication application from the certificate downloading request of the authentication application, and saving the certificate CERT1.AuApplet of the authentication application.
(19) The authentication application returns a third result notice for indicating that the authentication application certificate is downloaded successfully to the MNO-SD; wherein the third result notification comprises: eUICC identification, ICCID, AID of the authentication application.
(20) The MNO-SD returns a third result notice for indicating that the authentication application certificate is downloaded successfully to the operator server; wherein the third result notification comprises: eUICC identification, ICCID, AID of the authentication application.
(21) And the operator server updates the profile according to the information in the third result notice.
(22) The operator server returns a third result notice for indicating that the authentication application certificate is downloaded successfully to the SM-SR; wherein the third result notification comprises: eUICC identification, ICCID, AID of the authentication application.
(23) And the SM-SR updates the EIS of the eUICC according to the information in the third result notice.
(24) The SM-SR returns a second result notice for indicating the downloading of the authentication application certificate to the authentication server; wherein the second result notification comprises: eUICC identification, and AID of the authentication application.
(25) The authentication server returns a first result notice for indicating that the authentication application certificate is successfully downloaded to the service server; wherein the first result notification comprises: and identifying the eUICC.
In order to save space in the drawing, the above (19) - (25) are not shown in the drawing.
The process can support the first downloading of the authentication application certificate after the card is issued, and can also be suitable for updating the certificate according to the service requirement or the certificate updating command of the authentication server under the condition that the authentication application certificate is configured in the eUICC. In summary, the present invention can safely download the authentication application certificate required by the authentication service in real time according to the service requirement after issuing the card, and can support a flexible business model.
The procedure for securely updating the certificate of the authentication application through the ES6 interface between the operator server and the eUICC in the embodiment of the present application is as follows, and the secure channel in the embodiment of the present application takes the SMS transport protocol as an example for description, but this description also supports other transport protocols required by the interface.
Example 2
Initial conditions:
1) before the process begins, the authentication application, the private key SK. AuApplet of the authentication application and the certificate CERT1.AuApplet of the authentication application are obtained by presetting or downloading and installing in the MNO-SD of the profile currently activated by the eUICC.
2) Before the process begins, the authentication application obtains a public key PK.AuServer of the authentication server through presetting or configuration.
As shown in fig. 6, the method flow for updating the certificate of the authentication application includes:
(1) the authentication application generates a new public key PK2.AuApplet of the authentication application according to the self certificate updating requirement or receives a certificate updating command of the authentication server, a new private key SK2.AuApplet of the authentication application generates a new RC (namely RC2), the public key PK. AuServer of the authentication server is adopted to encrypt the new public key PK2.AuApplet of the authentication application, and the original private key SK1.AuApplet of the authentication application is adopted to sign the RC2 and the encrypted new public key PK2.AuApplet of the authentication application to obtain a third signature body.
(2) The authentication application sends a certificate update request to the operator server through a secure channel of the MNO-SD, namely the authentication application sends the certificate update request to the MNO-SD, and the MNO-SD sends the operator server an MT-SMS encrypted using the SCP80 protocol, the MT-SMS comprising: a credential update request, the credential update request comprising: the ID of the authentication server (i.e., AuServer-ID), eUICC identification, ICCID, AID of the authentication application (i.e., AuApplet-AID), RC2, encrypted new public key of the authentication application pk2.AuApplet, and a third signature body.
(3) And the operator server carries out validity verification on the certificate updating request, wherein the specific verification mode is not specified in the application, and the verification can be carried out through the eUICC safety system or other business agreements. And under the condition that the validity verification is not passed, the operator server informs the eUICC of a result for indicating that the verification is not passed, and the process is ended.
(4) Under the condition that the validity verification is passed, the operator server forwards a certificate updating request to the SM-SR; wherein the certificate update request comprises: the ID of the authentication server (i.e., AuServer-ID), eUICC identification, ICCID, AID of the authentication application (i.e., AuApplet-AID), RC2, encrypted new public key of the authentication application pk2.AuApplet, and a third signature body.
(5) And the SM-SR carries out validity verification on the certificate updating request, wherein the specific verification mode is not specified in the application, and the verification can be carried out through the eUICC security system or further carrying out other business agreements. And in the case that the validity verification fails, notifying the eUICC of a result for indicating that the verification fails, and ending the flow.
(6) When the validity verification is passed, the SM-SR routes the authentication server according to the ID (AuServer-ID) of the authentication server and sends the certificate updating request to the authentication server; wherein the certificate update request comprises: the signature authentication method comprises the steps of ID (namely AuServer-ID) of an authentication server, eUICC identification, ICCID, AID (namely AuApplet-AID) of an authentication application, RC2, a public key PK2.AuApplet of a new encrypted authentication application and a third signature body.
(7) The authentication server adopts an original public key PK1.AuApplet of the authentication application to carry out signature verification on the third signature body, decrypts the encrypted new public key PK2.AuApplet of the authentication application under the condition that the signature verification is passed, obtains the new public key PK2.AuApplet of the authentication application, stores the new public key PK2.AuApplet of the authentication application, adopts a private key SK. AuServer of the authentication server to generate a new certificate CERT2.AuApplet of the authentication application, and signs the RC2 and the new certificate CERT2.AuApplet of the authentication application to obtain a fourth signature body.
(8) The authentication server submits a certificate updating response to the SM-SR; wherein the certificate update response comprises: the ID of the authentication server (i.e., AuServer-ID), the eUICC identification, the AID of the authentication application (i.e., AuApplet-AID), RC2, the new public key pk2.AuApplet of the authentication application, the fourth signature body, and the new certificate cert2.AuApplet of the authentication application.
(9) The SM-SR inquires information for activating the profile in the eUICC according to the EID; wherein, the information for activating the profile includes: MSISDN, ICCID and corresponding MNO-ID information.
(10) The SM-SR acquires the address of the corresponding operator server according to the MNO-ID information, and forwards the certificate updating response to the operator server according to the address of the operator server; wherein the certificate update response comprises: the ID of the authentication server (i.e., AuServer-ID), the eUICC identification, the AID of the authentication application (i.e., AuApplet-AID), RC2, the new public key pk2.AuApplet of the authentication application, the fourth signature body, and the new certificate cert2.AuApplet of the authentication application.
(11) And the operator server carries out validity verification on the certificate updating response. The specific verification method is not specified in the present application, and the profile information may be confirmed or other business agreements may be further performed. In the case where the validity verification fails, the operator server notifies the SM-SR of a result indicating that the verification fails, and the flow ends.
(12) In case of passing the validity verification, the operator server sends to the MNO-SD a MO-SMS message encrypted using the SCP80 protocol, the MO-SMS message comprising: a credential update response comprising: the ID of the authentication server (i.e., AuServer-ID), the eUICC identifier, the AID of the authentication application (AuApplet-AID), RC2, the new public key pk2.AuApplet of the authentication application, the fourth signature body, and the new certificate cert2.AuApplet of the authentication application.
(13) And the MNO-SD sends a certificate update response to the authentication application, and the authentication application verifies the fourth signature body by using the public key PK.AuServer of the authentication server and compares the generated RC2 with the RC2 in the certificate update response. In the case that the verification is passed and the generated RC2 is the same as the RC2 in the certificate update response, the new certificate cert2.auapplet of the authentication application is extracted from the certificate update response, and the new certificate cert2.auapplet of the authentication application is saved.
(14) The authentication application returns a third result notice for indicating that the authentication application certificate is downloaded successfully to the MNO-SD; wherein the third result notification comprises: eUICC identification, ICCID, AID of the authentication application.
(15) The MNO-SD returns a third result notice for indicating that the authentication application certificate is downloaded successfully to the operator server; wherein the third result notification comprises: eUICC identification, ICCID, AID of the authentication application.
(16) And the operator server updates the profile according to the information in the third result notice.
(17) The operator server returns a third result notice for indicating that the authentication application certificate is downloaded successfully to the SM-SR; wherein the third result notification comprises: eUICC identification, ICCID, AID of the authentication application.
(18) And the SM-SR updates the EIS of the eUICC according to the information in the third result notice.
(19) The SM-SR returns a second result notice for indicating the downloading of the authentication application certificate to the authentication server; wherein the second result notification comprises: eUICC identification, and AID of the authentication application.
(20) The authentication server returns a first result notice for indicating that the authentication application certificate is successfully downloaded to the service server; wherein the first result notification comprises: and identifying the eUICC.
In order to save space in the drawings, the above (14) to (20) are not shown in the drawings.
The steps of the above methods are divided for clarity, and the implementation may be combined into one step or split some steps, and the steps are divided into multiple steps, so long as the same logical relationship is included, which are all within the protection scope of the present patent; it is within the scope of the patent to add insignificant modifications to the algorithms or processes or to introduce insignificant design changes to the core design without changing the algorithms or processes.
Fig. 7 is a schematic structural component diagram of an eUICC according to another embodiment of the present application.
As shown in fig. 7, another embodiment of the present application provides an embedded eUICC, which includes:
a first sending module 701, configured to send a certificate application request to an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a first receiving module 702, configured to receive an authentication application certificate download request sent by the operator server; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
an obtaining module 703 is configured to extract the certificate of the authentication application from the authentication application certificate downloading request, and store the certificate of the authentication application.
The specific implementation process of the eUICC in the embodiment of the present application is the same as the specific implementation process of the method for managing authentication application certificates applied to the eUICC in the foregoing embodiment, and details are not described here again.
Fig. 8 is a schematic structural diagram of an operator server according to another embodiment of the present application.
As shown in fig. 8, another embodiment of the present application provides an operator server, including:
a second receiving module 801, configured to receive a certificate application request sent by an embedded universal integrated circuit card eUICC; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a second sending module 802, configured to forward the certificate application request to a secure route SM-SR of a subscription relationship management platform;
the second receiving module 801 is further configured to: receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
the second sending module 802 is further configured to: and sending the authentication application certificate downloading request to the eUICC.
The specific implementation process of the operator server in the embodiment of the present application is the same as the specific implementation process of the method for managing and authenticating an application certificate applied to the operator server in the foregoing embodiment, and details are not repeated here.
Fig. 9 is a schematic structural diagram of an SM-SR according to another embodiment of the present application.
As shown in fig. 9, another embodiment of the present application provides a secure routing SM-SR for a subscription relationship management platform, including:
a third receiving module 901, configured to receive a certificate application request sent by an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a third sending module 902, configured to route the authentication server according to the ID of the authentication server, and send the certificate application request to the authentication server;
the third receiving module 901 is further configured to: receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
the third sending module 902 is further configured to: and forwarding the authentication application certificate downloading request to the operator server according to the address of the operator server corresponding to the eUICC identification and the address of the operator server.
The specific implementation process of the SM-SR in the embodiment of the present application is the same as the specific implementation process of the method for managing the authentication application certificate applied to the SM-SR in the foregoing embodiment, and details are not described here.
Fig. 10 is a schematic structural diagram of an authentication server according to another embodiment of the present application.
As shown in fig. 10, another embodiment of the present application provides an authentication server, including:
a fourth receiving module 1001, configured to receive a certificate application request sent by a secure route SM-SR of a subscription relationship management platform; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a certificate generation module 1002, configured to generate a certificate of the authentication application using a private key of the authentication server;
a fourth sending module 1003, configured to send an authentication application certificate download request to the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and the certificate of the authentication application.
The specific implementation process of the authentication server in the embodiment of the present application is the same as the specific implementation process of the method for managing the authentication application certificate applied to the authentication server in the foregoing embodiment, and is not described herein again.
Fig. 11 is a schematic structural component diagram of a method for managing certificate of authenticated application according to another embodiment of the present application.
As shown in fig. 11, another embodiment of the present application provides a system for managing certificate of an authentication application, including:
an embedded universal integrated circuit card eUICC 1101 to:
sending a certificate application request to an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
receiving an authentication application certificate downloading request sent by the operator server; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
extracting the certificate of the authentication application from the authentication application certificate downloading request, and storing the certificate of the authentication application;
an operator server 1102 configured to:
receiving a certificate application request sent by an eUICC;
forwarding the certificate application request to a secure route SM-SR of a signing relationship management platform;
receiving an authentication application certificate downloading request sent by the SM-SR;
sending the authentication application certificate download request to the eUICC;
SM-SR 1103, for:
receiving a certificate application request sent by an operator server;
the authentication server is routed according to the ID of the authentication server, and the certificate application request is sent to the authentication server;
receiving an authentication application certificate downloading request sent by the SM-SR;
forwarding the authentication application certificate downloading request to an operator server according to the address of the operator server corresponding to the eUICC identification and the address of the operator server;
an authentication server 1104 for:
receiving a certificate application request sent by a secure route SM-SR of a signing relationship management platform;
generating a certificate of the authentication application using a private key of the authentication server;
and sending an authentication application certificate downloading request to the SM-SR.
Each module in the present embodiment is a logical module, and in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, or may be implemented by a combination of a plurality of physical units. In addition, in order to highlight the innovative part of the present application, a unit that is not so closely related to solving the technical problem proposed by the present application is not introduced in the present embodiment, but it does not indicate that no other unit exists in the present embodiment.
The present embodiments also provide an electronic device, comprising one or more processors; the storage device stores one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors implement the method for managing the authentication application certificate provided in this embodiment, so that detailed steps of the method for managing the authentication application certificate are not described herein again to avoid repeated descriptions.
The present embodiment further provides a computer readable medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for managing an authentication application certificate provided in this embodiment, and in order to avoid repeated descriptions, specific steps of the method for managing an authentication application certificate are not described herein again.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. The term "comprising" is used to specify the presence of stated features, integers, steps, operations, elements, components, operations.
Those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments instead of others, combinations of features of different embodiments are meant to be within the scope of the embodiments and form different embodiments.
It is to be understood that the above embodiments are merely exemplary embodiments that are employed to illustrate the principles of the present application, and that the present application is not limited thereto. It will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the application, and these changes and modifications are to be considered as the scope of the application.
Claims (13)
1.A method for managing and authenticating application certificate is applied to an embedded universal integrated circuit card (eUICC), and comprises the following steps:
sending a certificate application request to an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
receiving an authentication application certificate downloading request sent by the operator server; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
and extracting the certificate of the authentication application from the authentication application certificate downloading request, and storing the certificate of the authentication application.
2. The method of claim 1, further comprising:
sending a certificate update request to the operator server; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
receiving a certificate update response sent by the operator server; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
and extracting the new certificate of the authentication application from the certificate updating response, and storing the new certificate of the authentication application.
3. A method of managing authentication application certificates, applied to an operator server, the method comprising:
receiving a certificate application request sent by an embedded universal integrated circuit card (eUICC); wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
forwarding the certificate application request to a secure route SM-SR of a signing relationship management platform;
receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
and sending the authentication application certificate downloading request to the eUICC.
4. The method of claim 3, further comprising:
receiving a certificate updating request sent by the eUICC; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
forwarding the certificate update request to the SM-SR;
receiving a certificate update response sent by the SM-SR; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
sending the certificate update response to the eUICC.
5. A method for managing and authenticating an application certificate is applied to a secure routing SM-SR of a signing relationship management platform, and comprises the following steps:
receiving a certificate application request sent by an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
the authentication server is routed according to the ID of the authentication server, and the certificate application request is sent to the authentication server;
receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
and forwarding the authentication application certificate downloading request to the operator server according to the address of the operator server corresponding to the eUICC identification and the address of the operator server.
6. The method of claim 5, further comprising:
receiving a certificate updating request sent by the operator server; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application;
routing the authentication server according to the ID of the authentication server, and sending the certificate updating request to the authentication server;
receiving a certificate updating response sent by the authentication server; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
and acquiring the address of the corresponding operator server according to the eUICC identification, and forwarding the certificate updating response to the operator server according to the address of the operator server.
7. A method for managing certificate of authentication application, which is applied to an authentication server, comprises the following steps:
receiving a certificate application request sent by a secure route SM-SR of a signing relationship management platform; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
generating a certificate of the authentication application using a private key of the authentication server;
sending an authentication application certificate downloading request to the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and the certificate of the authentication application.
8. The method of claim 7, further comprising:
receiving a certificate updating request sent by the SM-SR; wherein the certificate update request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and a new certificate of the authentication application;
generating a new certificate for the authentication application using a private key of the authentication server;
sending a certificate update response to the SM-SR; wherein the certificate update response comprises: the ID of the authentication server, the eUICC identification and the AID of the authentication application.
9. An embedded universal integrated circuit card (eUICC), comprising:
the first sending module is used for sending a certificate application request to an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a first receiving module, configured to receive an authentication application certificate download request sent by the operator server; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
and the acquisition module is used for extracting the certificate of the authentication application from the authentication application certificate downloading request and storing the certificate of the authentication application.
10. An operator server, comprising:
the second receiving module is used for receiving a certificate application request sent by an embedded universal integrated circuit card (eUICC); wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
the second sending module is used for forwarding the certificate application request to a secure route SM-SR of a signing relationship management platform;
the second receiving module is further configured to: receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
the second sending module is further configured to: and sending the authentication application certificate downloading request to the eUICC.
11. A secure routing SM-SR of a subscription relationship management platform comprises:
the third receiving module is used for receiving a certificate application request sent by the operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a third sending module, configured to route the authentication server according to the ID of the authentication server, and send the certificate application request to the authentication server;
the third receiving module is further configured to: receiving an authentication application certificate downloading request sent by the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
the third sending module is further configured to: and forwarding the authentication application certificate downloading request to the operator server according to the address of the operator server corresponding to the eUICC identification and the address of the operator server.
12. An authentication server, comprising:
the fourth receiving module is used for receiving a certificate application request sent by the secure route SM-SR of the signing relationship management platform; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
a certificate generation module for generating a certificate of the authentication application using a private key of the authentication server;
a fourth sending module, configured to send an authentication application certificate download request to the SM-SR; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application, and the certificate of the authentication application.
13. A system for managing authentication application credentials, comprising:
an embedded universal integrated circuit card (eUICC) for:
sending a certificate application request to an operator server; wherein the certificate application request comprises: the identification ID of the authentication server, the eUICC identification and the application identification AID of the authentication application;
receiving an authentication application certificate downloading request sent by the operator server; wherein the authenticating the application certificate download request comprises: the ID of the authentication server, the eUICC identification, the AID of the authentication application and the certificate of the authentication application;
extracting the certificate of the authentication application from the authentication application certificate downloading request, and storing the certificate of the authentication application;
an operator server to:
receiving a certificate application request sent by an eUICC;
forwarding the certificate application request to a secure route SM-SR of a signing relationship management platform;
receiving an authentication application certificate downloading request sent by the SM-SR;
sending the authentication application certificate download request to the eUICC;
SM-SR for:
receiving a certificate application request sent by an operator server;
the authentication server is routed according to the ID of the authentication server, and the certificate application request is sent to the authentication server;
receiving an authentication application certificate downloading request sent by the SM-SR;
forwarding the authentication application certificate downloading request to an operator server according to the address of the operator server corresponding to the eUICC identification and the address of the operator server;
an authentication server to:
receiving a certificate application request sent by a secure route SM-SR of a signing relationship management platform;
generating a certificate of the authentication application using a private key of the authentication server;
and sending an authentication application certificate downloading request to the SM-SR.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011513469.7A CN112637848B (en) | 2020-12-18 | 2020-12-18 | Method, device and system for managing authentication application certificate |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011513469.7A CN112637848B (en) | 2020-12-18 | 2020-12-18 | Method, device and system for managing authentication application certificate |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112637848A true CN112637848A (en) | 2021-04-09 |
| CN112637848B CN112637848B (en) | 2023-03-14 |
Family
ID=75318024
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011513469.7A Active CN112637848B (en) | 2020-12-18 | 2020-12-18 | Method, device and system for managing authentication application certificate |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112637848B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160283216A1 (en) * | 2013-12-05 | 2016-09-29 | Huawei Device Co., Ltd. | Method and device for downloading profile of operator |
| US20180123803A1 (en) * | 2015-04-13 | 2018-05-03 | Samsung Electronics Co., Ltd. | Technique for managing profile in communication system |
| WO2018209986A1 (en) * | 2017-05-19 | 2018-11-22 | 中兴通讯股份有限公司 | Method and device for downloading euicc subscription data |
| CN109302291A (en) * | 2018-10-26 | 2019-02-01 | 江苏恒宝智能系统技术有限公司 | A kind of method of multi-certificate and determining required Certification system |
| CN109691151A (en) * | 2016-09-09 | 2019-04-26 | 三星电子株式会社 | For controlling the method and system of UICC and EUICC |
| US20190373448A1 (en) * | 2017-01-13 | 2019-12-05 | Huawei Technologies Co., Ltd. | Subscription Profile Downloading Method, Device, and Server |
-
2020
- 2020-12-18 CN CN202011513469.7A patent/CN112637848B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160283216A1 (en) * | 2013-12-05 | 2016-09-29 | Huawei Device Co., Ltd. | Method and device for downloading profile of operator |
| US20180123803A1 (en) * | 2015-04-13 | 2018-05-03 | Samsung Electronics Co., Ltd. | Technique for managing profile in communication system |
| CN109691151A (en) * | 2016-09-09 | 2019-04-26 | 三星电子株式会社 | For controlling the method and system of UICC and EUICC |
| US20190373448A1 (en) * | 2017-01-13 | 2019-12-05 | Huawei Technologies Co., Ltd. | Subscription Profile Downloading Method, Device, and Server |
| WO2018209986A1 (en) * | 2017-05-19 | 2018-11-22 | 中兴通讯股份有限公司 | Method and device for downloading euicc subscription data |
| CN109302291A (en) * | 2018-10-26 | 2019-02-01 | 江苏恒宝智能系统技术有限公司 | A kind of method of multi-certificate and determining required Certification system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112637848B (en) | 2023-03-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3800909B1 (en) | Remote management method, and device | |
| CN108028758B (en) | Method and apparatus for downloading profiles in a communication system | |
| KR102382851B1 (en) | Apparatus and methods for esim device and server to negociate digital certificates | |
| US10111089B2 (en) | Method and apparatus for downloading a profile in a wireless communication system | |
| US20190245704A1 (en) | Template based credential provisioning | |
| US9426654B2 (en) | Method for forming a trust relationship, and embedded UICC therefor | |
| EP2243311B1 (en) | Method and system for mobile device credentialing | |
| KR102082854B1 (en) | Methods, servers, and systems for downloading updated profiles | |
| US20160127132A1 (en) | Method and apparatus for installing profile | |
| US10038998B2 (en) | Profile deletion codes in subscription management systems | |
| US20160352698A1 (en) | Security control method for euicc and euicc | |
| KR102293683B1 (en) | Apparatus and Methods for Access Control on eSIM | |
| KR20070114839A (en) | Limited supply access to mobile terminal features | |
| US11838752B2 (en) | Method and apparatus for managing a profile of a terminal in a wireless communication system | |
| EP3824594B1 (en) | Apparatus and method for ssp device and server to negotiate digital certificates | |
| US20210136560A1 (en) | Method and apparatus for handling remote profile management exception | |
| CN110381103B (en) | Method, device and system for downloading operator configuration file | |
| CN111434087A (en) | Method and electronic device for providing communication service | |
| KR20190002598A (en) | A method and apparatus for issuing assertions within a distributed database of a mobile communication network and personalizing object Internet devices | |
| CN112913263A (en) | Method and apparatus for handling remote profile management exceptions | |
| KR101443161B1 (en) | Method for provisioning profile of embedded universal integrated circuit card using capability information and mobile terminal thereof | |
| CN113098933B (en) | Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request) | |
| CN112637848B (en) | Method, device and system for managing authentication application certificate | |
| CN112672346B (en) | Method, device and system for downloading authentication application | |
| CN113079037B (en) | Method and system for remotely updating authentication application certificate |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |