CN113098933A - Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request) - Google Patents

Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request) Download PDF

Info

Publication number
CN113098933A
CN113098933A CN202110308684.1A CN202110308684A CN113098933A CN 113098933 A CN113098933 A CN 113098933A CN 202110308684 A CN202110308684 A CN 202110308684A CN 113098933 A CN113098933 A CN 113098933A
Authority
CN
China
Prior art keywords
authentication application
authentication
installing
euicc
platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110308684.1A
Other languages
Chinese (zh)
Other versions
CN113098933B (en
Inventor
韩玲
王湘宁
梁昊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202110308684.1A priority Critical patent/CN113098933B/en
Publication of CN113098933A publication Critical patent/CN113098933A/en
Application granted granted Critical
Publication of CN113098933B publication Critical patent/CN113098933B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/34Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters 
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/61Installation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20Transfer of user or subscriber data
    • H04W8/205Transfer to or from user equipment or user record carrier

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a method for remotely installing an authentication application, an eUICC and an SM-SR, wherein the method comprises the following steps: receiving an authentication application download installation request sent by a secure routing network element SM-SR of a signing relationship management platform, wherein the authentication application download installation request carries an authentication application identifier, an authentication application installation file and an authentication platform certificate, and the authentication application installation file is used for installing an authentication application in a control security domain ECASD of an eUICC; and verifying the certificate of the authentication platform, and if the certificate passes the verification, installing the authentication application in the ECASD according to an authentication application installation file. The method, the eUICC and the SM-SR can solve the problems that an existing private solution based on the smart card usually needs to cooperate with a designated card manufacturer and an operator, and the designated authentication application and sensitive data such as certificates and keys need to be preset during card manufacturing, so that the method can only be suitable for users in a specific range, and the authentication application cannot be downloaded and installed remotely in real time.

Description

Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request)
Technical Field
The invention relates to the technical field of smart cards, in particular to a method for remotely installing an authentication application, an eUICC and an SM-SR.
Background
With the national pace of accelerating 'new infrastructure', the 5G communication network will increasingly blend into the aspects of social management. The series of 5G application scenes all put forward higher requirements on information security than the traditional Internet, particularly in the field of industrial Internet of things, massive and diversified terminals under the ubiquitous connection scene are easy to attack and utilize, and threaten the network operation security. On the other hand, smart cards as the basic portal of mobile communication networks are also gradually developing from production components of mobile communication to important carriers of mobile communication services and service innovation, and becoming important platforms of mobile informatization.
Based on the important position and security attribute of the smart card in the mobile communication network, the industry provides an identity authentication solution based on the smart card, the smart card is used as a security bearing module of a user side to store authentication application and sensitive data such as certificates and keys, and a terminal interacts with an authentication server through the authentication application to perform identity authentication.
However, the existing security authentication solution based on the smart card is a private solution, and usually needs to cooperate with a designated card manufacturer and an operator, preset a designated authentication application and sensitive data such as certificates and keys during card manufacturing, establish a private closed security system, or perform data transmission through a private interface, and is only suitable for users within a specific range. These solutions therefore have many limitations on business models, product categories, and audience users.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method for remotely installing an authentication application, an eUICC and an SM-SR, so as to solve the problem that the existing private solution based on an intelligent card usually needs to cooperate with a specific card manufacturer and an operator, and the specific authentication application and sensitive data such as a certificate and a key need to be preset during card manufacturing, and the method can only be applied to users within a specific range, and cannot remotely download and install the authentication application in real time.
In a first aspect, an embodiment of the present invention provides a method for remotely installing an authentication application, where the method is applied to an embedded universal integrated circuit card eUICC, and the method includes:
receiving an authentication application download installation request sent by a secure routing network element SM-SR of a signing relationship management platform, wherein the authentication application download installation request carries an authentication application identifier, an authentication application installation file and an authentication platform certificate, and the authentication application installation file is used for installing an authentication application in a control security domain ECASD of an eUICC;
and verifying the certificate of the authentication platform, and if the certificate passes the verification, installing the authentication application in the ECASD according to an authentication application installation file.
Preferably, the certification platform certificate includes a certification platform public key, and if the certification platform public key passes the verification, the method further includes:
extracting and storing the authentication platform public key from the authentication platform certificate;
generating a random challenge RC according to a preset algorithm, and signing the RC;
and sending an authentication application downloading and installing success message to the SM-SR, wherein the authentication application downloading and installing success message carries the RC and the signature.
Preferably, if the verification fails, the method further comprises:
and sending an authentication application downloading and installing failure message to the SM-SR, wherein the authentication application downloading and installing failure message carries an error code.
In a second aspect, an embodiment of the present invention provides a method for remotely installing an authentication application, where the method is applied to a secure routing network element SM-SR of a subscription relationship management platform, and the method includes:
receiving an authentication application downloading and installing request sent by an authentication platform, wherein the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of an eUICC;
and forwarding the authentication application downloading and installing request to the eUICC.
Preferably, before forwarding the authentication application download installation request to the eUICC, the method further includes:
carrying out validity verification on the authentication application downloading and installing request;
the forwarding the authentication application download installation request to the eUICC specifically includes:
and if the verification is passed, forwarding the authentication application downloading and installing request to the eUICC.
Preferably, the authentication application download installation request further carries an eUICC identifier EID, and if the verification passes, the method further includes:
acquiring eUICC card information set EIS information of the corresponding eUICC according to the EID;
acquiring an eUICC certificate corresponding to the EID from the EIS information;
and returning the certificate of the eUICC to an authentication platform.
Preferably, after forwarding the authentication application download installation request to the eUICC, the method further includes:
receiving an authentication application downloading and installing success message sent by the eUICC, wherein the authentication application downloading and installing success message carries the RC and the signature;
updating the EIS information based on the authentication application download installation success message;
and returning an authentication application installation result notification to the authentication platform, wherein the authentication application installation result notification carries the EID, the authentication application identifier, the RC and the signature.
In a third aspect, an embodiment of the present invention provides an eUICC, including: a root security domain ISD-R and a control security domain ECASD of the eUICC;
the ISD-R is used for receiving an authentication application downloading and installing request sent by the SM-SR, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
the ISD-R is further configured to send the authentication platform credential and an authentication application installation file to the ECASD;
and the ECASD is used for receiving the authentication platform certificate and the authentication application installation file sent by the ISD-R, verifying the authentication platform certificate and installing the authentication application according to the authentication application installation file after the verification is passed.
Preferably, the authentication platform certificate comprises an authentication platform public key;
the ECASD is also used for extracting and storing the authentication platform public key from the authentication platform certificate, generating a random challenge RC according to a preset algorithm, signing the RC, and sending a verification success message to the ISD-R, wherein the RC and the signature are carried in the verification success message;
and the ISD-R is further used for sending an authentication application downloading and installing success message to the SM-SR after receiving the verification success message, wherein the authentication application downloading and installing success message carries the RC and the signature.
In a fourth aspect, an embodiment of the present invention provides an SM-SR, including:
the system comprises a receiving module, a downloading and installing module and an authentication platform, wherein the receiving module is used for receiving an authentication application downloading and installing request sent by an authentication platform, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
and the forwarding module is used for forwarding the authentication application downloading and installing request to the eUICC.
The method for remotely installing the authentication application, the eUICC and the SM-SR provided by the embodiment of the invention utilize the security architecture of the eUICC system to verify the certificate of the authentication platform in the authentication application download installation request after receiving the authentication application download installation request sent by the SM-SR, and install the authentication application in the control security domain ECASD of the eUICC after the verification is passed, thereby not needing to additionally configure a set of private security system for the mobile identity authentication service, ensuring the transmission security by utilizing the security system of the eUICC, avoiding the pre-writing of sensitive data such as the authentication application and the like during factory card manufacturing, ensuring that the service platform safely downloads and installs the authentication application and the platform certificate required by the authentication service of the eUICC to be authenticated in real time and through the authentication platform according to the service requirement after issuing the card, supporting flexible business mode, being beneficial to the construction of security and the opening of the mobile identity authentication ecological environment, the problem that an existing private solution based on the smart card usually needs to cooperate with a designated card manufacturer and an operator, and needs to preset designated authentication application and sensitive data such as certificates and keys during card manufacturing, so that the existing private solution can only be suitable for users in a specific range, and cannot remotely download and install the authentication application in real time is solved.
Drawings
FIG. 1: a flow chart of a method for remotely installing an authentication application according to embodiment 1 of the present invention;
FIG. 2: the invention discloses an interactive schematic diagram of a remote installation authentication application;
FIG. 3: a flowchart of a method for remotely installing an authentication application according to embodiment 2 of the present invention;
FIG. 4: is a schematic structural diagram of an eUICC in embodiment 3 of the present invention;
FIG. 5: is a schematic structural diagram of an SM-SR in embodiment 4 of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example 1:
this embodiment provides a method for remotely installing an authentication application, which is applied to an eUICC (Embedded Universal Integrated Circuit Card), and as shown in fig. 1, the method includes:
step S102: receiving an authentication application download installation request sent by a secure routing network element SM-SR (subscription Manager Security routing), wherein the authentication application download installation request carries an authentication application identifier, an authentication application installation file and an authentication platform certificate, and the authentication application installation file is used for installing an authentication application in a control Security domain ECASD (eUICC Controlling authorization Security domain) of an eUICC;
step S104: and verifying the certificate of the authentication platform, and if the certificate passes the verification, installing the authentication application in the ECASD according to an authentication application installation file.
It should be noted that, the present invention mainly utilizes a secure channel of an eUICC architecture to remotely download, install, and authenticate applications, where the eUICC architecture mainly includes an SM-SR, a root Security Domain ISD-r (issue Security Domain root), and an ECASD, and the complete eUICC architecture may also include other network elements, which is not limited to this.
In this embodiment, the terminal uses the authentication service for the first time, or the service provider needs to install the authentication application on the terminal purchased or managed by the terminal, the service platform sends an authentication application request to the authentication platform, the authentication platform can perform qualification verification on the service platform after receiving the authentication application request, and after the verification is passed, sends an authentication application download installation request to the SM-SR; and the SM-SR forwards the authentication application downloading and installing request to the eUICC after receiving the authentication application downloading and installing request.
Optionally, the certificate of the authentication platform includes a public key of the authentication platform, and if the verification passes, the method may further include:
extracting and storing the certification platform public key from the certification platform certificate;
generating a random challenge RC according to a preset algorithm, and signing the RC;
and sending an authentication application downloading and installing success message to the SM-SR, wherein the authentication application downloading and installing success message carries the RC and the signature.
In this embodiment, for subsequent secure interaction and connection between the eUICC and the authentication platform, the authentication platform public key pk.auserver.ecdsa is extracted from the authentication platform certificate and stored. Meanwhile, in order to further ensure the transmission safety, a random challenge RC is generated according to a preset algorithm, the specific generation algorithm is not specified at will, and the eUICC can sign the RC by using a private key SK.
Optionally, if the verification fails, the method may further include:
and sending an authentication application downloading and installing failure message to the SM-SR, wherein the authentication application downloading and installing failure message carries an error code.
In this embodiment, if the verification fails, the eUICC sends an authentication application download installation failure message to the SM-SR, the SM-SR returns an authentication application installation result notification carrying an error code to the authentication platform, and the authentication platform may try again according to the error code after receiving the notification.
The method for remotely installing the authentication application provided in this embodiment utilizes the security architecture of the eUICC system, verifies the certificate of the authentication platform in the authentication application download installation request after receiving the authentication application download installation request sent by the SM-SR, and installs the authentication application in the control security domain ECASD of the eUICC after the verification is passed, so that there is no need to additionally configure a set of private security system for the mobile identity authentication service, the security system of the eUICC is utilized to ensure the transmission security, thereby avoiding the pre-writing of sensitive data such as the authentication application and the like during factory card manufacturing, after issuing the card, the service platform can safely download and install the authentication application and the platform certificate required by the authentication service to the eUICC of the terminal to be authenticated through the authentication platform in real time according to the service requirements, can support a flexible business model, and is favorable for building a secure and open mobile identity authentication ecological environment, the problem that an existing private solution based on the smart card usually needs to cooperate with a designated card manufacturer and an operator, and needs to preset designated authentication application and sensitive data such as certificates and keys during card manufacturing, so that the existing private solution can only be suitable for users in a specific range, and cannot remotely download and install the authentication application in real time is solved.
Specifically, referring to fig. 2, an interaction diagram of remotely installing an authentication application according to an embodiment of the present invention is shown, where a service platform may provide a specific service, and an authentication platform may provide an authentication service. The two providers can be the same provider or belong to different providers. Under an ideal commercial mode, the authentication platform can be used as an independent third-party service platform to provide uniform authentication service for a plurality of business platforms. In this embodiment, the method includes the following steps:
step S01: the service platform sends an authentication application request to the authentication platform;
it should be noted that, the service platform of the authentication service is connected to the newly added interface of the authentication platform, and meanwhile, the authentication platform is connected to the newly added interface of the secure routing network element SM-SR of the subscription relationship management platform of the eUICC remote management platform, and the SM-SR is an important network element of the eUICC remote management platform. The public key of the authentication platform is PK.AuServer.ECDSA, the certificate of the authentication platform is CERT.AuServer.ECDSA, and the certificate is issued by a certificate issuer CI (certificate issuer) or SM-SR, and the authentication platform is stored with a CI root certificate in advance.
Specifically, a service platform using the authentication service sends an authentication application request to an authentication platform for the eUICC to apply for an authentication application CAP packet, i.e., an installation file of the authentication application. The authentication application request carries an eUICC identifier EID (eUICC-ID) and an application type, and according to a service requirement, the service platform applies for the application to install the application in an ECASD security domain of the eUICC through the application type.
Step S02: the authentication platform performs qualification verification on the service platform;
specifically, the authentication platform checks whether the service platform has the qualification to acquire the authentication application, and the specific checking mode is optional without stipulation. Generally, the service platform uses the authentication service provided by the authentication platform, and both parties need to agree with each other from the commercial industry in advance, for example, the service platform can be implemented by means of off-line or on-line subscription. At this moment, the authentication platform determines whether the service platform is qualified to obtain the authentication application through auditing so that the service platform can use the next authentication service. If the qualification audit is not passed, the authentication platform informs the service platform that the audit is failed, and the process is finished.
Step S03: and after the qualification verification is passed, the authentication platform sends an authentication application downloading and installing request to the SM-SR.
Specifically, the authentication application download installation request carries the EID, an authentication application installation file, an authentication application identifier and an authentication platform certificate, wherein the authentication platform stores the authentication application installation file, the authentication application identifier and the authentication platform certificate in advance.
Step S04: the SM-SR carries out validity verification on the authentication application download installation request and inquires EIS information;
specifically, after receiving an authentication application download installation request sent by an authentication platform, the SM-SR extracts the EID, and queries the Information set eis (eUICC Information set) of the eUICC according to the EID. The SM-SR stores all EISs of the euiccs in advance, and the EISs includes a series of information of the euiccs, such as eUICC certificates. The SM-SR may perform validity verification on the authentication application download installation request according to the EIS, for example, may perform verification in a certificate manner, or may perform validity verification on the authentication application download installation request in other manners, for example, other business agreements, a certificate manner such as PKI (Public Key Infrastructure) certificate verification, and the like. If the verification fails, the SM-SR notifies the authentication platform of the verification failure, and the process is finished.
Step S05: and the SM-SR returns the certificate of the eUICC to the authentication platform.
Specifically, if the verification passes, the SM-SR returns the certificate of the eUICC to the authentication platform for the next authentication procedure: cert, ecasd, ecka.
Step S06: the SM-SR sends the authentication application downloading and installing request to the ISD-R;
specifically, the SM-SR sends an authenticated application download installation request to the ISD-R through the ES5 interface.
Step S07: the ISD-R forwards the authentication platform certificate and the authentication application installation file to the ECASD;
specifically, after receiving the authentication application download installation request, the ISD-R extracts the authentication platform certificate and the authentication application installation file, and forwards them to the ECASD.
Step S08: and the ECASD verifies the certificate of the authentication platform, if the certificate passes the verification, the public key of the authentication platform in the certificate of the authentication platform is extracted, the authentication application is installed, the random challenge RC is generated, and the RC is signed. If the verification fails, an error code is generated.
Wherein, ECASD uses public key PK.CI.ECDSA of CI to verify CERT.AuServer.ECDSA, if the verification fails, then error code is generated. If the verification is successful, for subsequent secure interaction and connection between the eUICC and the authentication platform, extracting and storing an authentication platform public key PK.AuServer.ECDSA from the authentication platform certificate, installing authentication application, generating the RC, and signing the RC by using a private key SK.ECASD.ECKA of the eUICC.
Step S09: if the verification is passed, the ECASD sends a verification success message to the ISD-R;
specifically, if the verification passes, the ECASD sends a verification success message to the ISD-R, where the verification success message carries the RC and the signature, and if the verification fails, the ECASD sends a verification failure message to the ISD-R, where the verification failure message carries the error code.
Step S10: and the ISD-R returns an authentication application downloading and installing success message to the SM-SR.
Specifically, according to the received verification success message or verification failure message, the ISD-R returns an authentication application download installation success message or an authentication application download installation failure message to the SM-SR.
Step S11: and if the installation is successful, the SM-SR updates EIS information.
Specifically, the SM-SR may perform information update on the EIS information of the eUICC according to the received result, such as indicating that the authentication application is installed in the eUICC, the remaining available space of the eUICC, and the like.
Step S12: and the SM-SR returns an authentication application installation result notice to the authentication platform.
Specifically, the authentication application installation result notification may carry the EID, the authentication application identification, the RC, the signature, or the error code.
Step S13: and the authentication platform uses the public key PK, ECASD and ECKA of the eUICC to check and sign, if the public key PK, ECASD and ECKA passes, the installation is successful, and otherwise, the installation fails.
Specifically, if the authentication platform receives the RC and the signature, the pk.ecasd.ecka is used for signature verification, if the RC and the signature pass, the installation is successful, otherwise, the installation fails.
Step S12: and the authentication platform sends an authentication application result to the service platform.
Specifically, the authentication application result may carry the EID and the application type, and if the installation is successful, the authentication platform sends the authentication application result to the service platform. Otherwise, a retry may be made based on the error code.
The invention utilizes the security architecture of the eUICC system, does not need to additionally configure a set of private security system for the mobile identity authentication service, ensures the transmission security by utilizing the security system of the eUICC, further prevents man-in-the-middle attack on the authentication service by bidirectional verification, and is particularly suitable for the construction of the security system of the infrastructure of the industrial Internet of things under the condition of no manual verification.
In the invention, an authentication service provider is mutually independent of an operator and an intelligent card manufacturer, and an authentication platform installs authentication application in an eUICC in real time through an eUICC system architecture. According to the invention, sensitive data such as authentication application and the like do not need to be written in advance during card manufacturing in a factory, and after card issuing, the service platform can safely download and install the application and platform certificate required by the authentication service to the terminal to be authenticated in real time through the authentication platform according to service requirements. The method can support a flexible business mode, and is beneficial to building a safe and open mobile identity authentication ecological environment.
Example 2:
referring to fig. 3, the present embodiment provides a method for remotely installing an authentication application, which is applied to an SM-SR, and the method includes:
step S202: receiving an authentication application downloading and installing request sent by an authentication platform, wherein the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
step S204: and forwarding the authentication application downloading and installing request to the eUICC.
Optionally, before forwarding the authentication application download installation request to the eUICC, the method further includes:
verifying the validity of the download installation request of the authentication application;
forwarding an authentication application download installation request to the eUICC, specifically comprising:
and if the verification is passed, forwarding an authentication application downloading and installing request to the eUICC.
Optionally, the request for downloading and installing the authentication application further carries an eUICC identifier EID, and if the request passes the verification, the method further includes:
acquiring eUICC card information set EIS information of the corresponding eUICC according to the EID;
acquiring an eUICC certificate corresponding to the EID from the EIS information;
and returning the certificate of the eUICC to the authentication platform.
Optionally, after forwarding the authentication application download installation request to the eUICC, the method further includes:
receiving an authentication application downloading and installing success message sent by the eUICC, wherein the authentication application downloading and installing success message carries the RC and the signature;
updating the EIS information based on the authentication application download installation success message;
and returning an authentication application installation result notification to the authentication platform, wherein the authentication application installation result notification carries the EID, the authentication application identifier, the RC and the signature.
Example 3:
referring to fig. 4, the present embodiment provides an eUICC, including: a root security domain ISD-R31 and a control security domain ECASD 32 of the eUICC;
the ISD-R31 is used for receiving an authentication application downloading and installing request sent by the SM-SR, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD 32 of the eUICC;
the ISD-R31 is also used to send the authentication platform certificate and the authentication application installation file to the ECASD 32;
the ECASD 32 is configured to receive the authentication platform certificate and the authentication application installation file sent by the ISD-R31, verify the authentication platform certificate, and install the authentication application according to the authentication application installation file after the verification is passed.
Optionally, the authentication platform certificate comprises an authentication platform public key;
the ECASD 32 is also used for extracting and storing the authentication platform public key from the authentication platform certificate, generating a random challenge RC according to a preset algorithm, signing the RC, and sending a verification success message to the ISD-R31, wherein the verification success message carries the RC and the signature;
and the ISD-R31 is also used for sending an authentication application downloading and installing success message to the SM-SR after receiving the verification success message, wherein the authentication application downloading and installing success message carries the RC and the signature.
Example 4:
referring to fig. 5, the present embodiment provides an SM-SR including:
a receiving module 41, configured to receive an authentication application download installation request sent by an authentication platform, where the authentication application download installation request carries an authentication application identifier, an authentication application installation file, and an authentication platform certificate, and the authentication application installation file is used to install an authentication application in a control security domain ECASD 32 of an eUICC;
and a forwarding module 42 connected to the receiving module 41, configured to forward the authentication application download installation request to the eUICC.
Embodiments 2 to 4 provide a method for remotely installing an authentication application, an eUICC and an SM-SR, which utilize a security framework of an eUICC system, verify an authentication platform certificate in an authentication application download installation request after receiving an authentication application download installation request sent by the SM-SR, and install the authentication application in a control security domain ECASD of the eUICC after the verification is passed, so that there is no need to additionally configure a set of private security system for a mobile identity authentication service, secure transmission is ensured by utilizing the security system of the eUICC, sensitive data such as the authentication application and the like are prevented from being written in advance during factory card manufacturing, after card issuing, the service platform securely downloads and installs the authentication application and platform certificate required by the authentication service in real time to the eUICC of a terminal to be authenticated through the authentication platform according to service requirements, a flexible business model can be supported, and it is beneficial to establish a secure business model, and to establish a secure environment-friendly system, The method has the advantages that the ecological environment of mobile identity authentication is opened, and the problems that the existing private solution based on the smart card usually needs to cooperate with a designated card manufacturer and an operator, and the designated authentication application and sensitive data such as certificates and keys need to be preset during card manufacturing, so that the method can only be suitable for users in a specific range, and the authentication application cannot be downloaded and installed remotely in real time are solved.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A method for remotely installing an authentication application is applied to an embedded universal integrated circuit card (eUICC), and comprises the following steps:
receiving an authentication application download installation request sent by a secure routing network element SM-SR of a signing relationship management platform, wherein the authentication application download installation request carries an authentication application identifier, an authentication application installation file and an authentication platform certificate, and the authentication application installation file is used for installing an authentication application in a control security domain ECASD of an eUICC;
and verifying the certificate of the authentication platform, and if the certificate passes the verification, installing the authentication application in the ECASD according to an authentication application installation file.
2. The method of claim 1, wherein the certification platform certificate comprises a certification platform public key, and if the certification platform public key passes the verification, the method further comprises:
extracting and storing the authentication platform public key from the authentication platform certificate;
generating a random challenge RC according to a preset algorithm, and signing the RC;
and sending an authentication application downloading and installing success message to the SM-SR, wherein the authentication application downloading and installing success message carries the RC and the signature.
3. The method of claim 1, wherein if the verification fails, the method further comprises:
and sending an authentication application downloading and installing failure message to the SM-SR, wherein the authentication application downloading and installing failure message carries an error code.
4. A method for remotely installing an authentication application is applied to a secure routing network element SM-SR of a subscription relationship management platform, and comprises the following steps:
receiving an authentication application downloading and installing request sent by an authentication platform, wherein the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of an eUICC;
and forwarding the authentication application downloading and installing request to the eUICC.
5. The method of remotely installing an authentication application according to claim 4, wherein prior to forwarding the authentication application download installation request to the eUICC, the method further comprises:
carrying out validity verification on the authentication application downloading and installing request;
the forwarding the authentication application download installation request to the eUICC specifically includes:
and if the verification is passed, forwarding the authentication application downloading and installing request to the eUICC.
6. The method for remotely installing an authentication application according to claim 4, wherein the authentication application download installation request further carries an EUICC Identifier (EID), and if the verification is passed, the method further comprises:
acquiring eUICC card information set EIS information of the corresponding eUICC according to the EID;
acquiring an eUICC certificate corresponding to the EID from the EIS information;
and returning the certificate of the eUICC to an authentication platform.
7. The method of claim 6, wherein after forwarding the authentication application download installation request to the eUICC, the method further comprises:
receiving an authentication application downloading and installing success message sent by the eUICC, wherein the authentication application downloading and installing success message carries the RC and the signature;
updating the EIS information based on the authentication application download installation success message;
and returning an authentication application installation result notification to the authentication platform, wherein the authentication application installation result notification carries the EID, the authentication application identifier, the RC and the signature.
8. An eUICC, comprising: a root security domain ISD-R and a control security domain ECASD of the eUICC;
the ISD-R is used for receiving an authentication application downloading and installing request sent by the SM-SR, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
the ISD-R is further configured to send the authentication platform credential and an authentication application installation file to the ECASD;
and the ECASD is used for receiving the authentication platform certificate and the authentication application installation file sent by the ISD-R, verifying the authentication platform certificate and installing the authentication application according to the authentication application installation file after the verification is passed.
9. The eUICC of claim 8, wherein the authentication platform certificate comprises an authentication platform public key;
the ECASD is also used for extracting and storing the authentication platform public key from the authentication platform certificate, generating a random challenge RC according to a preset algorithm, signing the RC, and sending a verification success message to the ISD-R, wherein the RC and the signature are carried in the verification success message;
and the ISD-R is further used for sending an authentication application downloading and installing success message to the SM-SR after receiving the verification success message, wherein the authentication application downloading and installing success message carries the RC and the signature.
10. An SM-SR, comprising:
the system comprises a receiving module, a downloading and installing module and an authentication platform, wherein the receiving module is used for receiving an authentication application downloading and installing request sent by an authentication platform, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
and the forwarding module is used for forwarding the authentication application downloading and installing request to the eUICC.
CN202110308684.1A 2021-03-23 2021-03-23 Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request) Active CN113098933B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110308684.1A CN113098933B (en) 2021-03-23 2021-03-23 Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110308684.1A CN113098933B (en) 2021-03-23 2021-03-23 Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request)

Publications (2)

Publication Number Publication Date
CN113098933A true CN113098933A (en) 2021-07-09
CN113098933B CN113098933B (en) 2022-12-20

Family

ID=76669066

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110308684.1A Active CN113098933B (en) 2021-03-23 2021-03-23 Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request)

Country Status (1)

Country Link
CN (1) CN113098933B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114879985A (en) * 2022-07-12 2022-08-09 广州朗国电子科技股份有限公司 Method, device, equipment and storage medium for installing certificate file

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808092A (en) * 2010-03-12 2010-08-18 中国电信股份有限公司 Multi-certificate sharing method and system as well as intelligent card
US20110211699A1 (en) * 2008-10-28 2011-09-01 Zte Corporation Key distribution method and system
US20140075524A1 (en) * 2012-09-11 2014-03-13 Authenticade Llc System and method to establish and use credentials for a common lightweight identity through digital certificates
CN105282732A (en) * 2014-07-17 2016-01-27 三星电子株式会社 Method and device for updating profile management server
CN108476399A (en) * 2015-12-28 2018-08-31 三星电子株式会社 Method and apparatus for sending and receiving profile in a communications system
CN109495429A (en) * 2017-09-12 2019-03-19 华为技术有限公司 A kind of method for authenticating, terminal and server
CN109492371A (en) * 2018-10-26 2019-03-19 中国联合网络通信集团有限公司 A kind of digital certificate sky forwarding method and device

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110211699A1 (en) * 2008-10-28 2011-09-01 Zte Corporation Key distribution method and system
CN101808092A (en) * 2010-03-12 2010-08-18 中国电信股份有限公司 Multi-certificate sharing method and system as well as intelligent card
US20140075524A1 (en) * 2012-09-11 2014-03-13 Authenticade Llc System and method to establish and use credentials for a common lightweight identity through digital certificates
CN105282732A (en) * 2014-07-17 2016-01-27 三星电子株式会社 Method and device for updating profile management server
CN108476399A (en) * 2015-12-28 2018-08-31 三星电子株式会社 Method and apparatus for sending and receiving profile in a communications system
CN109495429A (en) * 2017-09-12 2019-03-19 华为技术有限公司 A kind of method for authenticating, terminal and server
CN109492371A (en) * 2018-10-26 2019-03-19 中国联合网络通信集团有限公司 A kind of digital certificate sky forwarding method and device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114879985A (en) * 2022-07-12 2022-08-09 广州朗国电子科技股份有限公司 Method, device, equipment and storage medium for installing certificate file
CN114879985B (en) * 2022-07-12 2022-11-11 广州朗国电子科技股份有限公司 Method, device, equipment and storage medium for installing certificate file

Also Published As

Publication number Publication date
CN113098933B (en) 2022-12-20

Similar Documents

Publication Publication Date Title
RU2515809C2 (en) Methods for facilitating secure self-initialisation of subscriber devices in communication system
EP2243311B1 (en) Method and system for mobile device credentialing
US9450951B2 (en) Secure over-the-air provisioning solution for handheld and desktop devices and services
KR101243073B1 (en) Method for terminal configuration and management and terminal apparatus
RU2391796C2 (en) Limited access to functional sets of mobile terminal
US20060039564A1 (en) Security for device management and firmware updates in an operator network
CN108848496B (en) TEE-based virtual eSIM card authentication method, TEE terminal and management platform
EP2258098A1 (en) Credential generation system and method for communications devices and device management servers
KR20190004499A (en) Apparatus and methods for esim device and server to negociate digital certificates
CN110535665B (en) Method, device and system for signing and issuing same-root certificate on line
CN112533211B (en) Certificate updating method and system of eSIM card and storage medium
CN109120419B (en) Upgrading method and device for ONU version of optical network unit and storage medium
CN113098933B (en) Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request)
CN113490211B (en) Auxiliary security domain establishing method, SM-SR and system
US20220385483A1 (en) Credential bootstrapping
CN113079037B (en) Method and system for remotely updating authentication application certificate
CN113079503B (en) Method and system for remotely downloading authentication application certificate
CN112637848B (en) Method, device and system for managing authentication application certificate
CN112672346B (en) Method, device and system for downloading authentication application
CN110048857B (en) Public key infrastructure management system, smart card and equipment system
EP4380102A1 (en) A method to allow traceability of usim profile tranfer from a source device to a target device, corresponding system an remote server
EP1494395A1 (en) Method and authentication module for providing access to a target network via a wireless local area network WLAN
CN114189334A (en) Controllable eSIM terminal certificate online signing and issuing method and system
CN114930325A (en) Method for securely diversifying general-purpose applications stored in a secure processor of a terminal
WO2024115484A1 (en) A method to allow traceability of usim profile transfer from a source device to a target device, corresponding system and remote server

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant