CN113098933B - Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request) - Google Patents

Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request) Download PDF

Info

Publication number
CN113098933B
CN113098933B CN202110308684.1A CN202110308684A CN113098933B CN 113098933 B CN113098933 B CN 113098933B CN 202110308684 A CN202110308684 A CN 202110308684A CN 113098933 B CN113098933 B CN 113098933B
Authority
CN
China
Prior art keywords
authentication application
authentication
installing
euicc
platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110308684.1A
Other languages
Chinese (zh)
Other versions
CN113098933A (en
Inventor
韩玲
王湘宁
梁昊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202110308684.1A priority Critical patent/CN113098933B/en
Publication of CN113098933A publication Critical patent/CN113098933A/en
Application granted granted Critical
Publication of CN113098933B publication Critical patent/CN113098933B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/34Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters 
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/61Installation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20Transfer of user or subscriber data
    • H04W8/205Transfer to or from user equipment or user record carrier

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a method for remotely installing an authentication application, an eUICC and an SM-SR, wherein the method comprises the following steps: receiving an authentication application download installation request sent by a secure routing network element SM-SR of a signing relationship management platform, wherein the authentication application download installation request carries an authentication application identifier, an authentication application installation file and an authentication platform certificate, and the authentication application installation file is used for installing an authentication application in a control security domain ECASD of an eUICC; and verifying the certificate of the authentication platform, and if the certificate passes the verification, installing the authentication application in the ECASD according to an authentication application installation file. The method, the eUICC and the SM-SR can solve the problems that an existing private solution based on the smart card usually needs to cooperate with a specified card manufacturer and an operator, and the specified authentication application and sensitive data such as certificates and keys need to be preset during card manufacturing, so that the method can only be applied to users in a specific range, and the authentication application cannot be downloaded and installed remotely in real time.

Description

Method for remotely installing authentication application, eUICC (embedded Universal Integrated Circuit card) and SM-SR (secure message Relay-secure) device
Technical Field
The invention relates to the technical field of smart cards, in particular to a method for remotely installing authentication application, an eUICC and an SM-SR.
Background
With the national pace of accelerating 'new infrastructure', the 5G communication network will increasingly blend into the aspects of social management. The series of 5G application scenes all put forward higher requirements on information security than the traditional Internet, particularly in the field of industrial Internet of things, massive and diversified terminals under the ubiquitous connection scene are easy to attack and utilize, and threaten the network operation security. On the other hand, smart cards as the basic portal of mobile communication networks are also gradually developing from production components of mobile communication to important carriers of mobile communication services and service innovation, and becoming important platforms of mobile informatization.
Based on the important position and security attribute of the smart card in the mobile communication network, the industry provides an identity authentication solution based on the smart card, the smart card is used as a security bearing module of a user side to store sensitive data such as authentication application, certificates and keys, and the terminal interacts with an authentication server through the authentication application to perform identity authentication.
However, the existing security authentication solution based on the smart card is a private solution, and usually needs to cooperate with a designated card manufacturer and an operator, preset a designated authentication application and sensitive data such as certificates and keys during card manufacturing, establish a private closed security system, or perform data transmission through a private interface, and is only suitable for users within a specific range. These solutions therefore have many limitations on business models, product categories, and audience users.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method for remotely installing an authentication application, an eUICC and an SM-SR, so as to solve the problems that the existing private solution based on a smart card usually needs to cooperate with a specific card vendor and an operator, and the specific authentication application and sensitive data such as a certificate and a key need to be preset during card manufacturing, and the existing private solution is only suitable for users within a specific range, and cannot remotely download and install the authentication application in real time.
In a first aspect, an embodiment of the present invention provides a method for remotely installing an authentication application, where the method is applied to an embedded universal integrated circuit card eUICC, and the method includes:
receiving an authentication application download installation request sent by a secure routing network element SM-SR of a signing relationship management platform, wherein the authentication application download installation request carries an authentication application identifier, an authentication application installation file and an authentication platform certificate, and the authentication application installation file is used for installing an authentication application in a control security domain ECASD of an eUICC;
and verifying the certificate of the authentication platform, and if the certificate passes the verification, installing the authentication application in the ECASD according to an authentication application installation file.
Preferably, the certificate of the certification platform includes a public key of the certification platform, and if the certification is passed, the method further includes:
extracting and storing the authentication platform public key from the authentication platform certificate;
generating a random challenge RC according to a preset algorithm, and signing the RC;
and sending an authentication application downloading and installing success message to the SM-SR, wherein the authentication application downloading and installing success message carries the RC and the signature.
Preferably, if the verification fails, the method further comprises:
and sending an authentication application downloading and installing failure message to the SM-SR, wherein the authentication application downloading and installing failure message carries an error code.
In a second aspect, an embodiment of the present invention provides a method for remotely installing an authentication application, where the method is applied to a secure routing network element SM-SR of a subscription relationship management platform, and the method includes:
receiving an authentication application downloading and installing request sent by an authentication platform, wherein the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of an eUICC;
and forwarding the authentication application downloading and installing request to the eUICC.
Preferably, before forwarding the authentication application download installation request to the eUICC, the method further includes:
carrying out validity verification on the authentication application downloading and installing request;
the forwarding the authentication application download installation request to the eUICC specifically includes:
and if the verification is passed, forwarding the authentication application downloading and installing request to the eUICC.
Preferably, the authentication application download installation request further carries an eUICC identifier EID, and if the verification passes, the method further includes:
acquiring eUICC card information set EIS information of the corresponding eUICC according to the EID;
acquiring an eUICC certificate corresponding to the EID from the EIS information;
and returning the certificate of the eUICC to an authentication platform.
Preferably, after forwarding the authentication application download installation request to the eUICC, the method further comprises:
receiving an authentication application downloading and installing success message sent by the eUICC, wherein the authentication application downloading and installing success message carries the RC and the signature;
updating the EIS information based on the authentication application download installation success message;
and returning an authentication application installation result notice to the authentication platform, wherein the authentication application installation result notice carries the EID, the authentication application identifier, the RC and the signature.
In a third aspect, an embodiment of the present invention provides an eUICC, including: a root security domain ISD-R and a control security domain ECASD of the eUICC;
the ISD-R is used for receiving an authentication application downloading and installing request sent by the SM-SR, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
the ISD-R is further configured to send the authentication platform credential and an authentication application installation file to the ECASD;
and the ECASD is used for receiving the authentication platform certificate and the authentication application installation file sent by the ISD-R, verifying the authentication platform certificate and installing the authentication application according to the authentication application installation file after the authentication platform certificate and the authentication application installation file pass verification.
Preferably, the authentication platform certificate comprises an authentication platform public key;
the ECASD is also used for extracting and storing the authentication platform public key from the authentication platform certificate, generating a random challenge RC according to a preset algorithm, signing the RC, and sending a verification success message to the ISD-R, wherein the RC and the signature are carried in the verification success message;
and the ISD-R is also used for sending an authentication application downloading and installing success message to the SM-SR after receiving the verification success message, wherein the authentication application downloading and installing success message carries the RC and the signature.
In a fourth aspect, an embodiment of the present invention provides an SM-SR, including:
the system comprises a receiving module, a downloading and installing module and an authentication platform, wherein the receiving module is used for receiving an authentication application downloading and installing request sent by an authentication platform, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
and the forwarding module is used for forwarding the authentication application downloading and installing request to the eUICC.
According to the method for remotely installing the authentication application, the eUICC and the SM-SR provided by the embodiment of the invention, the security architecture of an eUICC system is utilized, after an authentication application downloading and installing request sent by the SM-SR is received, the authentication platform certificate in the authentication application downloading and installing request is verified, and after the verification is passed, the authentication application is installed in the control security domain ECASD of the eUICC, so that a set of private security system is not required to be additionally configured for the mobile identity authentication service, the transmission security is ensured by utilizing the security system of the eUICC, sensitive data such as the authentication application and the like are prevented from being written in advance during factory card manufacturing, after card issuing, the service platform safely downloads and installs the authentication application and the platform certificate required by the authentication service to the eUICC to be authenticated in real time through the authentication platform according to service requirements, a flexible business mode can be supported, the construction of a secure and open mobile identity authentication ecological environment is facilitated, the problem that the existing private solution based on the smart card is usually required to cooperate with an appointed card manufacturer and an appointed card is needed to preset, the appointed authentication application and the sensitive data such as the certificate, the authentication application and the authentication in a specific range can only be installed in a remote authentication range, and the remote authentication application can not be installed.
Drawings
FIG. 1: a flow chart of a method for remotely installing an authentication application according to embodiment 1 of the present invention;
FIG. 2: the invention discloses an interactive schematic diagram of a remote installation authentication application;
FIG. 3: a flowchart of a method for remotely installing an authentication application according to embodiment 2 of the present invention;
FIG. 4 is a schematic view of: is a schematic structural diagram of an eUICC in embodiment 3 of the present invention;
FIG. 5: is a schematic structural diagram of an SM-SR in embodiment 4 of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order to make the technical solutions of the present application better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example 1:
this embodiment provides a method for remotely installing an authentication application, which is applied to an eUICC (Embedded Universal Integrated Circuit Card), and as shown in fig. 1, the method includes:
step S102: receiving an authentication application download installation request sent by a Subscription relationship management platform secure Routing network element SM-SR (Subscription Manager Security Routing), wherein the authentication application download installation request carries an authentication application identifier, an authentication application installation file and an authentication platform certificate, and the authentication application installation file is used for installing an authentication application in a control Security Domain ECASD (eUICC Controlling authorization Security Domain) of an eUICC;
step S104: and verifying the certificate of the authentication platform, and if the certificate passes the verification, installing the authentication application in the ECASD according to an authentication application installation file.
It should be noted that, the present invention mainly utilizes a secure channel of an eUICC architecture to remotely download, install, and authenticate applications, where the eUICC architecture mainly includes an SM-SR, a Root Security Domain ISD-R (Root Security Domain Root), and an ECASD, and the complete eUICC architecture may also include other network elements, which is not limited to this.
In this embodiment, if the terminal uses the authentication service for the first time, or the service provider needs to install the authentication application on the terminal purchased or managed by the terminal, the service platform sends an authentication application request to the authentication platform, and after receiving the authentication application request, the authentication platform can perform qualification verification on the service platform and send an authentication application download installation request to the SM-SR after the verification is passed; and the SM-SR forwards the authentication application downloading and installing request to the eUICC after receiving the authentication application downloading and installing request.
Optionally, the certificate of the certification platform includes a public key of the certification platform, and if the certification is verified, the method may further include:
extracting and storing the certification platform public key from the certification platform certificate;
generating a random challenge RC according to a preset algorithm, and signing the RC;
and sending an authentication application downloading and installing success message to the SM-SR, wherein the authentication application downloading and installing success message carries the RC and the signature.
In this embodiment, for subsequent secure interaction and connection between the eUICC and the authentication platform, the authentication platform public key pk.auserver.ecdsa is extracted from the authentication platform certificate and stored. Meanwhile, in order to further ensure the transmission safety, a random challenge RC is generated according to a preset algorithm, the specific generation algorithm is not specified at will, and the eUICC can sign the RC by using a private key SK.
Optionally, if the verification fails, the method may further include:
and sending an authentication application downloading and installing failure message to the SM-SR, wherein the authentication application downloading and installing failure message carries an error code.
In this embodiment, if the verification fails, the eUICC sends an authentication application download installation failure message to the SM-SR, the SM-SR returns an authentication application installation result notification carrying an error code to the authentication platform, and the authentication platform may try again according to the error code after receiving the notification.
The method for remotely installing the authentication application provided by this embodiment utilizes a security framework of the eUICC system, after receiving an authentication application download installation request sent by an SM-SR, verifies an authentication platform certificate in the authentication application download installation request, and after the verification passes, installs the authentication application in a control security domain ECASD of the eUICC, so that there is no need to additionally configure a set of private security system for the mobile identity authentication service, the security system of the eUICC is utilized to ensure transmission security, sensitive data such as the authentication application and the like are prevented from being written in advance during factory card manufacturing, after card issuing, a service platform can securely download and install the authentication application and the platform certificate required by the authentication service in real time to the eUICC of a terminal to be authenticated through the authentication platform according to service requirements, a flexible business mode can be supported, construction of a secure and open mobile identity authentication ecological environment is facilitated, an existing private solution based on a smart card is solved, generally, a designated card vendor and an operator need to cooperate, the authentication application and sensitive data such as the certificate and a secret key need to be preset during card manufacturing, and only can be applicable to a user in a specific range, and the problem that the remote authentication application cannot be installed in real-time.
Specifically, referring to fig. 2, an interaction diagram of remotely installing an authentication application according to an embodiment of the present invention is shown, where a service platform may provide a specific service, and an authentication platform may provide an authentication service. The two providers can be the same provider or belong to different providers. Under an ideal commercial mode, the authentication platform can be used as an independent third-party service platform to provide uniform authentication service for a plurality of business platforms. In this embodiment, the method includes the following steps:
step S01: the service platform sends an authentication application request to the authentication platform;
it should be noted that, the service platform of the authentication service is connected to the newly added interface of the authentication platform, and meanwhile, the authentication platform is connected to the newly added interface of the secure routing network element SM-SR of the subscription relationship management platform of the eUICC remote management platform, and the SM-SR is an important network element of the eUICC remote management platform. The public key of the authentication platform is PK.AuServer.ECDSA, the Certificate of the authentication platform is CERT.AuServer.ECDSA, and the Certificate is issued by a Certificate Issuer CI (Certificate Issuer) or SM-SR, and the authentication platform is stored with a CI root Certificate in advance.
Specifically, a service platform using the authentication service sends an authentication application request to the authentication platform for the eUICC to apply for an authentication application CAP packet, that is, an installation file of the authentication application. The authentication application request carries an eUICC identifier EID (eUICC-ID) and an application type, and according to a service requirement, the service platform applies for the application to install the application in an ECASD security domain of the eUICC through the application type.
Step S02: the authentication platform performs qualification verification on the service platform;
specifically, the authentication platform checks whether the service platform has qualification to acquire the authentication application, and the specific checking mode can be any mode without regulation. Generally, the service platform uses the authentication service provided by the authentication platform, and both parties need to agree from the commercial industry in advance, for example, the service platform can be implemented by means of offline or online subscription. At this moment, the authentication platform determines whether the service platform is qualified to obtain the authentication application through auditing so that the service platform can use the next authentication service. If the qualification audit is not passed, the authentication platform informs the service platform of the failure of audit, and the process is ended.
Step S03: and after the qualification audit is passed, the authentication platform sends an authentication application downloading and installing request to the SM-SR.
Specifically, the authentication application download installation request carries the EID, an authentication application installation file, an authentication application identifier and an authentication platform certificate, where the authentication platform stores the authentication application installation file, the authentication application identifier and the authentication platform certificate in advance.
Step S04: the SM-SR carries out validity verification on the authentication application download installation request and inquires EIS information;
specifically, after receiving an authentication application download installation request sent by an authentication platform, the SM-SR extracts the EID, and queries Information of an eUICC card Information Set EIS (eUICC Information Set) of the eUICC according to the EID. The SM-SR stores all EISs of the euiccs in advance, where the EIS includes a series of information of the euiccs, such as eUICC certificates. The SM-SR may perform validity verification on the authentication application download installation request according to the EIS, for example, may perform verification in a certificate manner, or may perform validity verification on the authentication application download installation request in other manners, for example, other business agreements, a certificate manner such as PKI (Public Key Infrastructure) certificate verification, and the like. If the verification fails, the SM-SR notifies the authentication platform of the verification failure, and the process is ended.
Step S05: and the SM-SR returns the certificate of the eUICC to the authentication platform.
Specifically, if the verification passes, the SM-SR returns the certificate of the eUICC to the authentication platform for the next authentication procedure: cert, ecasd, ecka.
Step S06: the SM-SR sends the authentication application downloading and installing request to the ISD-R;
specifically, the SM-SR sends an authentication application download installation request to the ISD-R through the ES5 interface.
Step S07: the ISD-R forwards the authentication platform certificate and the authentication application installation file to the ECASD;
specifically, after receiving the authentication application download installation request, the ISD-R extracts the authentication platform certificate and the authentication application installation file, and forwards them to the ECASD.
Step S08: and the ECASD verifies the certificate of the authentication platform, if the certificate passes the verification, the public key of the authentication platform in the certificate of the authentication platform is extracted, the authentication application is installed, the random challenge RC is generated, and the RC is signed. If the verification fails, an error code is generated.
Wherein, ECASD uses public key PK.CI.ECDSA of CI to verify CERT.AuServer.ECDSA, if the verification fails, then error code is generated. If the verification is successful, for subsequent secure interaction and connection between the eUICC and the authentication platform, extracting and storing an authentication platform public key PK.AuServer.ECDSA from the authentication platform certificate, installing authentication application, generating the RC, and signing the RC by using a private key SK.ECASD.ECKA of the eUICC.
Step S09: if the verification is passed, the ECASD sends a verification success message to the ISD-R;
specifically, if the verification passes, the ECASD sends a verification success message to the ISD-R, where the verification success message carries the RC and the signature, and if the verification fails, the ECASD sends a verification failure message to the ISD-R, where the verification failure message carries an error code.
Step S10: and the ISD-R returns an authentication application downloading and installing success message to the SM-SR.
Specifically, according to the received verification success message or verification failure message, the ISD-R returns an authentication application download installation success message or an authentication application download installation failure message to the SM-SR.
Step S11: and if the installation is successful, the SM-SR updates EIS information.
Specifically, the SM-SR may perform information update on the EIS information of the eUICC according to the received result, such as indicating that the authentication application is installed in the eUICC, the remaining available space of the eUICC, and the like.
Step S12: and the SM-SR returns the installation result notice of the authentication application to the authentication platform.
Specifically, the authentication application installation result notification may carry the EID, the authentication application identification, the RC, the signature, or the error code.
Step S13: and the authentication platform uses the public key PK, ECASD and ECKA of the eUICC to check and sign, if the public key PK, ECASD and ECKA passes, the installation is successful, and otherwise, the installation fails.
Specifically, if the authentication platform receives the RC and the signature, the pk.ecasd.ecka is used to check the signature, if the RC and the signature pass, the installation is successful, otherwise, the installation fails.
Step S12: and the authentication platform sends an authentication application result to the service platform.
Specifically, the authentication application result may carry the EID and the application type, and if the installation is successful, the authentication platform sends the authentication application result to the service platform. Otherwise, a retry may be made based on the error code.
The invention utilizes the security architecture of the eUICC system, does not need to additionally configure a set of private security system for the mobile identity authentication service, ensures the transmission security by utilizing the security system of the eUICC, further prevents man-in-the-middle attack on the authentication service by bidirectional verification, and is particularly suitable for the construction of the security system of the infrastructure of the industrial Internet of things under the condition of no manual verification.
In the invention, an authentication service provider is independent of an operator and an intelligent card manufacturer, and an authentication platform installs an authentication application in an eUICC in real time through an eUICC system architecture. According to the invention, sensitive data such as authentication application and the like do not need to be written in advance during card manufacturing in a factory, and after card issuing, the service platform can safely download and install the application and platform certificate required by the authentication service to the terminal to be authenticated in real time through the authentication platform according to service requirements. The method can support a flexible business mode, and is beneficial to building a safe and open mobile identity authentication ecological environment.
Example 2:
referring to fig. 3, the present embodiment provides a method for remotely installing an authentication application, which is applied to an SM-SR, and the method includes:
step S202: receiving an authentication application downloading and installing request sent by an authentication platform, wherein the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
step S204: and forwarding the authentication application downloading and installing request to the eUICC.
Optionally, before forwarding the authentication application download installation request to the eUICC, the method further includes:
verifying the validity of the download installation request of the authentication application;
forwarding an authentication application download installation request to the eUICC, specifically comprising:
and if the verification is passed, forwarding an authentication application downloading and installing request to the eUICC.
Optionally, the request for downloading and installing the authentication application further carries an eUICC identifier EID, and if the request passes the verification, the method further includes:
acquiring eUICC card information set EIS information of a corresponding eUICC according to the EID;
acquiring an eUICC certificate corresponding to the EID from the EIS information;
and returning the certificate of the eUICC to the authentication platform.
Optionally, after forwarding the authentication application download installation request to the eUICC, the method further includes:
receiving an authentication application downloading and installing success message sent by the eUICC, wherein the authentication application downloading and installing success message carries the RC and the signature;
downloading an installation success message based on the authentication application to update the EIS information;
and returning an authentication application installation result notification to the authentication platform, wherein the authentication application installation result notification carries the EID, the authentication application identifier, the RC and the signature.
Example 3:
referring to fig. 4, the present embodiment provides an eUICC, including: a root security domain ISD-R31 and a control security domain ECASD 32 of the eUICC;
the ISD-R31 is used for receiving an authentication application downloading and installing request sent by the SM-SR, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD 32 of the eUICC;
the ISD-R31 is also used to send the authentication platform certificate and the authentication application installation file to the ECASD 32;
the ECASD 32 is configured to receive the authentication platform certificate and the authentication application installation file sent by the ISD-R31, verify the authentication platform certificate, and install the authentication application according to the authentication application installation file after the verification is passed.
Optionally, the authentication platform certificate comprises an authentication platform public key;
the ECASD 32 is also used for extracting and storing the authentication platform public key from the authentication platform certificate, generating a random challenge RC according to a preset algorithm, signing the RC, and sending a verification success message to the ISD-R31, wherein the verification success message carries the RC and the signature;
and the ISD-R31 is also used for sending an authentication application downloading and installing success message to the SM-SR after receiving the verification success message, wherein the authentication application downloading and installing success message carries the RC and the signature.
Example 4:
referring to fig. 5, the present embodiment provides an SM-SR including:
a receiving module 41, configured to receive an authentication application download installation request sent by an authentication platform, where the authentication application download installation request carries an authentication application identifier, an authentication application installation file, and an authentication platform certificate, and the authentication application installation file is used to install an authentication application in a control security domain ECASD 32 of an eUICC;
and a forwarding module 42 connected to the receiving module 41, configured to forward the authentication application download installation request to the eUICC.
Embodiments 2 to 4 provide a method for remotely installing an authentication application, an eUICC and an SM-SR, where a security architecture of an eUICC system is used, after receiving an authentication application download installation request sent by the SM-SR, an authentication platform certificate in the authentication application download installation request is verified, and after the verification is passed, the authentication application is installed in a control security domain ECASD of the eUICC, so that a set of private security system does not need to be additionally configured for a mobile identity authentication service, transmission security is ensured by using the security system of the eUICC, it is avoided that sensitive data such as the authentication application and the like are written in advance when a factory card is manufactured, after card issuing, a service platform securely downloads and installs the authentication application and platform certificate required by the authentication service to the eUICC of a terminal to be authenticated in real time through the authentication platform according to service requirements, a flexible business model can be supported, which is beneficial to establish a secure and open mobile identity authentication ecological environment, and solves the problem that an existing private solution based on a smart card generally needs to cooperate with an assigned card manufacturer and an operator, and requires to preset the assigned authentication application, and the method is only applicable to remote authentication application installation in a specific range.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A method for remotely installing an authentication application is applied to an embedded universal integrated circuit card (eUICC), wherein the eUICC comprises a root security domain ISD-R and a control security domain ECASD of the eUICC, and the method comprises the following steps:
the ISD-R receives an authentication application downloading and installing request sent by a secure routing network element SM-SR of a signing relationship management platform, wherein the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
and the ECASD verifies the certificate of the authentication platform, and if the certificate passes the verification, the authentication application is installed in the ECASD according to an authentication application installation file.
2. The method of claim 1, wherein the certification platform certificate comprises a certification platform public key, and if the certification platform public key passes the verification, the method further comprises:
extracting and storing the authentication platform public key from the authentication platform certificate;
generating a random challenge RC according to a preset algorithm, and signing the RC;
and sending an authentication application downloading and installing success message to the SM-SR, wherein the authentication application downloading and installing success message carries the RC and the signature.
3. The method of claim 1, wherein if the verification fails, the method further comprises:
and sending an authentication application downloading and installing failure message to the SM-SR, wherein the authentication application downloading and installing failure message carries an error code.
4. A method for remotely installing an authentication application, which is applied to the secure routing network element SM-SR of the subscription relationship management platform as claimed in any one of claims 1 to 3, the method comprising:
receiving an authentication application downloading and installing request sent by an authentication platform, wherein the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of an eUICC;
and forwarding the authentication application downloading and installing request to the eUICC.
5. The method of remotely installing an authentication application according to claim 4, wherein prior to forwarding the authentication application download installation request to the eUICC, the method further comprises:
carrying out validity verification on the authentication application downloading and installing request;
the forwarding the authentication application download installation request to the eUICC specifically includes:
and if the verification is passed, forwarding the authentication application downloading and installing request to the eUICC.
6. The method of claim 4, wherein the authentication application download installation request further carries an EUICC Identification (EID), and if the authentication is passed, the method further comprises:
acquiring eUICC card information set EIS information of the corresponding eUICC according to the EID;
acquiring an eUICC certificate corresponding to the EID from the EIS information;
and returning the certificate of the eUICC to an authentication platform.
7. The method of claim 6, wherein after forwarding the authentication application download installation request to the eUICC, the method further comprises:
receiving an authentication application downloading and installing success message sent by the eUICC, wherein the authentication application downloading and installing success message carries the RC and the signature;
updating the EIS information based on the authentication application download installation success message;
and returning an authentication application installation result notification to the authentication platform, wherein the authentication application installation result notification carries the EID, the authentication application identifier, the RC and the signature.
8. An eUICC, comprising: a root security domain ISD-R and a control security domain ECASD of the eUICC;
the ISD-R is used for receiving an authentication application downloading and installing request sent by the SM-SR, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
the ISD-R is further configured to send the authentication platform credential and an authentication application installation file to the ECASD;
and the ECASD is used for receiving the authentication platform certificate and the authentication application installation file sent by the ISD-R, verifying the authentication platform certificate and installing the authentication application according to the authentication application installation file after the verification is passed.
9. The eUICC of claim 8, wherein the authentication platform certificate comprises an authentication platform public key;
the ECASD is also used for extracting and storing the authentication platform public key from the authentication platform certificate, generating a random challenge RC according to a preset algorithm, signing the RC, and sending a verification success message to the ISD-R, wherein the RC and the signature are carried in the verification success message;
and the ISD-R is further used for sending an authentication application downloading and installing success message to the SM-SR after receiving the verification success message, wherein the authentication application downloading and installing success message carries the RC and the signature.
10. A secure routing network element SM-SR according to any of claims 1-3, comprising:
the system comprises a receiving module, a downloading and installing module and an authentication platform, wherein the receiving module is used for receiving an authentication application downloading and installing request sent by an authentication platform, the authentication application downloading and installing request carries an authentication application identifier, an authentication application installing file and an authentication platform certificate, and the authentication application installing file is used for installing an authentication application in a control security domain ECASD of the eUICC;
and the forwarding module is used for forwarding the authentication application downloading and installing request to the eUICC.
CN202110308684.1A 2021-03-23 2021-03-23 Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request) Active CN113098933B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110308684.1A CN113098933B (en) 2021-03-23 2021-03-23 Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110308684.1A CN113098933B (en) 2021-03-23 2021-03-23 Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request)

Publications (2)

Publication Number Publication Date
CN113098933A CN113098933A (en) 2021-07-09
CN113098933B true CN113098933B (en) 2022-12-20

Family

ID=76669066

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110308684.1A Active CN113098933B (en) 2021-03-23 2021-03-23 Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request)

Country Status (1)

Country Link
CN (1) CN113098933B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114879985B (en) * 2022-07-12 2022-11-11 广州朗国电子科技股份有限公司 Method, device, equipment and storage medium for installing certificate file

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105282732A (en) * 2014-07-17 2016-01-27 三星电子株式会社 Method and device for updating profile management server
CN108476399A (en) * 2015-12-28 2018-08-31 三星电子株式会社 Method and apparatus for sending and receiving profile in a communications system
CN109495429A (en) * 2017-09-12 2019-03-19 华为技术有限公司 A kind of method for authenticating, terminal and server
CN109492371A (en) * 2018-10-26 2019-03-19 中国联合网络通信集团有限公司 A kind of digital certificate sky forwarding method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729493B (en) * 2008-10-28 2012-09-05 中兴通讯股份有限公司 Method and system for distributing key
CN101808092B (en) * 2010-03-12 2013-03-20 中国电信股份有限公司 Multi-certificate sharing method and system as well as intelligent card
US9122865B2 (en) * 2012-09-11 2015-09-01 Authenticade Llc System and method to establish and use credentials for a common lightweight identity through digital certificates

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105282732A (en) * 2014-07-17 2016-01-27 三星电子株式会社 Method and device for updating profile management server
CN108476399A (en) * 2015-12-28 2018-08-31 三星电子株式会社 Method and apparatus for sending and receiving profile in a communications system
CN109495429A (en) * 2017-09-12 2019-03-19 华为技术有限公司 A kind of method for authenticating, terminal and server
CN109492371A (en) * 2018-10-26 2019-03-19 中国联合网络通信集团有限公司 A kind of digital certificate sky forwarding method and device

Also Published As

Publication number Publication date
CN113098933A (en) 2021-07-09

Similar Documents

Publication Publication Date Title
US9450951B2 (en) Secure over-the-air provisioning solution for handheld and desktop devices and services
EP2243311B1 (en) Method and system for mobile device credentialing
KR101243073B1 (en) Method for terminal configuration and management and terminal apparatus
US8438391B2 (en) Credential generation management servers and method for communications devices and device management servers
KR100937166B1 (en) Limited supply access to mobile terminal features
CN108848496B (en) TEE-based virtual eSIM card authentication method, TEE terminal and management platform
US20060039564A1 (en) Security for device management and firmware updates in an operator network
CN110535665B (en) Method, device and system for signing and issuing same-root certificate on line
CN112533211B (en) Certificate updating method and system of eSIM card and storage medium
CN109120419B (en) Upgrading method and device for ONU version of optical network unit and storage medium
CN113098933B (en) Method for remotely installing authentication application, eUICC (universal integrated circuit card) and SM-SR (secure message request)
CN113079037B (en) Method and system for remotely updating authentication application certificate
US20220385483A1 (en) Credential bootstrapping
CN113079503B (en) Method and system for remotely downloading authentication application certificate
CN113490211B (en) Auxiliary security domain establishing method, SM-SR and system
CN112637848B (en) Method, device and system for managing authentication application certificate
CN112672346B (en) Method, device and system for downloading authentication application
CN114830702A (en) Method for managing profiles for accessing a communication network
CN110048857B (en) Public key infrastructure management system, smart card and equipment system
EP4380102A1 (en) A method to allow traceability of usim profile tranfer from a source device to a target device, corresponding system an remote server
EP1494395A1 (en) Method and authentication module for providing access to a target network via a wireless local area network WLAN
CN114189334A (en) Controllable eSIM terminal certificate online signing and issuing method and system
CN114930325A (en) Method for securely diversifying general-purpose applications stored in a secure processor of a terminal
WO2023237187A1 (en) Provisioning of a subscription profile to a subscriber module
CN113890742A (en) Client public key certificate updating method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant