CN115278644B - eUICC downloading method suitable for off-line production - Google Patents


Info

Publication number: CN115278644B
Authority: CN (China)
Prior art keywords: euicc, data, profile, production line, equipment
Legal status: Active
Application number: CN202210706369.9A
Other languages: Chinese (zh)
Other versions: CN115278644A (en)
Inventors: 赵刚, 耿炎, 闫楠
Current Assignee: Xinan Weizhong Shanghai Microelectronics Technology Co ltd
Original Assignee: Xinan Weizhong Shanghai Microelectronics Technology Co ltd

Classifications

    • H04W8/18: Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3273: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • Y02P90/30: Computing systems specially adapted for manufacturing

Abstract

The application relates to an eUICC downloading method suitable for off-line production, comprising: deploying a production line DP+ and obtaining and sending Profile preparation data; acquiring, through a production line tool, the eUICC equipment information of the equipment to be produced, and acquiring from the Profile preparation data the ciphertext Profile data matching that eUICC equipment information; performing mutual authentication between the production line tool and the equipment to be produced, calculating an authentication key, preprocessing the key and the ciphertext Profile data to obtain the processed Profile data, and sending the processed Profile data to the equipment to be produced; and the equipment to be produced completing the eUICC number writing according to the eUICC write-number data. Special software is deployed on the production line and, together with a USBKey that provides the necessary certificates and keys, the ciphertext Profile exported from the DP+ is produced in an offline environment, so that off-line reading and writing of the eUICC is realized.

Description

eUICC downloading method suitable for off-line production
Technical Field
The disclosure relates to the technical field of eUICC (integrated circuit card) and particularly relates to an eUICC downloading method and system suitable for off-line production, and a use method and a control system of the eUICC off-line downloading system.
Background
eUICC (Embedded Universal Integrated Circuit Card) equipment that supports over-the-air number provisioning is increasingly used in the Internet of Things, and the major ODM manufacturers actively support the eUICC standard. The GSMA (GSM Association) has issued two sets of standards, M2M (Machine to Machine) and Consumer. The M2M scheme is implemented over short messages, while the Consumer scheme downloads over HTTPS. The short-message approach is very cumbersome for non-operator enterprises, and the Consumer scheme is the one discussed here.
In Internet of Things applications, an ODM manufacturer mounts operator-issued number cards when producing equipment, and must stock SIM cards issued by several operators for equipment shipped to different countries and regions. As a result, the equipment hardware cannot be finished in advance, and the ODM manufacturer also has to manage many SIM card material numbers. To address these issues, there is a pressing need to use eUICC technology in production-line manufacturing. However, over-the-air number writing is poorly suited to ODM production lines: it reduces production efficiency and greatly increases the risk of download failure.
The current eUICC technical system has no offline downloading method. How to realize offline downloading while maintaining good security features and without changing the original eUICC system architecture is a problem that ODM manufacturers urgently need to solve.
Disclosure of Invention
To solve these problems, the application provides an eUICC downloading method and system suitable for off-line production, together with a use method and a control system thereof. By deploying special software on the production line and providing the necessary certificates and keys through a USBKey, the ciphertext Profile exported from the DP+ can be produced in the offline environment of the production line.
In one aspect of the present application, an eUICC downloading method suitable for offline production is provided, including the following steps:
S100, deploying a production line DP+, and acquiring and transmitting Profile preparation data;
S200, acquiring eUICC equipment information of the equipment to be produced through a production line tool, and acquiring from the Profile preparation data the ciphertext Profile data matching the eUICC equipment information;
S300, performing mutual authentication between the production line tool and the equipment to be produced, calculating an authentication key, preprocessing the key and the ciphertext Profile data to obtain eUICC write-number data, and sending the eUICC write-number data to the equipment to be produced;
S400, the equipment to be produced receives the eUICC write-number data and completes the eUICC number writing according to the eUICC write-number data.
As an optional embodiment of the present application, in step S100, deploying the production line DP+ and acquiring and sending Profile preparation data includes:
S101, deploying a production line DP+, and encrypting the Profile data stored on the DP+ with the encKey dispersion method and the dispersion key on the DP+ to obtain Profile preparation data;
S102, preparing and generating a USBKey based on the EPDK+ encKey dispersion method and the dispersion key;
S103, connecting the USBKey to the production line tool, exporting the Profile preparation data through the USBKey, and sending the Profile preparation data to the production line tool.
As an optional embodiment of the present application, in step S200, acquiring eUICC equipment information of the equipment to be produced through a production line tool, and acquiring from the Profile preparation data the ciphertext Profile data matching the eUICC equipment information, includes:
S201, presetting a serial port connection mode, and connecting the equipment to be produced, which carries the eUICC, to the production line tool according to the serial port connection mode;
S202, the production line tool accesses the equipment to be produced through the serial port and acquires the eUICC equipment information EID of the equipment to be produced;
S203, acquiring from the Profile preparation data the ciphertext Profile data matching the eUICC equipment information EID.
As an optional embodiment of the present application, in step S300, performing mutual authentication between the production line tool and the equipment to be produced, calculating an authentication key, preprocessing the key and the ciphertext Profile data to obtain eUICC write-number data, and sending the eUICC write-number data to the equipment to be produced, includes:
S301, presetting authentication conditions, and having the production line tool and the equipment to be produced authenticate each other according to the authentication conditions;
S302, calculating a one-time negotiation key encKey through the USBKey to obtain an authentication key, and sending the authentication key to the production line tool;
S303, the production line tool splices the key and the ciphertext Profile data according to the GSMA standard to obtain eUICC write-number data, and sends the eUICC write-number data to the equipment to be produced.
In another aspect of the present application, an off-line eUICC downloading system implementing the eUICC downloading method described above is provided, including:
the deployment module, used for deploying the production line DP+ and acquiring and transmitting Profile preparation data;
the eUICC equipment information acquisition module, used for acquiring eUICC equipment information of the equipment to be produced through a production line tool, and acquiring from the Profile preparation data the ciphertext Profile data matching the eUICC equipment information;
the authentication module, used for performing mutual authentication between the production line tool and the equipment to be produced, calculating an authentication key, preprocessing the key and the ciphertext Profile data to obtain eUICC write-number data, and sending the eUICC write-number data to the equipment to be produced;
the eUICC read-write module, used for receiving the eUICC write-number data on the equipment to be produced and completing the eUICC number writing according to the eUICC write-number data.
In another aspect of the present application, a method for using the off-line download system of the eUICC is further provided, including the following steps:
S100, ordering a Profile, encrypting the Profile with the encKey generation algorithm on the DP+ to obtain ciphertext Profile data, and importing the ciphertext Profile data into the production line tool;
S200, connecting the production line tool to the equipment to be produced, carrying out the standard GSMA downloading flow, performing certificate mutual authentication, and exchanging public keys;
S300, the production line tool obtains a key through the public key exchange, splices the key and the ciphertext Profile data to obtain eUICC write-number data, and sends the eUICC write-number data to the equipment to be produced;
S400, the equipment to be produced receives the eUICC write-number data, reads and writes the eUICC code number according to the eUICC write-number data, and returns the read-write result to the production line tool.
As an optional implementation of the present application, in step S100, ordering a Profile and encrypting the Profile with the encKey generation algorithm on the DP+ to obtain and export ciphertext Profile data includes:
S101, ordering a Profile from the DP+ through the ES2+ interface;
S102, generating the encKey of the Profile with the encKey generation algorithm on the DP+, and encrypting the Profile with the encKey to obtain ciphertext Profile data;
S103, importing the ciphertext Profile data into the production line tool.
As an optional implementation of the present application, in step S300, the production line tool obtaining a key through the public key exchange, splicing the key and the ciphertext Profile data to obtain eUICC write-number data, and sending the eUICC write-number data to the equipment to be produced includes:
S301, the production line tool obtains, through the ECDH key negotiation algorithm, the same negotiation key OTPK as the eUICC;
S302, requesting an encKey from the USBKey using the EID, and encrypting the encKey with the negotiation key OTPK to obtain the key;
S303, splicing the key and the ciphertext Profile data in the format given by the GSMA specification to obtain eUICC write-number data, segmenting the eUICC write-number data to obtain eUICC identification data, and downloading the eUICC identification data to the equipment to be produced.
As an optional embodiment of the present application, in step S400, the equipment to be produced receiving the eUICC write-number data, reading and writing the eUICC code number according to the eUICC write-number data, and returning the read-write result to the production line tool includes:
S401, the equipment to be produced receives the eUICC identification data and decrypts the encKey in the eUICC identification data with the negotiation key OTPK to obtain the plaintext encKey;
S402, decrypting the plaintext Profile from the eUICC identification data with the obtained plaintext encKey and writing the plaintext Profile into the eUICC card, realizing off-line downloading of the eUICC;
S403, feeding the downloading result back to the production line tool through the equipment to be produced, marking the Profile through the production line tool, and ending the flow.
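The key handling in steps S100 to S400 of the use method above, as an added Python sketch that is not part of the patent: the DP+ and the USBKey derive the same per-EID encKey, the production line tool wraps that encKey under the ECDH-negotiated key, and the eUICC unwraps it and decrypts the Profile. Assumptions, none of which the patent specifies: HMAC-SHA256 as the encKey dispersion function, X25519 as the elliptic curve, an HMAC-based encrypt-then-MAC in place of the cipher a GSMA implementation would use, a constructed BPP layout and segment size, and certificate mutual authentication left out.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 (not constant-time). Stand-in curve: the page names none."""
    s = bytearray(k)
    s[0] &= 248
    s[31] = (s[31] & 127) | 64
    n = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def diversify(master: bytes, eid: str) -> bytes:
    """Per-EID encKey from the dispersion key (HMAC-SHA256 is an assumption)."""
    return hmac.new(master, b"encKey|" + eid.encode(), hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC from HMAC-SHA256; stands in for a real AEAD."""
    nonce = secrets.token_bytes(12)
    ct = bytes(x ^ y for x, y in zip(pt, _stream(key, b"enc" + nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return bytes(x ^ y for x, y in zip(ct, _stream(key, b"enc" + nonce, len(ct))))

def dp_prepare(master: bytes, eid: str, upp: bytes) -> bytes:
    """DP+ side, S102: plaintext Profile (UPP) -> ciphertext Profile (PPP)."""
    return seal(diversify(master, eid), upp)

def line_tool_bind(usbkey_master, eid, ppp, euicc_pub, seg=120):
    """Tool side. usbkey_master models the secret that stays inside the USBKey."""
    priv = secrets.token_bytes(32)
    session = hashlib.sha256(x25519(priv, euicc_pub)).digest()    # S301: ECDH
    wrapped = seal(session, diversify(usbkey_master, eid))         # S302: wrap encKey
    bpp = len(wrapped).to_bytes(2, "big") + wrapped + ppp           # S303: splice
    sbpp = [bpp[i:i + seg] for i in range(0, len(bpp), seg)]        # S303: segment
    return x25519(priv, BASE), sbpp

def euicc_install(euicc_priv, tool_pub, sbpp):
    """eUICC side: S401 unwraps the encKey, S402 decrypts the Profile."""
    session = hashlib.sha256(x25519(euicc_priv, tool_pub)).digest()
    bpp = b"".join(sbpp)
    n = int.from_bytes(bpp[:2], "big")
    enc_key = unseal(session, bpp[2:2 + n])
    return unseal(enc_key, bpp[2 + n:])

def demo():
    """Constructed run: matching EID installs, mismatched EID is rejected."""
    master = secrets.token_bytes(32)  # dispersion key shared by DP+ and USBKey
    eid_a, eid_b = "89" + "0" * 29 + "1", "89" + "0" * 29 + "2"  # constructed EIDs
    upp = b"constructed profile bytes" * 8
    ppp = dp_prepare(master, eid_a, upp)
    euicc_priv = secrets.token_bytes(32)
    euicc_pub = x25519(euicc_priv, BASE)
    tool_pub, sbpp = line_tool_bind(master, eid_a, ppp, euicc_pub)
    installed = euicc_install(euicc_priv, tool_pub, sbpp) == upp
    # Failure mode: ciphertext Profile prepared for eid_a, encKey requested for eid_b.
    tool_pub2, bad = line_tool_bind(master, eid_b, ppp, euicc_pub)
    try:
        euicc_install(euicc_priv, tool_pub2, bad)
        rejected = False
    except ValueError:
        rejected = True
    return installed, rejected, sbpp

if __name__ == "__main__":
    print(demo()[:2])
```

The mismatch case shows why step S203 has to select the ciphertext Profile by EID: a Profile paired with another device's encKey fails authentication on the eUICC instead of being written.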
In another aspect of the present application, a control system is also provided, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the use method described above when executing the executable instructions.
The application has the technical effects that:
The method comprises: deploying a production line DP+ and obtaining and sending Profile preparation data; acquiring eUICC equipment information of the equipment to be produced through a production line tool, and acquiring from the Profile preparation data the ciphertext Profile data matching the eUICC equipment information; performing mutual authentication between the production line tool and the equipment to be produced, calculating an authentication key, preprocessing the key and the ciphertext Profile data to obtain eUICC write-number data, and sending the eUICC write-number data to the equipment to be produced; and the equipment to be produced receiving the eUICC write-number data and completing the eUICC number writing according to it. Special software can be deployed on the production line and, together with a USBKey that provides the necessary certificates and keys, the ciphertext Profile exported from the DP+ is produced in the offline environment of the production line, so that off-line reading and writing of the eUICC is realized.
Production-line manufacturing is done offline, so data requests over a network are eliminated; this is faster than downloading the number over OTA and improves production efficiency. The method also largely avoids the effect of an unstable network on the production line. Because the data is prepared in advance, production delays caused by service outages when accessing the server are avoided.
Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features and aspects of the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic flow chart of an eUICC download method applicable to off-line production according to embodiment 1 of the present application;
Fig. 2 is a schematic diagram of a software architecture in embodiment 1 of the present application;
Fig. 3 is a schematic flow chart illustrating a method for using the off-line eUICC download system in embodiment 3 of the present application;
Fig. 4 is a schematic flow chart of off-line downloading of a Profile to the eUICC when downloading a code number in embodiment 3 of the present application;
Fig. 5 shows a schematic diagram of the dispersion mechanism of the encKey in embodiment 3 of the present application.
Detailed Description
Various exemplary embodiments, features and aspects of the disclosure will be described in detail below with reference to the drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Although various aspects of the embodiments are illustrated in the accompanying drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used herein to mean "serving as an example, embodiment, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are set forth in the following detailed description in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements, and circuits well known to those skilled in the art have not been described in detail in order not to obscure the present disclosure.
In this embodiment, DP+ is the SM-DP+ service platform. Other abbreviations and identifying terms are technical terms well known to those skilled in the art and are not explained further in this embodiment.
Example 1
According to the method, special software is deployed on the production line and, together with a USBKey that provides the necessary certificates and keys, the ciphertext Profile exported from the DP+ is produced in the offline environment of the production line, so that off-line reading and writing of the eUICC is achieved. Production-line manufacturing is done offline, so data requests over a network are eliminated; this is faster than downloading the number over OTA and improves production efficiency. The method also largely avoids the effect of an unstable network on the production line. Because the data is prepared in advance, production delays caused by service outages when accessing the server are avoided.
As shown in fig. 1, in one aspect, the present application provides an eUICC downloading method suitable for offline production, which includes the following steps:
S100, deploying a production line DP+, and acquiring and transmitting Profile preparation data;
S200, acquiring eUICC equipment information of the equipment to be produced through a production line tool, and acquiring from the Profile preparation data the ciphertext Profile data matching the eUICC equipment information;
S300, performing mutual authentication between the production line tool and the equipment to be produced, calculating an authentication key, preprocessing the key and the ciphertext Profile data to obtain eUICC write-number data, and sending the eUICC write-number data to the equipment to be produced;
S400, the equipment to be produced receives the eUICC write-number data and completes the eUICC number writing according to the eUICC write-number data.
The offline Profile downloading method involves three processes, namely: data preparation, data processing and data forwarding.
As shown in fig. 2:
a. Data preparation: in the data preparation flow, the DP+ is the main implementation carrier. Before the flow starts, the Profile is in an unencrypted state, i.e. a UPP (Unprotected Profile Package). When data preparation starts, the Profile is encrypted with the encKey dispersion method and the dispersion key on the DP+ to become ciphertext data, i.e. a PPP (Protected Profile Package), after which the Profile data can be exported;
b. Data processing: after the ciphertext Profile data is imported into the production line tool, the download process can begin. After the OTPK (One Time Private Key) interaction with the eUICC, the production line tool can obtain the required eUICC equipment information; the production line tool then adds the relevant encKey and other information to it to generate a BPP (Bound Profile Package), and finally the BPP is divided segment by segment into data identifiable by the eUICC, i.e. an SBPP (Segmented Bound Profile Package);
c. Data forwarding: in the downloading process described above, the production line tool needs to interact with the eUICC equipment multiple times, and during the interaction the equipment to be produced and the computer running the production line tool need to be connected and communicate over a wired link such as a serial port.
The technical steps of steps S100 to S400 will be described in detail below.
S100, deploying a production line DP+, and acquiring and transmitting Profile preparation data;
Specifically, the user orders Profiles as intended from the deployed production line SM-DP+ service platform, and then exports the ciphertext Profile data after encryption. As an optional embodiment of the present application, in step S100, deploying the production line DP+ and acquiring and sending Profile preparation data includes:
S101, deploying a production line DP+, and encrypting the Profile data stored on the DP+ with the encKey dispersion method and the dispersion key on the DP+ to obtain Profile preparation data;
S102, preparing and generating a USBKey based on the EPDK+ encKey dispersion method and the dispersion key;
S103, connecting the USBKey to the production line tool, exporting the Profile preparation data through the USBKey, and sending the Profile preparation data to the production line tool.
Firstly, before offline downloading on the production line, this embodiment needs to export the Profile data stored on the DP+ in batches;
secondly, a USBKey for decrypting the Profile is made from the encKey dispersion method and the dispersion key on the DP+; specifically, in this embodiment the encKey dispersion method and the dispersion key on the DP+ are encrypted and prepared separately to produce the USBKey, and to ensure security the algorithm and the dispersion key are built into the USBKey;
further, the USBKey is inserted into the computer on which the production tool is installed, and the ciphertext Profile data is exported.
Specifically, as shown in fig. 2, the USBKey used for number production is inserted into the production line computer, so that the production line tool obtains the same encKey generation method as on the DP+, and the batch Profile data exported from the DP+ is imported into the production line tool. When data preparation starts, the Profile is encrypted with the encKey dispersion method and the dispersion key on the DP+ to become ciphertext data, i.e. a PPP (Protected Profile Package), and the Profile data can then be exported.
S200, acquiring eUICC equipment information of equipment to be produced through a production line tool, and acquiring ciphertext Profile data matched with the eUICC equipment information from the Profile preparation data;
The equipment to be produced, carrying the eUICC that is to receive the Profile, is connected to the computer running the production line tool, and the eUICC equipment information is acquired with the production line tool. As an optional embodiment of the present application, in step S200, acquiring eUICC equipment information of the equipment to be produced through a production line tool, and acquiring from the Profile preparation data the ciphertext Profile data matching the eUICC equipment information, includes:
S201, presetting a serial port connection mode, and connecting the equipment to be produced, which carries the eUICC, to the production line tool according to the serial port connection mode;
S202, the production line tool accesses the equipment to be produced through the serial port and acquires the eUICC equipment information (eUICC ID) of the equipment to be produced;
S203, acquiring from the Profile preparation data the ciphertext Profile data matching the eUICC equipment information EID.
Referring to fig. 2, the equipment to be produced, carrying the eUICC that is to receive the Profile, is connected to the computer running the production line tool; the equipment to be produced is accessed through the serial port, and the eUICC equipment information, namely the EID (eSIM ID), is acquired. The corresponding ciphertext Profile data is matched according to the eUICC equipment information. The serial port connection mode is chosen according to the production line tool used and the model of the equipment to be produced, and is not limited here.
S300, mutual identification is carried out on the production line tool and the equipment to be produced, an authentication key is calculated, the key and the ciphertext Profile data are preprocessed, and eUICC write data are obtained and sent to the equipment to be produced;
after the information of the eUICCC equipment is obtained, after the equipment to be produced and the production line tool are mutually authenticated, the USBKey calculates a one-time negotiation key encKey to the production line tool. Specifically, as an optional embodiment of the present application, optionally, in step S300, the line tool and the device to be produced are mutually acknowledged, an authentication key is calculated, the key and the ciphertext Profile data are preprocessed, eUICC write data is obtained and sent to the device to be produced, and the method includes:
s301, presetting authentication conditions, and enabling the production line tool and the equipment to be produced to be mutually identified according to the authentication conditions;
s302, calculating a one-time negotiation key encKey through the USBKey to obtain an authentication key and sending the authentication key to the production line tool;
and S303, the production line tool performs splicing processing on the secret key and the ciphertext Profile data according to a GSMA standard, obtains eUICC write number data and sends the eUICC write number data to the equipment to be produced.
During authentication, the production line tool is connected to the equipment to be produced that is to download the eUICC code number. The tool and the equipment run the standard GSMA download flow and perform certificate-based mutual authentication. After mutual authentication completes, the production line tool generates a public/private key pair (elliptic curve algorithm), the eUICC also generates a public/private key pair, and the two parties exchange public keys.
As shown in fig. 2, after the production line tool and the equipment to be produced with the eUICC have exchanged the OTPK (One Time Private Key), the tool has the eUICC equipment information it needs. The tool then adds the encKey and related information to generate the BPP (Bound Profile Package), and finally divides the BPP segment by segment into data the eUICC can recognize, giving the SBPP (Segmented Bound Profile Package), namely the eUICC write-number data. That is, the production line tool splices the ciphertext Profile data and the key together and then sends the result to the equipment to be produced.
S400, the equipment to be produced receives the eUICC write-number data and completes the eUICC number writing according to the eUICC write-number data.
The equipment to be produced receives the eUICC write-number data, completes the eUICC number writing, and the process ends; the off-line download of the eUICC is thus achieved. During the download, the production line tool must interact with the equipment to be produced with the eUICC several times, and for this the equipment and the computer hosting the production line tool must be connected by wire and communicate through a serial port or similar. The method covers acquisition of the eUICC equipment information, the key exchange, the writing of the eUICC number, and so on.
The application therefore runs production-line provisioning in an off-line mode. Because no network transfer of the data is needed, number writing is faster than downloading the number by OTA and production efficiency increases; the influence of an unstable network on the production line is also largely avoided. The present embodiment also prepares the data in advance, avoiding production delays caused by a service outage when accessing the server.
It should be noted that although the manner of encryption and decryption as described above is described as an example, those skilled in the art will appreciate that the present disclosure should not be limited thereto. In fact, the user can flexibly set the encryption and decryption modes according to the actual application scene, so long as the technical function of the present application can be realized according to the technical method.
Example 2
Based on the implementation principle of embodiment 1, in another aspect, the present application provides an eUICC offline downloading system generated by the above-mentioned eUICC downloading method applicable to offline production, which includes:
the deployment module is used for deploying the production line DP+ and acquiring and transmitting Profile preparation data;
the eUICC equipment information acquisition module is used for acquiring eUICC equipment information of equipment to be produced through a production line tool, and acquiring ciphertext Profile data matched with the eUICC equipment information from the Profile preparation data;
the authentication module is used for mutually authenticating the production line tool and the equipment to be produced, calculating an authentication key, preprocessing the key and the ciphertext Profile data, obtaining eUICC write-number data and sending the eUICC write-number data to the equipment to be produced;
and the eUICC read-write module is used for receiving the eUICC write number data through the equipment to be produced and finishing the eUICC write number according to the eUICC write number data.
By adopting the method for downloading the eUICC, which is suitable for off-line production and is provided in embodiment 1, an off-line eUICC downloading system can be built and generated.
For the specific architecture and functional principles of the eUICC offline download system in this embodiment, refer to the description of embodiment 1; they are not repeated here.
For the architecture and module design of the deployment module, the eUICC device information acquisition module, the authentication module and the eUICC read-write module, see the software framework shown in fig. 2.
The modules or steps of the application described above may be implemented in a general-purpose computing device, they may be centralized in a single computing device, or distributed across a network of computing devices, or they may alternatively be implemented in program code executable by a computing device, such that they may be stored in a memory device and executed by a computing device, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps within them may be fabricated into a single integrated circuit module. Thus, the present application is not limited to any specific combination of hardware and software.
It will be appreciated by those skilled in the art that all or part of the flow of the modules implementing the methods of the above embodiments may be carried out by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of the control methods described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
Example 3
In this embodiment, a specific off-line download procedure of the eUICC is provided.
As shown in fig. 3, in another aspect of the present application, a method for using the off-line eUICC downloading system in embodiment 2 is further provided, including the following steps:
S100, ordering a Profile, encrypting the Profile through an encKey generation algorithm on the DP+ to obtain ciphertext Profile data, and importing the ciphertext Profile data into a production line tool;
S200, connecting the production line tool with the equipment to be produced, carrying out the standard GSMA download flow, carrying out certificate mutual authentication, and exchanging public keys;
S300, the production line tool obtains a key through the public key exchange, splices the key and the ciphertext Profile data, obtains eUICC write-number data and sends the eUICC write-number data to the equipment to be produced;
S400, the equipment to be produced receives the eUICC write-number data, reads and writes the eUICC code number according to the eUICC write-number data, and returns a read-write result to the production line tool.
As shown in fig. 4, this embodiment takes exporting a code number from the DP+ and downloading it as an example, and implements a specific eUICC code number download procedure through the eUICC offline download system.
First, preparation:
(1) USBKey: the dispersion (key diversification) algorithm and the root key of the encKey are preset on it, so that the corresponding encKey can be calculated by taking the EID transmitted by the eUICC as the dispersion factor; the dispersion mechanism of the encKey is shown in fig. 5;
(2) Certificate: the production line tool is preset with the CERT.DPpb.ECDSA and CERT.DPauth.ECDSA certificates, used for Profile binding and for mutual authentication with the eUICC respectively. These are prior art in the field; the detailed process is described in section 3.1.2, Common Mutual Authentication Procedure, of SGP.22.
S100, ordering Profile, encrypting the Profile through an encKey generation algorithm on the DP+ to obtain ciphertext Profile data and importing the ciphertext Profile data into a production line tool;
As shown in fig. 2 and fig. 4, before the user places an order and exports it, the Profile (i.e. the code number file) is stored in plaintext on the DP+ (the means of encrypting sensitive data is outside the scope discussed here); the Profile at this stage is a UPP (Unprotected Profile Package).
As an optional implementation of the present application, step S100, in which a Profile is ordered and encrypted through the encKey generation algorithm on the DP+ to obtain ciphertext Profile data that is then exported, includes:
S101, ordering a Profile from the DP+ through the ES2+ interface;
S102, generating an encKey for the Profile through the encKey generation algorithm on the DP+, and encrypting the Profile with the encKey to obtain ciphertext Profile data;
S103, importing the ciphertext Profile data to the production line tool through a USBKey.
The data preparer, namely the user, orders a Profile through the ES2+ interface. The DP+ then generates the encKey corresponding to the Profile according to the encKey generation algorithm, encrypts the Profile with the encKey to generate the ciphertext Profile data as a PPP (Protected Profile Package) file, and exports the ciphertext Profile data.
When downloading starts, the root key and the dispersion algorithm for generating the encKey are written into the USBKey, and the USBKey is inserted into a production tool computer.
At this time, the production line tool is connected to the eUICC device that is to receive the code number, and the tool and the device perform the standard GSMA download procedure to start the plaintext download process.
S200, connecting the production line tool with the equipment to be produced, carrying out a standard GSMA downloading flow, carrying out certificate mutual authentication, and exchanging a public key;
The line worker generates the PPP data as an offline file and imports the offline file into the production line tool.
The production line tool is connected to the eUICC device that is to download the code number. The tool and the device run the standard GSMA download flow and perform certificate mutual authentication. After mutual authentication completes, the production line tool generates a public/private key pair (elliptic curve algorithm), the eUICC also generates a public/private key pair, and the two parties exchange public keys. Through the ECDH key agreement algorithm, the production line tool obtains the same negotiation key OTPK (One Time Private Key) as the eUICC; at the same time it uses the EID to request the encKey from the USBKey. The encKey algorithm is shown in fig. 5.
S300, the production line tool obtains a secret key through exchanging a public key, performs splicing processing on the secret key and the ciphertext Profile data, obtains eUICC write-number data and sends the eUICC write-number data to the equipment to be produced;
After the encKey is obtained, it is encrypted using the OTPK obtained through the negotiation in step e.
As an optional implementation of the present application, step S300, in which the production line tool obtains a key through the public key exchange, splices the key and the ciphertext Profile data, obtains eUICC write-number data and sends the eUICC write-number data to the equipment to be produced, includes:
S301, the production line tool obtains, through the ECDH key agreement algorithm, the same negotiation key OTPK as the eUICC;
S302, using the EID to request an encKey from the USBKey, and encrypting the encKey with the negotiation key OTPK to obtain a key;
S303, splicing the key and the ciphertext Profile data in the format specified by GSMA to obtain the eUICC write-number data, splitting the eUICC write-number data to obtain the eUICC identification data, and downloading the eUICC identification data to the equipment to be produced.
As shown in fig. 4, the production line tool encrypts the encKey generated by the USBKey with the negotiation key OTPK, appends the ciphertext Profile data, and splices the two into Profile data carrying the decryption key (i.e. the BPP).
The encrypted encKey and the ciphertext Profile data are combined in the format specified by GSMA to obtain the BPP data (the eUICC write-number data). The BPP data is then split to obtain the SBPP data, namely the eUICC identification data; the SBPP data is in the form of ISO 7816 commands that the eUICC can recognize, and it is downloaded to the eUICC.
S400, the equipment to be produced receives the eUICC write-number data, reads and writes the eUICC code number according to the eUICC write-number data, and returns a read-write result to the production line tool.
After the equipment to be produced receives the eUICC write-number data, it first decrypts the data, recovering the plaintext Profile, and writes the plaintext Profile into the card. Specifically, as an optional embodiment of the present application, step S400, in which the equipment to be produced receives the eUICC write-number data, reads and writes the eUICC code number according to the eUICC write-number data, and returns a read-write result to the production line tool, includes:
S401, the equipment to be produced receives the eUICC identification data and decrypts the encKey in the eUICC identification data with the negotiation key OTPK to obtain the plaintext encKey;
S402, decrypting the plaintext Profile from the eUICC identification data with the obtained plaintext encKey and writing the plaintext Profile into the eUICC card, realizing the off-line download of the eUICC;
S403, feeding the download result back to the production line tool through the equipment to be produced, marking the Profile through the production line tool, and ending the flow.
After the equipment to be produced, whose eUICC is downloading the Profile, receives the SBPP data, it first decrypts the encKey using the negotiation key OTPK calculated in step e to obtain the plaintext encKey.
That is, the encKey in the eUICC identification data is decrypted with the negotiation key OTPK to obtain the plaintext encKey, the eUICC identification data is decrypted into the plaintext Profile, and the plaintext Profile is written into the prepared eUICC card. The equipment to be produced then feeds the download result back to the production line tool, the production line tool marks the Profile as downloaded, and the flow ends.
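The key flow of steps S100 to S400 (the same exchange embodiment 1 describes in S300), as an added example that is not part of the patent or of any GSMA code. Assumptions: HMAC-SHA256 over the EID stands in for the encKey dispersion algorithm of fig. 5 (not reproduced on this page), X25519 for the elliptic-curve exchange, an HMAC-based encrypt-then-MAC construction for the Profile cipher, and a 2-byte length prefix with 240-byte segments for the GSMA BPP/SBPP layout; all function names are hypothetical.

```python
import hashlib
import hmac
import os

P = 2**255 - 19                      # X25519 field prime (RFC 7748)
BASE = (9).to_bytes(32, "little")    # X25519 base point
SEG = 240                            # assumed segment size (fits one short APDU data field)


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Pure Python, not constant-time: demo only."""
    k_i = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k_i >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def session_key(priv: bytes, peer_pub: bytes) -> bytes:
    """Each side hashes its ECDH result into the negotiated key (the page's OTPK)."""
    return hashlib.sha256(x25519(priv, peer_pub)).digest()


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(mac(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated cipher: HMAC keystream, then MAC over nonce + ciphertext."""
    nonce = os.urandom(12)
    ks = stream(mac(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + mac(mac(key, b"mac"), nonce + ct)


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(mac(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, stream(mac(key, b"enc"), nonce, len(ct))))


class USBKey:
    """Holds the root key; the line tool only ever receives a per-EID encKey."""

    def __init__(self, root: bytes):
        self._root = root

    def enc_key(self, eid: str) -> bytes:
        # Assumed dispersion function: root key + EID as the dispersion factor.
        return mac(self._root, b"encKey" + eid.encode())[:16]


def dp_prepare(root: bytes, eid: str, upp: bytes) -> bytes:
    """S100 on the DP+: UPP -> ciphertext Profile (PPP) under the EID's encKey."""
    return seal(USBKey(root).enc_key(eid), upp)


def build_sbpp(usbkey: USBKey, eid: str, ppp: bytes, tool_priv: bytes, euicc_pub: bytes):
    """S300 on the line tool: wrap encKey under the OTPK, splice into BPP, segment."""
    wrapped = seal(session_key(tool_priv, euicc_pub), usbkey.enc_key(eid))
    bpp = len(wrapped).to_bytes(2, "big") + wrapped + ppp
    return [bpp[i:i + SEG] for i in range(0, len(bpp), SEG)]


def euicc_install(segments, euicc_priv: bytes, tool_pub: bytes) -> bytes:
    """S400 on the eUICC: reassemble, unwrap encKey with the OTPK, decrypt the Profile."""
    bpp = b"".join(segments)
    n = int.from_bytes(bpp[:2], "big")
    enc_key = unseal(session_key(euicc_priv, tool_pub), bpp[2:2 + n])
    return unseal(enc_key, bpp[2 + n:])


def demo():
    root, eid = os.urandom(32), "89000000000000000000000000000017"  # constructed EID
    upp = b"constructed profile element " * 30                      # constructed Profile
    ppp = dp_prepare(root, eid, upp)
    tool_priv, euicc_priv = os.urandom(32), os.urandom(32)          # one-time key pairs
    tool_pub, euicc_pub = x25519(tool_priv, BASE), x25519(euicc_priv, BASE)
    sbpp = build_sbpp(USBKey(root), eid, ppp, tool_priv, euicc_pub)
    return len(sbpp), euicc_install(sbpp, euicc_priv, tool_pub) == upp


if __name__ == "__main__":
    print(demo())
```

A ciphertext Profile prepared for one EID fails authentication when the USBKey is asked for another EID's encKey, and any altered segment is rejected before the Profile is written.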
It will be appreciated by those skilled in the art that all or part of the above-described embodiment methods may be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of each control method described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
Example 4
Still further, another aspect of the present application provides a control system, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of use described in embodiment 3 above when executing the executable instructions.
The control system of the embodiments of the present disclosure includes a processor and a memory for storing processor-executable instructions. The processor is configured to implement, when executing the executable instructions, any of the methods described above for using the eUICC offline production download system.
Here, it should be noted that the number of processors may be one or more. Meanwhile, in the control system of the embodiment of the present disclosure, an input device and an output device may be further included. The processor, the memory, the input device, and the output device may be connected by a bus, or may be connected by other means, which is not specifically limited herein.
The memory is a computer-readable storage medium that can be used to store software programs, computer-executable programs, and various modules, such as the programs or modules corresponding to the method of using the eUICC offline production download system of the embodiments of the present disclosure. The processor executes the various functional applications and data processing of the control system by running the software programs or modules stored in the memory.
The input device may be used to receive an input number or signal. Wherein the signal may be a key signal generated in connection with user settings of the device/terminal/server and function control. The output means may comprise a display device such as a display screen.
The foregoing description of the embodiments of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the technical improvement of the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (10)

1. An eUICC download method suitable for off-line production, comprising the steps of:
S100, deploying a production line DP+, acquiring Profile preparation data, exporting the Profile preparation data through a USBKey, and sending the Profile preparation data to a production line tool;
S200, acquiring eUICC equipment information of equipment to be produced through a production line tool, and acquiring ciphertext Profile data matched with the eUICC equipment information from the Profile preparation data;
S300, mutually identifying the production line tool and the equipment to be produced, calculating an authentication key, preprocessing the authentication key and the ciphertext Profile data, obtaining eUICC write-number data and sending the eUICC write-number data to the equipment to be produced;
S400, the equipment to be produced receives the eUICC write-number data, and completes the eUICC number writing according to the eUICC write-number data.
2. The method according to claim 1, wherein in step S100, the deploying of the production line DP+ and the acquiring and transmitting of Profile preparation data comprises:
S101, deploying a production line DP+, and encrypting Profile data stored on the DP+ through an encKey dispersion method and a dispersion key on the DP+ to obtain Profile preparation data;
S102, preparing and generating a USBKey based on the EPDK+ encKey dispersion method and the dispersion key;
S103, connecting the USBKey with the production line tool, exporting the Profile preparation data through the USBKey, and sending the Profile preparation data to the production line tool.
3. The method according to claim 1, wherein in step S200, the step of obtaining eUICC device information of a device to be produced by a production line tool, and obtaining ciphertext Profile data matched with the eUICC device information from the Profile preparation data comprises:
S201, presetting a serial port connection mode, and connecting equipment to be produced with the eUICC with the production line tool according to the serial port connection mode;
S202, the production line tool accesses the equipment to be produced through a serial port, and acquires eUICC equipment information EID of the equipment to be produced;
S203, acquiring ciphertext Profile data matched with the eUICC equipment information EID from the Profile preparation data.
4. The method according to claim 2, wherein in step S300, the line tool and the device to be produced are mutually authenticated, an authentication key is calculated, the key and the ciphertext Profile data are preprocessed, eUICC write-number data are obtained and sent to the device to be produced, and the method comprises:
S301, presetting authentication conditions, and enabling the production line tool and the equipment to be produced to be mutually identified according to the authentication conditions;
S302, applying for an encKey through the USBKey, and encrypting the encKey by utilizing a negotiation key OTPK to obtain an authentication key and sending the authentication key to the production line tool;
S303, the production line tool performs splicing processing on the key and the ciphertext Profile data according to a GSMA standard, obtains eUICC write-number data and sends the eUICC write-number data to the equipment to be produced.
5. The eUICC offline download system generated using the eUICC download method suitable for offline production according to any one of claims 1-4, comprising:
the deployment module is used for deploying the production line DP+ and acquiring and transmitting Profile preparation data;
the eUICC equipment information acquisition module is used for acquiring eUICC equipment information of equipment to be produced through a production line tool, and acquiring ciphertext Profile data matched with the eUICC equipment information from the Profile preparation data;
the authentication module is used for mutually identifying the production line tool and the equipment to be produced, calculating an authentication key, preprocessing the authentication key and the ciphertext Profile data, obtaining eUICC write-number data and sending the eUICC write-number data to the equipment to be produced;
and the eUICC read-write module is used for receiving the eUICC write number data through the equipment to be produced and finishing the eUICC write number according to the eUICC write number data.
6. The method of using the eUICC offline download system according to claim 5, comprising the steps of:
S100, ordering Profile, encrypting the Profile through an encKey generation algorithm on the DP+ to obtain ciphertext Profile data, and importing the ciphertext Profile data into the production line tool through a USBKey;
S200, connecting the production line tool with the equipment to be produced, carrying out a standard GSMA downloading flow, carrying out certificate mutual authentication, and exchanging a public key;
S300, the production line tool obtains a key through exchanging a public key, performs splicing processing on the key and the ciphertext Profile data, obtains eUICC write-number data and sends the eUICC write-number data to the equipment to be produced;
S400, the equipment to be produced receives the eUICC write-number data, reads and writes the eUICC code number according to the eUICC write-number data, and returns a read-write result to the production line tool.
7. The method according to claim 6, wherein in step S100, the Profile is ordered, and the Profile is encrypted by the encKey generation algorithm on the DP+ to obtain ciphertext Profile data and export the ciphertext Profile data, and the method comprises:
S101, ordering a Profile from DP+ through an ES2+ interface;
S102, generating an encKey of the Profile through an encKey generation algorithm on the DP+, and encrypting the Profile by using the encKey to obtain ciphertext Profile data;
S103, importing the ciphertext Profile data to the production line tool.
8. The method according to claim 6, wherein in step S300, the production line tool obtains a key by exchanging public keys, performs concatenation processing on the key and the ciphertext Profile data, obtains eUICC write-number data, and sends the eUICC write-number data to the device to be produced, and the method comprises:
S301, the production line tool obtains a negotiation key OTPK which is the same as the eUICC through an ECDH key negotiation algorithm;
S302, applying an encKey to the USBKey by using the EID, and encrypting the encKey by using the negotiation key OTPK to obtain a key;
S303, splicing the key and the ciphertext Profile data in the format specified by GSMA to obtain eUICC write-number data, performing separation processing on the eUICC write-number data to obtain eUICC identification data, and downloading the eUICC identification data to the equipment to be produced.
9. The method according to claim 8, wherein in step S400, the device to be produced receives eUICC write-number data, reads and writes eUICC numbers according to the eUICC write-number data, and returns a read-write result to the production line tool, and the method comprises:
S401, the equipment to be produced receives the eUICC identification data, decrypts the encKey in the eUICC identification data according to the negotiation key OTPK, and obtains the encKey of the plaintext;
S402, decrypting the plaintext Profile from the eUICC identification data by using the obtained plaintext encKey and writing the plaintext Profile into an eUICC card to realize off-line downloading of the eUICC;
S403, feeding the downloading result back to the production line tool through the equipment to be produced, marking the Profile state through the production line tool, and ending the flow.
10. A control system, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of use of any one of claims 6 to 9 when executing the executable instructions.
CN202210706369.9A 2022-06-21 2022-06-21 eUICC downloading method suitable for off-line production Active CN115278644B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210706369.9A CN115278644B (en) 2022-06-21 2022-06-21 eUICC downloading method suitable for off-line production

Publications (2)

Publication Number Publication Date
CN115278644A CN115278644A (en) 2022-11-01
CN115278644B true CN115278644B (en) 2023-09-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant