CN115767503A - Be applied to eSIM chip of thing networking - Google Patents


Info

Publication number
CN115767503A
Authority
CN
China
Prior art keywords
module
esim
unit
isd
data
Prior art date
Legal status
Pending
Application number
CN202211422955.7A
Other languages
Chinese (zh)
Inventor
郭艳龙
Current Assignee
Hangzhou Kedang Technology Co ltd
Original Assignee
Hangzhou Kedang Technology Co ltd
Application filed by Hangzhou Kedang Technology Co ltd
Priority to CN202211422955.7A
Publication of CN115767503A
Legal status: Pending

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an eSIM chip applied to the Internet of things. An eSIM unit, a dual-core RISC-V CPU unit, a WiFi6 protocol unit, an RF unit, a protocol processing unit, a neural network processor unit, a PPU unit and a bus interface are integrated on the eSIM chip, and the eSIM unit comprises an ISD-R, an ECASD, an ISD-P and a security module. The security module receives only the special character string in the FileProfile data, generates a special key from it, and works with the activation module to activate the authentication parameters in the FileProfile data. Although the FileProfile data can be copied, the first FileProfile data has already been activated and cannot be activated again, and the second special key is generated in relation to time, so the special key needed to activate the authentication parameters cannot be accurately obtained and the security of the eSIM card is greatly improved.

Description

Be applied to eSIM chip of thing networking
Technical Field
The invention relates to the technical field of the Internet of things, in particular to an eSIM chip applied to the Internet of things.
Background
The Internet of things means that any object or process that needs monitoring, connection and interaction is sensed in real time by various devices and technologies, such as information sensors, radio frequency identification, global positioning systems, infrared sensors and laser scanners, and that the ubiquitous connection of objects and people is realised through every possible network access, so that intelligent sensing, identification and management of objects and processes are achieved.
The connection modes of the Internet of things mainly comprise Ethernet, wireless networks based mainly on the WiFi protocol, low-power wide area networks and digital cellular networks. The SIM card is representative of the digital cellular network: inserted into a terminal device, it provides digital cellular network services. A traditional physical SIM card occupies space in the terminal device and requires holes in the device housing, which in turn causes substantive problems such as poor waterproofing. To solve such problems, eSIM cards have appeared; an eSIM is essentially a SIM chip, or a SIM unit within an SoC chip.
However, in the prior art, as exemplified by the dedicated Internet of things eSIM chip of patent CN114448912A, although that eSIM chip is designed on the RISC-V architecture and builds a PPU hardware unit based on a task scheduling algorithm, so as to respond to and process quickly the tasks of external Internet of things devices accessing the eSIM digital cellular network, its security is poor: a lawbreaker can completely copy the data in the eSIM and, by rewriting device serial codes, perfectly migrate the eSIM so that it works in place of the original device, which creates a great potential safety hazard.
Disclosure of Invention
The invention aims to provide an eSIM chip applied to the Internet of things, so as to solve the problems in the background technology.
In order to achieve this purpose, the invention provides the following technical scheme: the device comprises an eSIM chip, wherein an eSIM unit, a dual-core RISC-V CPU unit, a WiFi6 protocol unit, an RF unit, a protocol processing unit, a neural network processor unit, a PPU unit and a bus interface are integrated on the eSIM chip; the eSIM unit comprises an ISD-R, an ECASD, an ISD-P and a security module; the output end of the ISD-R is respectively connected with the input ends of the ISD-P and the security module; the connecting end of the security module is bidirectionally connected with the connecting end of the ISD-P; the output end of the ISD is connected with the security module; the security module comprises an information locking module, a decryption module, a storage module, a special key generation module, a time module and an activation module; the output end of the information locking module is connected with the input end of the decryption module; the output ends of the decryption module and the time module are respectively connected with the input end of the special key generation module; and the output end of the special key generation module is respectively connected with the input ends of the storage module and the activation module.
Preferably, at least two ISD-Ps are connected with the output end of the ISD-R; the ISD-P is used for managing the FileProfile, NAA, SSD, APPs and CASD, and is also used for controlling the security mode to delete the internally stored data.
Preferably, the FileProfile data downloaded by the eSIM chip comprises connection parameters, policies, a file system, authentication parameters, time and a special character string, wherein the authentication parameters include an activation lock, so that a special key is needed to activate the authentication parameters.
Preferably, the PPU unit carries a task scheduling algorithm that optimises the scheduling of network access requests to ensure stable operation of the eSIM chip. The task scheduling algorithm processes data from the eSIM unit, the WiFi6 protocol unit and the RF unit so that, for network access requests from wireless devices, it evaluates whether the current network is congested or idle according to the data transmission amount, the network transmission quality and the number of device accesses per unit time; when external devices are accessing the network intensively, the external network access requests are actively optimised and scheduled to keep the network smooth.
Preferably, the information locking module is configured to separate the special character string from the FileProfile data downloaded by the eSIM chip, and the decryption module is configured to decrypt the special character string and transmit the decrypted data to the special key generation module.
Preferably, the time module is configured to identify and calibrate the time information in the FileProfile data downloaded by the eSIM chip and to transmit the time information to the special key generation module.
Preferably, the special key generation module is configured to generate a one-time special key from the character data transmitted by the decryption module and the time data transmitted by the time module, and the activation module is configured to unlock the activation lock in the authentication parameters with this special key as the activation key, so that the authentication parameters are activated.
Compared with the prior art, the invention has the beneficial effects that:
1. The security module receives only the special character string in the FileProfile data, decrypts it and generates a special key, and the activation module works with it to activate the authentication parameters in the FileProfile data; the mobile phone cannot copy the special key. Although the FileProfile data can be copied, the first FileProfile data has already been activated and cannot be activated again with the special key even if copied, and the generation of the second special key is related to time, so the special key needed to activate the authentication parameters cannot be accurately obtained and the security of the eSIM card is greatly improved.
Drawings
Fig. 1 is a schematic block diagram of an overall structure of an eSIM chip applied to the internet of things;
fig. 2 is a block diagram illustrating a control structure of an eSIM unit of an eSIM chip according to an embodiment of the present invention;
fig. 3 is a control block diagram of an eSIM chip security module structure applied to the internet of things according to the present invention;
fig. 4 is an overall structural diagram of an eSIM chip applied to the internet of things according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Taking a mobile phone as an example: a lawbreaker first copies the data of the phone's eSIM card. That data is embedded in the phone and the authentication information is downloaded from the Internet of things to the phone, so the authentication information in the eSIM card is in a reproducible state. As long as the lawbreaker copies the eSIM card data and modifies the serial code of another phone so that the serial codes of the two phones are identical, the eSIM can be perfectly transplanted and both phones can access the Internet. This easily causes connection failures in the Internet of things and illegal access to it by the lawbreaker, so a considerable vulnerability remains in the prior art.
The eSIM system architecture in fig. 4 includes roles such as an MNO (operator), a CI digital signature authentication center, an EUM (eSIM manufacturer), an eSIM unit, an SM-DP (subscription data preparation), and an SM-SR (subscription data secure routing).
The main roles are as follows:
(1) CI: the CA centre, responsible for issuing digital certificates and root certificate verification for the MNO, SM-DP, SM-SR and EUM;
(2) EUM: responsible for eSIM production, downloading of the root certificate and the EUM production certificate, and initialising the operator communication PROFILE;
(3) SM-DP: subscription data preparation, responsible for generating the FileProfile and managing the content of the ISD-P card in the eSIM;
(4) SM-SR: subscription data secure routing, providing a secure route for the SM-DP and MNO to access the eSIM and storing eSIM security information;
(5) eSIM unit: the access-network identity authentication module, responsible for identity authentication and for loading the card with applications;
(6) MNO: the network operator.
In this system framework the SM-DP, MNO and SM-SR call the ES5, ES6 and ES8 interfaces to access the eSIM unit and perform dynamic management of the FileProfile or applications over the data SMS, BIP-CATTP and HTTPS transport-layer protocols.
Referring to fig. 1-4, the present invention provides a technical solution: the system comprises an eSIM chip, wherein an eSIM unit, a dual-core RISC-V CPU unit, a WiFi6 protocol unit, an RF unit, a protocol processing unit, a neural network processor unit, a PPU unit and a bus interface are integrated on the eSIM chip; the eSIM unit comprises an ISD-R, an ECASD, an ISD-P and a security module; the output end of the ISD-R is respectively connected with the input ends of the ISD-P and the security module; the connecting end of the security module is bidirectionally connected with the connecting end of the ISD-P; the output end of the ISD is connected with the security module; the security module comprises an information locking module, a decryption module, a storage module, a special key generation module, a time module and an activation module; the output end of the information locking module is connected with the input end of the decryption module; the output ends of the decryption module and the time module are respectively connected with the input end of the special key generation module; and the output end of the special key generation module is respectively connected with the input ends of the storage module and the activation module.
At least two ISD-Ps are connected with the output end of the ISD-R; the ISD-P is used for managing the FileProfile, NAA, SSD, APPs and CASD, and is also used for controlling the security mode to delete the internally stored data.
The FileProfile data downloaded by the eSIM chip comprises connection parameters, policies, a file system, authentication parameters, time and a special character string, wherein the authentication parameters include an activation lock, so that a special key is needed to activate them.
The PPU unit carries a task scheduling algorithm that optimises the scheduling of network access requests to ensure stable operation of the eSIM chip. The task scheduling algorithm processes data from the eSIM unit, the WiFi6 protocol unit and the RF unit so that, for network access requests from wireless devices, it evaluates whether the current network is congested or idle according to the data transmission amount, the network transmission quality and the number of device accesses per unit time; when external devices are accessing the network intensively, the external network access requests are actively optimised and scheduled to keep the network smooth.
The information locking module is used for separating the special character string from the FileProfile data downloaded by the eSIM chip, and the decryption module is used for decrypting the special character string and transmitting the decrypted data to the special key generation module.
The time module is used for identifying and calibrating the time information in the FileProfile data downloaded by the eSIM chip and transmitting the time information to the special key generation module.
The special key generation module is used for generating a one-time special key from the character data transmitted by the decryption module and the time data transmitted by the time module, and the activation module is used for unlocking the activation lock in the authentication parameters with this special key as the activation key, so as to activate the authentication parameters.
As shown in fig. 2, the eSIM unit has an AM (authorization management) authority mode, and the ISD-R, ISD-P and MNO-SD, which hold AM management authority, can autonomously manage the card contents under them.
ISD-R: with AM management authority, the ISD-R is the on-card representative through which the SM-SR manages the eSIM. The ISD-R holds global management authorities over the eSIM global space, such as recovery, deletion, registration and locking; it is established by the card issuer, which completes its key initialisation, and it is in the activated state once the eSIM has completed production and issuance; it is responsible for creating and activating/deactivating ISD-Ps; and it is configured with the SCP80 secure channel protocol, with 15 key sets in key versions 30-3F in two versions.
ISD-P: with AM management authority, the ISD-P is the on-card representative through which the SM-DP manages the eSIM. The ISD-P is created by the ISD-R and can create an MNO-SD through its AM authority. Multiple ISD-Ps may exist in the eSIM, but to ensure normal use of the communication function only one ISD-P may be in the active state at a time and the rest must not be active. Each ISD-P may have created inside it an MNO-SD, a set of telecom operator PROFILEs, a CASD and the remaining SSDs and applications. Applications and PROFILEs inside different ISD-Ps may use the same AID. The ISD-P is configured with the SCP03 secure channel protocol. After the eSIM finishes production, at least one ISD-P must be in the activated state.
MNO-SD: the operator's security domain, with AM management authority, is created by the ISD-P and configured with the SCP80 secure channel protocol; under the MNO-SD, operator PROFILEs and other operator applications can continue to be created and loaded.
CASD: the controlling authority security domain supports asymmetric algorithms and loads digital certificates. During application management of the eSIM card, digital signature verification and key exchange are performed through the CASD. A CASD can be created under both the ISD-R and the MNO-SD in the eSIM, for global and local digital signature authentication respectively.
Through this framework, the configured authorities and the keys, the eSIM implements dynamic management of card content such as loading, installation and deletion; during dynamic management it calls the corresponding CASD to perform digital signature identity authentication, and card content management and application access can proceed once identity authentication is complete.
The working principle is as follows. To use the chip in a mobile phone, the user first obtains from an operator the right to use an Internet of things eSIM and its card number; at this point the user's information, such as face information and the card number, is bound. Face information is used because ordinary mobile phones already have a face recognition function. When activation is needed, the user operates the phone, selects the operator and sends a card-opening application; the eSIM card of this technical scheme accesses the operator network, the phone's face recognition function is activated, the user's face is recognised and the result is uploaded to the operator. The operator then sends FileProfile data to the eSIM card. The FileProfile data comprises connection parameters, a policy, a file system, authentication parameters, time and a special character string; the authentication parameters contain an activation lock, and the activation condition of the activation lock depends on the time at which the operator sent the FileProfile data to the eSIM card, so the activation keys of authentication parameters sent at different times are different. The activation period of the authentication parameters is 1 minute: when the mobile phone receives the FileProfile data sent by the operator to the eSIM card, activation of the authentication parameters must be completed within 1 minute. Because the working time between the information locking module, the decryption module, the special key generation module and the activation module is very short, the 1-minute limit has essentially no effect on normal activation and only serves to prevent malicious cracking by a lawbreaker.
At this point the time module calibrates the time at which the eSIM card received the FileProfile data according to the time information and transmits it to the special key generation module. Meanwhile, the information locking module separates the special character string from the FileProfile data received by the eSIM card and transmits it to the decryption module; the decryption module decrypts it and passes the decrypted data to the special key generation module, which generates a special key from the decrypted character data and the time information transmitted by the time module. The special key is therefore related both to the special character string in the FileProfile data and to time: the same special character string sent at different times yields completely different special keys from the special key generation module. The time-related special key is transmitted to the activation module, which activates the authentication parameters in the FileProfile data so that the eSIM can connect normally to the Internet of things. Once the authentication parameters are activated, they and the special key are absolutely bound: if either of them is missing, the eSIM card cannot connect to the Internet of things.
The security module is integrated in the eSIM card and exchanges no information with the mobile phone; it receives only the special character string from the FileProfile data, decrypts it and generates the special key, and the activation module then acts on the activation of the authentication parameters in the FileProfile data. The mobile phone therefore cannot copy the special key. Although the FileProfile data can be copied, the first FileProfile data has already been activated and cannot be activated again, and the second special key, being generated in relation to time, cannot be accurately obtained.
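As an added example (not code from the patent), the following Python model walks through the security-module flow given in the module descriptions above and in the working principle: the information locking, decryption, time, special-key generation, storage and activation modules, the 1-minute window, the one-time activation and the binding of the key to the authentication parameters. The HMAC-SHA256 derivation, the keystream-XOR decryption and the per-chip secret are assumptions standing in for the steps the patent leaves unspecified.

```python
import hashlib
import hmac
from dataclasses import dataclass

ACTIVATION_WINDOW_S = 60  # the page's one-minute activation window


@dataclass
class FileProfile:
    profile_id: str
    auth_params: dict      # authentication parameters, including the activation lock
    sent_at: int           # operator send time (epoch seconds) carried in the profile
    special_string: bytes  # encrypted special character string carried in the profile


def _canon(auth_params):
    """Canonical bytes of the authentication parameters, minus the lock flag."""
    items = sorted((k, str(v)) for k, v in auth_params.items() if k != "activation_lock")
    return repr(items).encode()


class SecurityModule:
    """Chip-internal security module; nothing here is exposed to the phone."""

    def __init__(self, chip_secret: bytes):
        # Assumption: per-chip secret provisioned at production, never leaves the chip.
        self._secret = chip_secret
        self._store = {}  # storage module: profile_id -> (special key, binding)

    @staticmethod
    def _lock(fp):
        # Information locking module: isolate the special string from the profile.
        return fp.special_string

    def _decrypt(self, blob):
        # Decryption module (assumed keystream XOR, a stand-in for the real cipher).
        ks = hashlib.sha256(b"special-string" + self._secret).digest()
        return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(blob))

    @staticmethod
    def _calibrate(fp, received_at):
        # Time module: enforce the window, then hand the send time to the KDF.
        if not fp.sent_at <= received_at <= fp.sent_at + ACTIVATION_WINDOW_S:
            raise PermissionError("activation window expired")
        return fp.sent_at.to_bytes(8, "big")

    def _derive(self, plain, t):
        # Special key generation module: one-time key from string data and time.
        return hmac.new(self._secret, plain + t, hashlib.sha256).digest()

    def activate(self, fp, received_at):
        # Activation module: unlock once, bind the key to the authentication parameters.
        if fp.profile_id in self._store:
            raise PermissionError("profile already activated")
        t = self._calibrate(fp, received_at)
        key = self._derive(self._decrypt(self._lock(fp)), t)
        binding = hmac.new(key, _canon(fp.auth_params), hashlib.sha256).digest()
        self._store[fp.profile_id] = (key, binding)
        fp.auth_params["activation_lock"] = False
        return binding  # the key itself never leaves the module

    def attach(self, fp):
        # Network attach: the bound authentication parameters must be intact.
        entry = self._store.get(fp.profile_id)
        if entry is None or fp.auth_params.get("activation_lock", True):
            return False
        key, binding = entry
        now = hmac.new(key, _canon(fp.auth_params), hashlib.sha256).digest()
        return hmac.compare_digest(now, binding)


def try_activate(chip, fp, received_at):
    """True if activation succeeds, False if the module refuses it."""
    try:
        chip.activate(fp, received_at)
        return True
    except PermissionError:
        return False


def make_profile(sent_at, profile_id="iot-001"):
    """Constructed sample FileProfile; the values are not real operator data."""
    params = {"activation_lock": True, "imsi": "001010123456789", "ki_ref": "slot-7"}
    return FileProfile(profile_id, params, sent_at, b"\x5a\x1f\xc3\x9e\x42\x77\x08\xd1")


def demo():
    """Normal activation, then the page's failure cases: replay, late copy, tampering."""
    chip_a = SecurityModule(b"per-chip-secret-A")
    fp = make_profile(sent_at=1_700_000_000)
    ok = try_activate(chip_a, fp, 1_700_000_010) and chip_a.attach(fp)
    replay = try_activate(chip_a, make_profile(1_700_000_000), 1_700_000_020)
    late = try_activate(SecurityModule(b"per-chip-secret-B"), make_profile(1_700_000_000),
                        1_700_000_061)  # copied profile presented after the window
    fp.auth_params["imsi"] = "001010999999999"  # tamper with the bound parameters
    return ok, replay, late, chip_a.attach(fp)
```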
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that various changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (7)

1. An eSIM chip applied to the Internet of things, comprising an eSIM chip on which an eSIM unit, a dual-core RISC-V CPU unit, a WiFi6 protocol unit, an RF unit, a protocol processing unit, a neural network processor unit, a PPU unit and a bus interface are integrated, characterized in that: the eSIM unit comprises an ISD-R, an ECASD, an ISD-P and a security module, wherein the output end of the ISD-R is respectively connected with the input ends of the ISD-P and the security module, the connecting end of the security module is bidirectionally connected with the connecting end of the ISD-P, the output end of the ISD is connected with the security module, the security module comprises an information locking module, a decryption module, a storage module, a special key generation module, a time module and an activation module, the output end of the information locking module is connected with the input end of the decryption module, the output ends of the decryption module and the time module are respectively connected with the input end of the special key generation module, and the output end of the special key generation module is respectively connected with the input ends of the storage module and the activation module.
2. The eSIM chip applied to the Internet of things according to claim 1, wherein: at least two ISD-Ps are connected with the output end of the ISD-R, the ISD-P is used for managing the FileProfile, NAA, SSD, APPs and CASD, and the ISD-P is also used for controlling a security mode to delete internally stored data.
3. The eSIM chip applied to the Internet of things according to claim 2, wherein: the FileProfile data downloaded by the eSIM chip comprises connection parameters, policies, a file system, authentication parameters, time and a special character string, wherein the authentication parameters comprise an activation lock, so that a special key is needed to activate the authentication parameters.
4. The eSIM chip applied to the Internet of things according to claim 3, wherein: the PPU unit carries a task scheduling algorithm that optimises the scheduling of network access requests to ensure stable operation of the eSIM chip, and the task scheduling algorithm processes data from the eSIM unit, the WiFi6 protocol unit and the RF unit so that, for network access requests from wireless devices, it evaluates whether the current network is congested or idle according to the data transmission amount, the network transmission quality and the number of device accesses per unit time; when external devices are accessing the network intensively, the external network access requests are actively optimised and scheduled to keep the network smooth.
5. The eSIM chip applied to the Internet of things according to claim 4, wherein: the information locking module is used for separating the special character string from the FileProfile data downloaded by the eSIM chip, and the decryption module is used for decrypting the special character string and transmitting the decrypted data to the special key generation module.
6. The eSIM chip applied to the Internet of things according to claim 5, wherein: the time module is used for identifying and calibrating the time information in the FileProfile data downloaded by the eSIM chip and transmitting the time information to the special key generation module.
7. The eSIM chip applied to the Internet of things according to claim 6, wherein: the special key generation module is used for generating a one-time special key from the character data transmitted by the decryption module and the time data transmitted by the time module, and the activation module is used for unlocking the activation lock in the authentication parameters with this special key as the activation key, so as to activate the authentication parameters.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211422955.7A CN115767503A (en) 2022-11-14 2022-11-14 Be applied to eSIM chip of thing networking


Publications (1)

Publication Number Publication Date
CN115767503A true CN115767503A (en) 2023-03-07

Family

ID=85370661




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination