CN116070221A - Hard protection method, system, device, equipment and storage medium for network certificate sensitive data - Google Patents

Hard protection method, system, device, equipment and storage medium for network certificate sensitive data Download PDF

Info

Publication number
CN116070221A
CN116070221A CN202111279411.5A CN202111279411A CN116070221A CN 116070221 A CN116070221 A CN 116070221A CN 202111279411 A CN202111279411 A CN 202111279411A CN 116070221 A CN116070221 A CN 116070221A
Authority
CN
China
Prior art keywords
nissa
data
sim card
server
related data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111279411.5A
Other languages
Chinese (zh)
Inventor
郭冲冲
杨玲
王馨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ziguang Tongxin Microelectronics Co Ltd
Original Assignee
Ziguang Tongxin Microelectronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ziguang Tongxin Microelectronics Co Ltd filed Critical Ziguang Tongxin Microelectronics Co Ltd
Priority to CN202111279411.5A priority Critical patent/CN116070221A/en
Publication of CN116070221A publication Critical patent/CN116070221A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Telephone Function (AREA)

Abstract

The application provides a network certificate sensitive data hard protection method, a system, a device, equipment and a storage medium, wherein the network certificate sensitive data hard protection method applied to a server of a chip manufacturer comprises the following steps: the identification information of the SIM card is sent to the NISSA server, so that the NISSA server generates NISSA related data based on the identification information of the SIM card, the NISSA related data is sent to the chip manufacturer server, the NISSA related data is received, and the NISSA related data is written into a read-only memory area of the SIM card. According to the method and the device for updating the NISSA related data, after the NISSA related data are generated according to the identification information of the SIM card, the NISSA related data are written into the read-only memory area of the SIM card, and the read-only memory area of the SIM card is not affected by the Applet updating, so that the NISSA related data in the read-only memory area of the SIM card can be kept even if the Applet updating is carried out.

Description

Hard protection method, system, device, equipment and storage medium for network certificate sensitive data
Technical Field
The present disclosure relates to the field of information processing technologies, and in particular, to a method, a system, an apparatus, a device, and a storage medium for hard protecting network certificate sensitive data.
Background
The network certificate sensitive data is NISSA sensitive data, which refers to secret information items in the network certificate, and is generated and stored by an NISSA server in the NISSA platform. And writing the NISSA sensitive data into the SIM card in the delivery stage of the SIM card so as to perform network card opening, network card reading, network card authentication and other processes based on the NISSA sensitive data in the SIM card.
At present, NISSA sensitive data is written into a SIM card by adopting a network card sensitive data soft protection method, wherein the network card sensitive data soft protection method comprises the following steps: after the NISSA server generates NISSA sensitive data, the NISSA sensitive data is sent to an operator server (namely a server where an operator is located), the operator server sends the NISSA sensitive data to a card operator server (namely a server where a card operator is located), and finally the card operator server encrypts the NISSA sensitive data to obtain NISSA ciphertext data, and then the NISSA ciphertext data is written into an application file system of the SIM card.
The soft protection method for the network certificate sensitive data has the following defects: the NISSA ciphertext data is placed in an application file system (i.e., applet file system) of the SIM card, and the NISSA ciphertext data cannot be retained when the Applet is upgraded.
Disclosure of Invention
In view of this, the present application provides a method, a system, a device, and a storage medium for hard protection of network certificate sensitive data, which are used for solving the problem that NISSA ciphertext data cannot be retained during Applet upgrading in the prior art, and the technical scheme is as follows:
a hard protection method for network certificate sensitive data is applied to a server of a chip manufacturer and comprises the following steps:
the method comprises the steps of sending identification information of a SIM card to a NISSA server so that the NISSA server generates NISSA related data based on the identification information of the SIM card and sends the NISSA related data to a chip manufacturer server, wherein the NISSA related data are NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data are obtained by encrypting the NISSA sensitive data;
and receiving the NISSA related data and writing the NISSA related data into a read-only memory area of the SIM card.
Optionally, the NISSA-related data is NISSA-sensitive data, and writing the NISSA-sensitive data into a read-only memory area of the SIM card includes:
encrypting the NISSA sensitive data to obtain NISSA ciphertext data;
writing the NISSA ciphertext data into a read-only memory area of the SIM card;
optionally, the identification information of the SIM card is a subscriber personal identification number of the SIM card.
A hard protection method for network certificate sensitive data is applied to an NISSA server and comprises the following steps:
acquiring identification information of the SIM card;
generating NISSA related data according to the identification information of the SIM card, and sending the NISSA related data to a chip manufacturer server so that the chip manufacturer server can write the NISSA related data into a read-only memory area of the SIM card, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data.
Optionally, the NISSA-related data is NISSA ciphertext data, and generating the NISSA-related data according to the identification information of the SIM card includes:
generating NISSA sensitive data according to the identification information of the SIM card;
acquiring a root key corresponding to identification information of the SIM card from a pre-stored root key set;
and encrypting the NISSA sensitive data according to the root key to obtain NISSA ciphertext data.
A network credential sensitive data hard protection system comprising: the NISSA server and the chip manufacturer server;
the chip manufacturer server is used for sending the identification information of the SIM card to the NISSA server;
the NISSA server is used for acquiring the identification information of the SIM card, generating NISSA related data according to the identification information of the SIM card, and sending the NISSA related data to the chip manufacturer server, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data;
the chip manufacturer server is also used for receiving the NISSA related data and writing the NISSA related data into a read-only memory area of the SIM card.
A hard protecting device for network certificate sensitive data is applied to a server of a chip manufacturer, and comprises: the NISSA related data receiving and writing module is used for receiving the NISSA related data;
the device comprises an identification information sending module, a storage module and a storage module, wherein the identification information sending module is used for sending the identification information of the SIM card to the NISSA server so that the NISSA server generates NISSA related data based on the identification information of the SIM card and sends the NISSA related data to the chip manufacturer server, the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data;
and the NISSA related data receiving and writing module is used for receiving the NISSA related data and writing the NISSA related data into a read-only memory area of the SIM card.
A hard protecting device for network certificate sensitive data is applied to an NISSA server, and comprises: the system comprises an identification information acquisition module and a NISSA related data generation and transmission module;
the identification information acquisition module is used for acquiring the identification information of the SIM card;
the NISSA related data generation and transmission module is used for generating NISSA related data according to the identification information of the SIM card and transmitting the NISSA related data to the chip manufacturer server so that the chip manufacturer server can write the NISSA related data into a read-only storage area of the SIM card, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data.
A hard protection device for network certificate sensitive data comprises a memory and a processor;
a memory for storing a program;
and the processor is used for executing a program to realize the steps of the network certificate sensitive data hard protection method according to any one of the above steps.
A readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of a method for hard protecting network authentication sensitive data as in any one of the above.
According to the technical scheme, the network card sensitive data hard protection method applied to the chip manufacturer server can send the identification information of the SIM card to the NISSA server, so that the NISSA server generates NISSA related data based on the identification information of the SIM card and sends the NISSA related data to the chip manufacturer server, and the chip manufacturer server receives the NISSA related data and writes the NISSA related data into a read-only memory area of the SIM card. Therefore, the embodiment of the application can write the NISSA related data into the read-only memory area of the SIM card after generating the NISSA related data according to the identification information of the SIM card, and the read-only memory area of the SIM card is not affected by the Applet upgrading, so that the NISSA related data in the read-only memory area of the SIM card can be kept even if the Applet upgrades.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
Fig. 1 is a schematic flow chart of a method for hard protecting network certificate sensitive data according to an embodiment of the present application;
fig. 2 is a schematic diagram of an application architecture of a network certificate system according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a network certificate sensitive data hard protection device applied to a server of a chip manufacturer according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a network certificate sensitive data hard protection device applied to a NISSA server according to an embodiment of the present application;
fig. 5 is a hardware block diagram of a network card sensitive data hard protection device applied to a server of a chip manufacturer according to an embodiment of the present application
Fig. 6 is a hardware block diagram of a network certificate sensitive data hard protection device applied to a NISSA server according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In view of the problems existing in the existing soft protection method for the network certificate sensitive data, the inventor conducts intensive research and finally provides a hard protection method, a system, a device, equipment and a storage medium for the network certificate sensitive data. Next, the method for hard protecting the network certificate sensitive data provided in the present application will be described in detail by the following examples.
Referring to fig. 1, a flow chart of a method for protecting network card sensitive data hard according to an embodiment of the present application is shown, where the method for protecting network card sensitive data hard may include:
step S101, the chip manufacturer server sends the identification information of the SIM card to the NISSA server.
In the prior art, after the NISSA server generates NISSA sensitive data, the NISSA sensitive data needs to be sent to the merchant server through the operator server, and in the process, the NISSA sensitive data is handed over for a plurality of times, so that a certain leakage risk exists. In order to reduce the risk of leakage of NISSA sensitive data, in an alternative embodiment, the embodiments of the present application may set up a secure channel between the NISSA server and the chip manufacturer server, so that the NISSA server and the chip manufacturer server interact directly.
In this step, the chip manufacturer server may send the identification information of the SIM card to the NISSA server through the above-mentioned built secure channel.
Here, the identification information of the SIM card refers to a unique identification of the SIM card. Alternatively, the identification information of the SIM card may be a personal identification code of the user of the SIM card (i.e. the UID of the SIM card), and then the chip manufacturer server may send the UID of the SIM card to the NISSA server through the secure channel.
Step S102, the NISSA server acquires the identification information of the SIM card.
Alternatively, the chip vendor server may send the identification information of the SIM card to the NISSA server, so that the NISSA server may obtain the identification information of the SIM card, e.g., the chip vendor server sends the UID of the SIM card to the NISSA server, and the NISSA server may obtain the UID of the SIM card. Of course, the NISSA server may also obtain the identification information of the SIM card in other manners, which is not limited in this application.
Step S103, the NISSA server generates NISSA related data according to the identification information of the SIM card.
In an alternative embodiment, the NISSA-related data may be NISSA ciphertext data obtained by encrypting NISSA-sensitive data (which is plaintext data).
In the prior art, NISSA sensitive data is transmitted without encryption, which has a certain risk of leakage, and the control right of the NISSA sensitive data is not in the NISSA server, but in the operator server, which has a certain risk of uncontrollability. In order to solve the above problems, in this step, the NISSA server may generate NISSA ciphertext data according to the identification information of the SIM card, so that the NISSA ciphertext data corresponding to the NISSA sensitive data may be sent to other devices if necessary, thereby reducing the risk of leakage of the NISSA sensitive data, and the NISSA sensitive data is only stored in the NISSA server, so that the control right of the NISSA sensitive data is in the NISSA server, and improving the security and controllability of the NISSA sensitive data.
Optionally, if the NISSA related data may be NISSA ciphertext data, the specific implementation process of this step may include the following steps S1031 to S1033:
step S1031, the NISSA server generates NISSA sensitive data according to the identification information of the SIM card.
Optionally, the NISSA sensitive data may be composed of a plurality of sensitive data such as identification information of the SIM card and a manufacturer code, and the process of generating the NISSA sensitive data according to the identification information of the SIM card in this step may specifically include: the NISSA-sensitive data is generated from a plurality of sensitive data including identification information of the SIM card and a vendor code.
In step S1032, the NISSA server obtains the root key corresponding to the identification information of the SIM card from the pre-stored root key set.
In this step, the NISSA server is located on the NISSA platform and includes a root key system, where a root key set is pre-stored in the root key system, where a root key included in the root key set corresponds to identification information of the SIM card one by one, so that after obtaining the identification information of the SIM card, the NISSA server can obtain a root key corresponding to the identification information from the root key set.
And step S1033, the NISSA server encrypts the NISSA sensitive data according to the root key to obtain NISSA ciphertext data.
In another alternative embodiment, the NISSA-related data may be NISSA-sensitive data (the NISSA-sensitive data being plaintext data).
That is, the NISSA server generates NISSA-sensitive data according to the identification information of the SIM card after acquiring the identification information of the SIM card, and then directly transmits the NISSA-sensitive data to the chip vendor server. Here, the process of generating the NISSA sensitive data by the NISSA server according to the identification information of the SIM card is the same as that of step S1031, and the detailed description thereof will be referred to above, and details thereof will not be repeated.
Step S104, the NISSA server sends the NISSA related data to the chip manufacturer server.
Step S105, the chip manufacturer server writes the NISSA related data into a read-only memory area of the SIM card.
Optionally, if the NISSA-related data is NISSA ciphertext data, the chip manufacturer server may write the NISSA ciphertext data into the read-only memory area of the SIM card.
Optionally, if the NISSA-related data is NISSA-sensitive data, the process of writing the NISSA-related data into the read-only memory area of the SIM card by the chip manufacturer server in this step may include the following steps S1051 to S1052:
in step S1051, the chip manufacturer server encrypts the NISSA sensitive data to obtain NISSA ciphertext data.
The specific implementation of this step is related to the prior art and will not be described in detail here.
Step S1052, the server of the chip manufacturer writes the NISSA ciphertext data into the read-only memory area of the SIM card.
Specifically, after obtaining the NISSA ciphertext data, the chip manufacturer server may safely write the NISSA ciphertext data into the read-only memory area of the SIM card at the factory stage of the SIM card.
According to the network card sensitive data hard protection method, the chip manufacturer server can send the identification information of the SIM card to the NISSA server, the NISSA server can generate NISSA related data based on the identification information of the SIM card, the NISSA related data is sent to the chip manufacturer server, and the chip manufacturer server writes the NISSA related data into a read-only memory area of the SIM card. Therefore, after the NISSA server generates the NISSA related data according to the identification information of the SIM card, the NISSA related data is written into the read-only memory area of the SIM card by the chip manufacturer server, and the read-only memory area of the SIM card is not affected by the upgrading of the Applet, so that the NISSA related data in the read-only memory area of the SIM card can be kept even if the Applet upgrades the SIM card.
Meanwhile, the NISSA platform server generates NISSA ciphertext data in an encrypting mode according to the identification information of the SIM card, so that the identification information of the SIM card corresponds to the NISSA ciphertext data one by one, binding of the NISSA ciphertext data and the SIM card is achieved, and uniqueness and safety of the NISSA ciphertext data are guaranteed. And the NISSA ciphertext data is written into the read-only memory area of the SIM card by the server of the chip manufacturer, so that the NISSA sensitive data has the characteristics of non-falsification, non-falsification and unique authorization.
The embodiment of the application also provides a network card sensitive data hard protection system, which can comprise an NISSA server and a chip manufacturer server.
The chip manufacturer server can be used for sending the identification information of the SIM card to the NISSA server.
The NISSA server can be used for acquiring the identification information of the SIM card, generating NISSA related data according to the identification information of the SIM card, and sending the NISSA related data to the chip manufacturer server, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data.
The chip manufacturer server may be further configured to receive NISSA-related data and write the NISSA-related data into a read-only memory area of the SIM card.
The network card sensitive data hard protection system and the network card sensitive data hard protection method described above may be referred to correspondingly, and detailed description of the network card sensitive data hard protection method may be referred to, which is not described herein.
In order to make the person skilled in the art more understand the present application, taking NISSA related data as NISSA ciphertext data as an example, a network certificate system application framework implemented on the basis of the embodiment of the present application is given, and specific implementation processes of several application scenarios of the embodiment of the present application are given.
After the NISSA ciphertext data is written into the read-only storage area of the SIM card, the network card sensitive data hard protection method and system can realize the functions of network card opening, network card reading, network card authentication and the like based on the NISSA ciphertext data in the read-only storage area of the SIM card.
Based on this, the embodiment of the present application provides a network certificate system application framework, as shown in fig. 2, where the network certificate system application framework may include: trusted digital identity platform, SIM digital identity service platform, NISSA platform, gateway, terminal, channel, SIM card, etc.
The CTID platform is used for realizing the functions of issuing a trusted digital identity, verifying the identity, collecting and processing sensitive information and the like based on a CTID server, and verifying the identity of a user through identity information, living body detection information and NISSA ciphertext data when a network card is opened.
The SIM card digital identity service platform refers to a five-party platform, and can realize the management of CTID auxiliary security domains, CTID applets and the like based on a five-party platform server.
The NISSA platform is based on the functions of NISSA server NISSA sensitive data generation and storage, NISSA ciphertext data generation and the like.
The gateway provides network connection services.
The terminal is a terminal used by a user and mainly provides basic functions such as opening authorization, network card display, password input, biological characteristic acquisition and the like, and can control the flows of different functions such as network card opening, network card reading, network card authentication and the like through the network card application APP, and realize data transmission between a server and a SIM card network card application through the network card application APP.
The channel refers to a method of accessing the SIM card by each application supported by the mobile phone, for example, BIP, short message, OMA, etc.
The SIM card comprises three parts, namely a card application, a SIM card COS and a chip layer. The network certificate application should support the private instructions defined by the network certificate, and the NISSA data is stored in the chip layer securely. The network certificate application can only read the NISSA ciphertext data, and the COS platform does not provide a writing interface.
According to the network card system application framework, all layers depend on the existing standard specification and the security mechanism, multiple layers are matched with each other, secure communication is achieved, the SIM card chip stores NISSA ciphertext data, the operator server manages security domain keys, the CTID server grasps all data, and system data security is improved.
The application framework of the network card system provided by the application framework can store and read the NISSA ciphertext data, and the functions of network card opening, network card reading, network card authentication and the like can be realized based on the storage and reading functions of the NISSA ciphertext data.
Alternatively, the general procedure of opening the network certificate can be seen in the following a1 to a11:
a1: the NISSA ciphertext data is written into the read-only memory area of the SIM card through the embodiment of the application.
a2: the chip manufacturer server provides the SIM card chip for loading the NISSA ciphertext data to the operator server according to the original business mode.
a3: and the operator server completes the initialization of the auxiliary security domain, and realizes the secure transmission of data through the process key. And when the network card is opened, the operator server reads the NISSA ciphertext data from the read-only storage area of the SIM card and sends the NISSA ciphertext data to the five-party platform server.
In this step, after acquiring the SIM card, the operator server may initialize the auxiliary security domain first, and then establish the network certificate application after the initialization is completed, where, when the network certificate application is personalized, a key group corresponding to the auxiliary security domain (in this embodiment, each auxiliary security domain includes a plurality of auxiliary security domains, each auxiliary security domain corresponds to a key group) may be distributed, and a process key is generated according to a random number, so as to encrypt personalized data of the network certificate application through the process key, and since the process keys when writing data in each personalization are different, security of personalized data transmission is improved.
After the network license application is established, the network license opening can be realized according to the network license application, at the moment, the operator server can read the NISSA ciphertext data from the read-only memory area of the SIM card and send the NISSA ciphertext data to the five-party platform server.
Optionally, when sending the NISSA ciphertext data to the five-party platform server, the key set of the network certificate application may be distributed, generate a process key according to the random number, encrypt the NISSA ciphertext data by using the generated process key, and send the encrypted NISSA ciphertext data to the five-party platform server.
a4: the five-party platform server signs the NISSA ciphertext data and sends the NISSA ciphertext data to the NISSA server.
a5: and the NISSA server performs signature verification, authentication and decryption on the signed NISSA ciphertext data to obtain NISSA sensitive data.
In this step, the NISSA ciphertext data after signing may be checked and authenticated by the NISSA server, and after both the checked and authenticated are passed, a root key corresponding to the identification information of the SIM card may be obtained from a pre-stored root key set according to the identification information of the SIM card corresponding to the NISSA ciphertext data, and the NISSA ciphertext data may be decrypted according to the obtained root key, to obtain NISSA sensitive data (i.e., NISSA plaintext data).
a6: the NISSA server signs the NISSA-sensitive data and sends the NISSA-sensitive data and the signature to the five-party platform server.
a7: and the five-party platform server performs signature verification on the received signature, and after the signature verification is passed, the NISSA sensitive data, the user personal identity information, the biological characteristics and other data are sent to the CTID platform server.
In the step, the data such as personal identity information, biological characteristics and the like of the user can be acquired through the terminal used by the user, and then the acquired data can be sent to the five-party platform server through the gateway, so that the five-party platform server sends NISSA sensitive data, the data such as the personal identity information, the biological characteristics and the like of the user to the CTID platform server.
Optionally, after the five-party platform server performs signature verification on the received signature and the signature verification passes, the corresponding key group can be obtained by searching according to the NISSA sensitive data, so that the data are encrypted and the MAC (Message Authentication Code ) is calculated through the key group, and the communication safety is ensured.
a8: the CTID platform server generates a network card according to the NISSA sensitive data, the user personal identity information, the biological characteristics and other data, and sends the network card to the five-party platform server.
a9: the five-party platform server encrypts the network certificate and sends the encrypted network certificate to the network certificate application.
a10: the network card application decrypts the encrypted network card and writes the decrypted network card into an application file system of the SIM card.
a11: the terminal prompts the successful opening of the network certificate.
The opening flow of the whole network certificate can be completed through the steps a1 to a 11.
Alternatively, the general process of network authentication may include the following b 1-b 9:
b1: and when the terminal detects that the user needs to transact the service, the terminal detects the living body information so as to acquire the cipher text digital identity of the SIM card.
Specifically, the terminal can detect living body information of the user through the SIM digital identity APP, and if the living body detection passes, the terminal acquires the ciphertext digital identity of the SIM card. Here, the ciphertext digital identity of the SIM card includes NISSA ciphertext data and an encrypted network certificate, where the NISSA ciphertext data needs to be obtained from a read-only memory area of the SIM card.
Alternatively, the living body information detection includes, but is not limited to: and (5) sweeping the face.
b2: the terminal applies for identity authentication to the five-party platform server based on the cipher text digital identity of the SIM card.
In this step, the identity authentication is the network authentication.
b3: and the five-party platform server sends the ciphertext digital identity of the SIM card to the NISSA server.
b4: the NISSA server decrypts the cipher text digital identity of the SIM card, determines whether the decrypted NISSA sensitive data is legal or not according to the NISSA sensitive data stored by the NISSA server, and returns a legal result and the decrypted network certificate to the five-party platform server if the decrypted NISSA sensitive data is legal. Optionally, in this step, the NISSA server may authenticate the ciphertext digital identity of the SIM card, and decrypt the ciphertext digital identity of the SIM card after the authentication is passed; optionally, if the five-party platform server in b3 signs the ciphertext digital identity of the SIM card before sending the ciphertext digital identity of the SIM card to the NISSA server, the step may further perform signature verification on the signed ciphertext digital identity of the SIM card, and decrypt the ciphertext digital identity of the SIM card after the signature verification passes.
After decrypting the ciphertext digital identity of the SIM card, the NISSA server can also compare the NISSA sensitive data stored by the NISSA server with the decrypted NISSA sensitive data so as to determine whether the decrypted NISSA sensitive data is legal or not according to a comparison result, and if so, a legal result and the decrypted network certificate can be returned to the five-party platform server.
b5: the five-party platform server inquires the mobile phone number state of the SIM card to determine whether the inquired mobile phone number state is normal or not.
In the step, the decrypted NISSA sensitive data legally represents that the digital identity state of the user is normal, and the state of the mobile phone number can be inquired at the moment to determine whether the inquired state of the mobile phone number is normal or not.
b6: and if the five-party platform server determines that the mobile phone number is normal, sending the decrypted network certificate to the CTID server.
b7: and the CTID server compares the decrypted network certificate, completes digital identity authentication and sends an authentication result to the five-party platform server.
b8: and the five-party platform server sends the authentication result to the terminal.
b9: and the terminal displays the authentication result.
In this step, the terminal can display the authentication result through the SIM digital identity APP.
The whole network certificate authentication flow can be completed through the steps b1 to b 9.
Referring to fig. 3, a schematic structural diagram of a hard network card sensitive data protection device applied to a server of a chip manufacturer according to an embodiment of the present application is shown, and as shown in fig. 3, the hard network card sensitive data protection device applied to the server of the chip manufacturer may include: an identification information transmitting module 301, and a NISSA-related data receiving and writing module 302.
The identification information sending module 301 is configured to send identification information of the SIM card to the NISSA server, so that the NISSA server generates NISSA related data based on the identification information of the SIM card, and sends the NISSA related data to the chip manufacturer server, where the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data.
The NISSA related data receiving and writing module 302 is configured to receive NISSA related data and write the NISSA related data into a read-only memory area of the SIM card.
According to the network card sensitive data hard protection method applied to the chip manufacturer server, the identification information of the SIM card is sent to the NISSA server, so that the NISSA server generates NISSA related data based on the identification information of the SIM card, the NISSA related data is sent to the chip manufacturer server, the NISSA related data is received, and the NISSA related data is written into a read-only storage area of the SIM card. Therefore, the embodiment of the application can write the NISSA related data into the read-only memory area of the SIM card after generating the NISSA related data according to the identification information of the SIM card, and the read-only memory area of the SIM card is not affected by the Applet upgrading, so that the NISSA related data in the read-only memory area of the SIM card can be kept even if the Applet upgrades.
In one possible implementation, if the NISSA-related data is NISSA-sensitive data, the NISSA-related data receiving and writing module 302 may include: the system comprises a first NISSA sensitive data encryption module and a NISSA ciphertext data writing module.
The first NISSA sensitive data encryption module is used for encrypting the NISSA sensitive data to obtain NISSA ciphertext data.
And the NISSA ciphertext data writing module is used for writing the NISSA ciphertext data into a read-only memory area of the SIM card.
In one possible implementation manner, the identification information of the SIM card in the network card sensitive data hard protection device applied to the server of the chip manufacturer provided in the embodiment of the present application is a user personal identification code of the SIM card.
The embodiment of the application also provides a network card sensitive data hard protection device applied to the NISSA server, the network card sensitive data hard protection device applied to the NISSA server provided by the embodiment of the application is described below, and the network card sensitive data hard protection device applied to the NISSA server and the network card sensitive data hard protection method described above can be correspondingly referred to each other.
Referring to fig. 4, a schematic structural diagram of a network certificate sensitive data hard protection device applied to a NISSA server according to an embodiment of the present application is shown, and as shown in fig. 4, the network certificate sensitive data hard protection device applied to the NISSA server may include: an identification information acquisition module 401, and a NISSA related data generation and transmission module 402.
The identification information obtaining module 401 is configured to obtain identification information of the SIM card.
The NISSA-related data generating and transmitting module 402 is configured to generate NISSA-related data according to the identification information of the SIM card, and transmit the NISSA-related data to the chip manufacturer server, so that the chip manufacturer server writes the NISSA-related data into the read-only memory area of the SIM card, where the NISSA-related data is NISSA-sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA-sensitive data.
According to the network card sensitive data hard protection method applied to the NISSA server, the identification information of the SIM card is obtained, the NISSA related data is generated according to the identification information of the SIM card, and the NISSA related data is sent to the chip manufacturer server, so that the chip manufacturer server can write the NISSA related data into a read-only memory area of the SIM card. Therefore, the embodiment of the application can write the NISSA related data into the read-only memory area of the SIM card after generating the NISSA related data according to the identification information of the SIM card, and the read-only memory area of the SIM card is not affected by the Applet upgrading, so that the NISSA related data in the read-only memory area of the SIM card can be kept even if the Applet upgrades.
In one possible implementation, if the NISSA-related data is NISSA ciphertext data, the NISSA-related data generating and transmitting module 402 may include: the system comprises an NISSA sensitive data generation module, a root key acquisition module and a second NISSA sensitive data encryption module.
The NISSA sensitive data generation module is used for generating NISSA sensitive data according to the identification information of the SIM card.
The root key acquisition module is used for acquiring the root key corresponding to the identification information of the SIM card from the pre-stored root key set.
And the second NISSA sensitive data encryption module is used for encrypting the NISSA sensitive data according to the root key to obtain NISSA ciphertext data.
The embodiment of the application also provides a network card sensitive data hard protection device which can be applied to a chip manufacturer server. Optionally, fig. 5 shows a block diagram of a hardware structure of a network card sensitive data hard protection device applied to a server of a chip manufacturer, and referring to fig. 5, the hardware structure of the network card sensitive data hard protection device applied to the server of the chip manufacturer may include: at least one processor 501, at least one communication interface 502, at least one memory 503, and at least one communication bus 504;
in the embodiment of the present application, the number of the processor 501, the communication interface 502, the memory 503, and the communication bus 504 is at least one, and the processor 501, the communication interface 502, and the memory 503 complete communication with each other through the communication bus 504;
the processor 501 may be a central processing unit CPU, or a specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present invention, etc.;
the memory 503 may include a high-speed RAM memory, and may further include a non-volatile memory (non-volatile memory), etc., such as at least one magnetic disk memory;
wherein the memory 503 stores a program, the processor 501 may call the program stored in the memory 503, the program being for:
the method comprises the steps of sending identification information of a SIM card to a NISSA server so that the NISSA server generates NISSA related data based on the identification information of the SIM card and sends the NISSA related data to a chip manufacturer server, wherein the NISSA related data are NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data are obtained by encrypting the NISSA sensitive data;
and receiving the NISSA related data and writing the NISSA related data into a read-only memory area of the SIM card.
Alternatively, the refinement function and the extension function of the program may be described with reference to the above.
The embodiment of the application also provides a network card sensitive data hard protection device which can be applied to the NISSA server. Optionally, fig. 6 shows a block diagram of a hardware structure of a network license sensitive data hard protection device applied to a NISSA server, and referring to fig. 6, the hardware structure of the network license sensitive data hard protection device applied to the NISSA server may include: at least one processor 601, at least one communication interface 602, at least one memory 603 and at least one communication bus 604;
in the embodiment of the present application, the number of the processor 601, the communication interface 602, the memory 603 and the communication bus 604 is at least one, and the processor 601, the communication interface 602 and the memory 603 complete communication with each other through the communication bus 604;
processor 601 may be a central processing unit CPU, or a specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present invention, etc.;
the memory 603 may include a high-speed RAM memory, and may further include a non-volatile memory (non-volatile memory), etc., such as at least one disk memory;
wherein the memory 603 stores a program, the processor 601 may call the program stored in the memory 603, the program being for:
acquiring identification information of the SIM card;
generating NISSA related data according to the identification information of the SIM card, and sending the NISSA related data to a chip manufacturer server so that the chip manufacturer server can write the NISSA related data into a read-only memory area of the SIM card, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data.
Alternatively, the refinement function and the extension function of the program may be described with reference to the above.
The embodiment of the application also provides a storage medium, which may store a program adapted to be executed by a processor, the program being configured to: the method realizes each processing flow of the NISSA server in the network card sensitive data hard protection method, or realizes each processing flow of the chip manufacturer server in the network card sensitive data hard protection method.
Finally, it is further noted that relational terms such as second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
In the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, and identical and similar parts between the embodiments are all enough to refer to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A hard protection method for network certificate sensitive data is characterized by being applied to a server of a chip manufacturer and comprising the following steps:
transmitting identification information of a SIM card to an NISSA server so that the NISSA server generates NISSA related data based on the identification information of the SIM card and transmits the NISSA related data to the chip manufacturer server, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data;
and receiving the NISSA related data and writing the NISSA related data into a read-only memory area of the SIM card.
2. The method for hard protecting network certificate sensitive data according to claim 1, wherein the NISSA related data is the NISSA sensitive data, and the writing the NISSA sensitive data into the read-only memory area of the SIM card comprises:
encrypting the NISSA sensitive data to obtain the NISSA ciphertext data;
and writing the NISSA ciphertext data into a read-only memory area of the SIM card.
3. The method for hard protecting network card sensitive data according to claim 1, wherein the identification information of the SIM card is a personal identity code of a user of the SIM card.
4. The hard protection method for the network certificate sensitive data is characterized by being applied to an NISSA server and comprising the following steps:
acquiring identification information of the SIM card;
generating NISSA related data according to the identification information of the SIM card, and sending the NISSA related data to a chip manufacturer server so that the chip manufacturer server can write the NISSA related data into a read-only storage area of the SIM card, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data.
5. The method for hard protecting network certificate sensitive data according to claim 4, wherein the NISSA-related data is NISSA ciphertext data, and generating NISSA-related data according to the identification information of the SIM card comprises:
generating the NISSA sensitive data according to the identification information of the SIM card;
acquiring a root key corresponding to the identification information of the SIM card from a pre-stored root key set;
and encrypting the NISSA sensitive data according to the root key to obtain the NISSA ciphertext data.
6. A network evidence sensitive data hard protection system, comprising: the NISSA server and the chip manufacturer server;
the chip manufacturer server is used for sending the identification information of the SIM card to the NISSA server;
the NISSA server is used for acquiring the identification information of the SIM card, generating NISSA related data according to the identification information of the SIM card, and sending the NISSA related data to the chip manufacturer server, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data;
the chip manufacturer server is also used for receiving the NISSA related data and writing the NISSA related data into a read-only memory area of the SIM card.
7. The utility model provides a net certificate sensitive data hard protection device which is characterized in that is applied to chip manufacturer server, includes: the NISSA related data receiving and writing module is used for receiving the NISSA related data;
the identification information sending module is used for sending the identification information of the SIM card to the NISSA server so that the NISSA server generates NISSA related data based on the identification information of the SIM card and sends the NISSA related data to the chip manufacturer server, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data;
the NISSA related data receiving and writing module is used for receiving the NISSA related data and writing the NISSA related data into a read-only memory area of the SIM card.
8. A network certificate sensitive data hard protection device, which is applied to a NISSA server, and comprises: the system comprises an identification information acquisition module and a NISSA related data generation and transmission module;
the identification information acquisition module is used for acquiring the identification information of the SIM card;
the NISSA related data generation and transmission module is used for generating NISSA related data according to the identification information of the SIM card and transmitting the NISSA related data to a chip manufacturer server so that the chip manufacturer server can write the NISSA related data into a read-only storage area of the SIM card, wherein the NISSA related data is NISSA sensitive data or NISSA ciphertext data, and the NISSA ciphertext data is obtained by encrypting the NISSA sensitive data.
9. The hard protection device for the network certificate sensitive data is characterized by comprising a memory and a processor;
the memory is used for storing programs;
the processor is configured to execute the program to implement the steps of the network certificate sensitive data hard protection method as claimed in any one of claims 1 to 3, or claims 4 to 5.
10. A readable storage medium having stored thereon a computer program, which when executed by a processor, performs the steps of the method for hard protection of network authentication sensitive data according to any of claims 1 to 3 or claims 4 to 5.
CN202111279411.5A 2021-11-01 2021-11-01 Hard protection method, system, device, equipment and storage medium for network certificate sensitive data Pending CN116070221A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111279411.5A CN116070221A (en) 2021-11-01 2021-11-01 Hard protection method, system, device, equipment and storage medium for network certificate sensitive data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111279411.5A CN116070221A (en) 2021-11-01 2021-11-01 Hard protection method, system, device, equipment and storage medium for network certificate sensitive data

Publications (1)

Publication Number Publication Date
CN116070221A true CN116070221A (en) 2023-05-05

Family

ID=86171964

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111279411.5A Pending CN116070221A (en) 2021-11-01 2021-11-01 Hard protection method, system, device, equipment and storage medium for network certificate sensitive data

Country Status (1)

Country Link
CN (1) CN116070221A (en)

Similar Documents

Publication Publication Date Title
US10595201B2 (en) Secure short message service (SMS) communications
US20180082050A1 (en) Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device
US7886355B2 (en) Subsidy lock enabled handset device with asymmetric verification unlocking control and method thereof
EP3522580B1 (en) Credential provisioning
CN100533459C (en) Data safety reading method and safety storage apparatus thereof
US20140365781A1 (en) Receiving a Delegated Token, Issuing a Delegated Token, Authenticating a Delegated User, and Issuing a User-Specific Token for a Resource
US20130145455A1 (en) Method for accessing a secure storage, secure storage and system comprising the secure storage
US20040266395A1 (en) Process for securing a mobile terminal and applications of the process for executing applications requiring a high degree of security
US20110131421A1 (en) Method for installing an application on a sim card
WO2006109307A2 (en) Method, device, and system of selectively accessing data
JP2004040717A (en) Equipment authentication system
CN106878245A (en) The offer of graphic code information, acquisition methods, device and terminal
CN103812649B (en) Method and system for safety access control of machine-card interface, and handset terminal
JP5135509B2 (en) Safe operation of computer equipment
CN111401901B (en) Authentication method and device of biological payment device, computer device and storage medium
CN103684786A (en) Method and system for storing digital certificate and binding digital certificate to hardware carrier
WO2019109640A1 (en) Method and device for locking sim card
CN108460597B (en) Key management system and method
KR20070059891A (en) Application authentication security system and method thereof
JPH10336172A (en) Managing method of public key for electronic authentication
JP2016012902A (en) Electronic data utilization system, portable terminal device, and method for electronic data utilization system
JP2010117995A (en) System, device and method for issuing application
CN110287725A (en) A kind of equipment and its authority control method, computer readable storage medium
CN116070221A (en) Hard protection method, system, device, equipment and storage medium for network certificate sensitive data
CN107682147B (en) Security management method and system for smart card chip operating system file

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination