CN117375870A - Active identification carrier, service equipment and system - Google Patents

Info

Publication number: CN117375870A
Application number: CN202210778576.5A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Prior art keywords: service, security, active, active identification, algorithm
Inventors: 袁满, 全建斌, 王明儒, 罗曼, 高艺力
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile IoT Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile IoT Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The invention provides an active identification carrier, service equipment and a system, and relates to the technical field of communication. The active identification carrier comprises an application program module and a security domain module. The application program module comprises: at least one first program unit, communicatively connected to the active identification carrier service device; and a second program unit, communicatively connected to the at least one first program unit. The security domain module comprises at least: an active identification domain, communicatively connected to the at least one first program unit; and a security authentication domain, communicatively connected to the second program unit. The security authentication domain stores N algorithm types and M service types. Because different algorithm types are set in the security authentication domain, the scheme can flexibly provide corresponding security authentication and security encryption algorithm schemes according to the different security requirement levels of the response messages received by the first program unit.

Description

Active identification carrier, service equipment and system
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an active identification carrier, a service device, and a system.
Background
Compared with passive identification carriers, active identification carriers are receiving more and more attention. Active identification, commodity tracing, industrial equipment life cycle management, equipment authentication and the like are carried out through the active identification carrier, which greatly enriches and facilitates people's future lives.
The prior-art scheme implements the security capability inside the application service logic: the encryption algorithm and the encryption service are hard-coded as fixed logic in the application, and the application security code is written into the card in actual use, so the security capability cannot be changed or replaced. If the encryption algorithm type needs to be upgraded or more service types need to be supported, the security module has to be redeveloped and the new service logic written into a new active identification carrier medium, or the identification application in the active identification carrier has to be updated, before the security capability can be expanded and upgraded.
Disclosure of Invention
The invention aims to provide an active identification carrier, service equipment and a system that overcome the prior-art defects that, once security code has been written into the active identification carrier, it cannot be changed or replaced, or the security module needs to be redeveloped.
To achieve the above object, an embodiment of the present invention provides an active identifier carrier, including: an application module and a security domain module;
the application program module comprises:
at least one first program unit, the at least one first program unit is in communication connection with the active identification carrier service device;
a second program element, said second program element being communicatively connected to said at least one first program element;
the security domain module comprises at least:
an active identification domain, the active identification domain being communicatively coupled to the at least one first program element;
a secure authentication domain communicatively coupled to the second program element; the security authentication domain stores N algorithm types and M service types;
the at least one first program unit is configured to send a first indication message to the active identifier carrier service device, and receive a first request response message sent by the active identifier carrier service device; the first indication message comprises an active identification carrier identification, a configured first target algorithm and a service request; the first request response message includes a target identity credential;
the second program unit is configured to configure a first target algorithm for the first indication message according to the first target algorithm sent by the security authentication domain;
the first target algorithm is determined according to the service request, N algorithm types and M service types.
Optionally, the first request response message further includes: a second target algorithm configured by the active identification carrier service device, the second target algorithm being determined according to the security module of the active identification carrier service device and the service request;
the second program unit is further configured to verify the second target algorithm according to a third target algorithm sent by the security authentication domain;
the third target algorithm is determined according to the service request, N algorithm types and M service types.
Optionally, the active identification domain is used for storing industrial identification carrier information and related configuration information;
the security authentication domain is used for storing a security certificate, a key and an encryption and decryption algorithm related to the user identity identification module card, and the security authentication domain determines a target algorithm required by the at least one first program unit according to the security certificate, the key and the encryption and decryption algorithm.
Optionally, the security authentication domain generates a key index table of M rows and N columns according to the N algorithm types and the M service types;
wherein each index parameter in the key index table has uniqueness.
Optionally, each index parameter in the key index table at least includes a first flag bit and a second flag bit;
the first flag bit represents an algorithm type; the second flag bit represents service type information.
Optionally, the active identification carrier further includes:
a system interface, through which the second program unit is connected with the at least one first program unit.
Optionally, the system interface provides the at least one first program unit with the corresponding first target algorithm;
wherein the system interface supports at least one of the first target algorithms.
Optionally, the active identification domain and the security authentication domain are independent security domains.
To achieve the above object, an embodiment of the present invention provides an active identification carrier service device, including:
a service module and a security module, wherein the service module is in communication connection with the security module;
the service module stores identification information and identification expansion information;
the security module stores a preset encryption algorithm or a key certificate; the service module is configured to receive a first indication message sent by at least one first program unit in an active identification carrier, and send a first request response message to the at least one first program unit, where the first indication message includes an active identification carrier identification, a first target algorithm configured by the active identification carrier, and a service request; the first request response message includes a target identity credential;
the security module is configured to parse the first target algorithm.
Optionally, the security module is further configured to configure a second target algorithm for the first request response message; the second target algorithm is determined according to the service level of the service request.
To achieve the above object, an embodiment of the present invention provides an active identification carrier system, including an active identification carrier as described above, and an active identification carrier service device as described above.
The technical scheme of the invention has the following beneficial effects:
In the above technical solution, the active identification carrier includes an application program module and a security domain module. The application program module comprises at least one first program unit, communicatively connected to the active identification carrier service device, and a second program unit, communicatively connected to the at least one first program unit. The at least one first program unit is configured to send a first indication message to the active identification carrier service device and to receive a first request response message sent by the active identification carrier service device; the first indication message comprises an active identification carrier identification, a configured first target algorithm and a service request, and the first request response message includes a target identity credential. The second program unit is configured to configure a first target algorithm for the first indication message according to the first target algorithm sent by the security authentication domain. The security domain module comprises at least an active identification domain, communicatively connected to the at least one first program unit, and a security authentication domain, communicatively connected to the second program unit; the security authentication domain stores N algorithm types and M service types. The first target algorithm is determined according to the service request, the N algorithm types and the M service types. The scheme can therefore provide security and authentication support for a plurality of first program units on one active identification carrier, can support security capability for requirements of different encryption algorithms, different encryption scenarios and different encryption complexity, and can flexibly provide corresponding security authentication and security encryption algorithm schemes according to the different security requirement levels of the response messages received by the first program units.
Drawings
FIG. 1 is a first block diagram of an active identification carrier provided by an embodiment of the present invention;
FIG. 2 is a block diagram of an active identification carrier service device provided by an embodiment of the present invention;
FIG. 3 is a block diagram of an active identification carrier system provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of a key index table provided by an embodiment of the present invention;
FIG. 5 is a second block diagram of an active identification carrier provided by an embodiment of the present invention.
Detailed Description
In order to make the technical problems to be solved, the technical solutions and the advantages more apparent, a detailed description is given below with reference to the accompanying drawings and specific embodiments.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present invention, it should be understood that the sequence numbers of the following processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
In addition, the terms "system" and "network" are often used interchangeably herein.
It should be noted that, regarding the handling of security capability on the active identification carrier (card), the main existing schemes are:
Prior technical scheme I: the first request message further includes a first password, and the active identification carrier service device includes a second password; before the active identification carrier service device determines the target identity credential according to the active identification carrier identification and the target algorithm, the scheme further comprises: determining that the first password matches the second password.
Prior technical scheme II: a key set (key set number, encryption algorithm name, encryption key value, cryptographic checksum algorithm name and key value, counter) is created to protect the mobile-originated message. The application on the SIM module of the mobile device receives the key via an SMS message or via another data channel. The SIM module is triggered to send a mobile-originated message from the mobile device to the cloud server. If either process is used to protect the mobile-originated message, the counter value is incremented and the cryptographic checksum is calculated. Once the mobile-originated message is sent to the cloud server, the server uses the key set to protect the message. However, for some FDD (frequency division duplex) systems with specific frequency bands, the interval between the uplink and downlink spectrums is relatively small, and for radio frequency systems, the third-order intermodulation interference products generated by the downlink transmission signals will be coupled into the uplink reception bandwidth, so that the noise floor of the receiver during uplink reception is raised and the probability of correct uplink demodulation is affected.
It should be noted that an active identification carrier carries the industrial internet identification code and its necessary security certificates, algorithms and keys, can be embedded into industrial equipment, has a networking communication function, and can actively initiate a connection to an identification resolution service node, an identification data application platform or the like without being triggered by identification read-write equipment. The active identification carrier can be a universal integrated circuit card (UICC), a communication module, a microcontroller unit (MCU) and the like.
In order to solve the above problems, the present disclosure proposes an active identification carrier, a service device and a system.
As shown in fig. 1 to 3, an active identifier carrier 1 according to an embodiment of the present invention is characterized by comprising: an application module 11 and a security domain module 12;
the application program module 11 includes:
at least one first program unit 111, said at least one first program unit 111 being communicatively connected to the active identification carrier service device 2; when the application program module 11 includes a first program unit 111, the first program unit 111 is an active industrial identification carrier unit;
a second program unit 112, said second program unit 112 being communicatively connected to said at least one first program unit 111;
the security domain module 12 comprises at least:
an active identification domain 121, the active identification domain 121 being communicatively connected to the at least one first program unit 111;
a secure authentication domain 122, said secure authentication domain 122 being communicatively connected to said second program element 112; the security authentication domain 122 stores N algorithm types and M service types;
wherein, the at least one first program unit 111 is configured to send a first indication message to the active identifier carrier service device 2, and receive a first request response message sent by the active identifier carrier service device 2; the first indication message comprises an active identification carrier 1 identification, a configured first target algorithm and a service request; the first request response message includes a target identity credential;
the second program unit 112 is configured to configure a first target algorithm for the first indication message according to the first target algorithm sent by the security authentication domain 122;
the first target algorithm is determined according to the service request, N algorithm types and M service types.
In this embodiment, the active identification carrier 1 is used for storing information related to industrial products, such as the industrial identification of an industrial product; the active identification carrier 1 is also used for communicating with the active identification carrier service device 2 to manage the information it stores. The active identification carrier 1 may be a UICC (universal integrated circuit card), a subscriber identity module card (SIM card) or a communication module.
It should be noted that, since the active identifier carrier 1 is usually a UICC or other component and does not have an independent communication capability, in practice, the active identifier carrier 1 needs to be configured with a corresponding terminal, so that the active identifier carrier 1 can communicate with the active identifier carrier service device and the enterprise information system through the terminal.
Optionally, a card unique identifier, a security service and an industrial identifier service (all in-card applications) are preset in the active identifier carrier 1.
In a specific embodiment, the at least one first program unit 111 sends a first indication message to the active identification carrier service device 2; the first indication message includes the identifier of the active identification carrier 1, the configured first target algorithm and a service request. When the service level of the service request is low, the active identification carrier service device 2 only needs to complete verification of the first target algorithm for authentication between the active identification carrier 1 and the active identification carrier service device 2 to be completed, and the active identification carrier service device 2 then returns a first request response message that includes a target identity credential. By matching the N algorithm types and the M service types to the first target algorithm, the security authentication domain 122 can support security capability for requirements of different encryption algorithms, different encryption scenarios and different encryption complexity, and can flexibly provide corresponding security authentication and security encryption algorithm schemes.
Optionally, the active identification domain 121 and the security authentication domain 122 are independent security domains.
Among the security domains in the card, a corresponding independent security domain is allocated separately to the active identification service and to the security authentication service. The industrial identification application and the secure SIM card application operate as independent applications.
In this embodiment, corresponding independent security domains are set for the at least one first program unit 111 and the second program unit 112, so that security and authentication support can be provided for a plurality of applications on the active identification carrier, and security capability can be supported for requirements of different encryption algorithms, different encryption scenarios and different encryption complexity. This avoids each vendor's active identification carrier application (the at least one first program unit 111) independently creating its own security capability and security key storage, which wastes valuable on-card space and on-card computing resources, and it reduces duplicate development and modification.
Optionally, the first request response message further includes: a second target algorithm configured by the active identification carrier service device 2, the second target algorithm being determined according to the security module 22 of the active identification carrier service device 2 and the service request;
the second program unit 112 is further configured to verify the second target algorithm according to a third target algorithm sent by the security authentication domain 122;
the third target algorithm is determined according to the service request, N algorithm types and M service types.
In this embodiment, if the service level of the service request is higher, for example an unlock request on a smart door lock, the security module 22 of the active identification carrier service device 2 configures a second target algorithm according to the service level of the service request and places the second target algorithm in the first request response message. The first program unit 111 receives the first request response message, and the second program unit 112 verifies the second target algorithm using the third target algorithm sent by the security authentication domain 122, thereby improving the security of the verification data.
Optionally, the active identification domain 121 is configured to store industrial identification carrier information and related configuration information;
the security authentication domain 122 is configured to store a security certificate, a key and an encryption/decryption algorithm related to a SIM card, and the security authentication domain 122 determines a target algorithm required by the at least one first program unit according to the security certificate, the key and the encryption/decryption algorithm.
In this embodiment, a security encryption algorithm and a corresponding service key are preset in the security authentication domain 122. The service key is distributed from the root key of the security module 22 of the active identification carrier service device 2 and card information; key distribution is a well-known technology and is not described here. The algorithms include the common AES and 3DES; Chinese national cryptographic standard (SM-series) algorithms such as SM4 and SM2; and one-way, tamper-resistant hash algorithms such as MD5, SHA1 and SHA2.
Optionally, the keys stored in the security authentication domain 122 include: an asymmetric key, used for signing, encrypting and decrypting operations; and a symmetric key, used for generating a temporary symmetric key for data encryption and decryption.
As shown in fig. 4, optionally, the security authentication domain 122 generates a key index table of M rows and N columns according to the N algorithm types and the M service types;
wherein each index parameter in the key index table has uniqueness.
Optionally, each index parameter in the key index table at least includes a first flag bit and a second flag bit;
the first flag bit represents an algorithm type; the second flag bit represents service type information.
In this embodiment, the key index table lays out as a matrix the different keys (or algorithm types) provided for different encryption and authentication algorithms and different services. For example, in the algorithm type column in FIG. 4, SM4, 3DES and AES each represent one type of key (or algorithm type), while identity authentication, secure transmission, sensitive data transmission and the like represent different service types. In each index parameter in FIG. 4, such as "01", the first flag bit "0" represents the algorithm type and the second flag bit "1" represents the service type information.
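The key index table and its use in the first indication message can be sketched as follows. This is an added example, not code from the patent; the one-decimal-digit flag encoding, the row and column ordering, the `POLICY` mapping, the message field names and the carrier ID are assumptions made for illustration.

```python
# Added illustration of the M x N key index table; not code from the patent.
# Flag order and encoding below are assumptions (FIG. 4 is not on the page).
ALGORITHM_TYPES = ("SM4", "3DES", "AES")              # N columns
SERVICE_TYPES = ("identity authentication",           # M rows
                 "secure transmission",
                 "sensitive data transmission")
# Hypothetical policy: which algorithm type serves which service type.
POLICY = {"identity authentication": "SM4",
          "secure transmission": "AES",
          "sensitive data transmission": "SM4"}


def build_key_index_table(service_types, algorithm_types):
    """Return {(service, algorithm): index parameter} for every table cell.

    The index parameter is two characters: the first flag is the algorithm
    type, the second flag is the service type (one decimal digit each).
    """
    for name, types in (("service", service_types), ("algorithm", algorithm_types)):
        if not 1 <= len(types) <= 10:
            raise ValueError(f"{name} types: need 1..10 entries for a one-digit flag")
        if len(set(types)) != len(types):
            raise ValueError(f"duplicate {name} type would break index uniqueness")
    table = {}
    for row, service in enumerate(service_types):
        for col, algorithm in enumerate(algorithm_types):
            table[(service, algorithm)] = f"{col}{row}"
    # Every index parameter must be unique across the whole table.
    if len(set(table.values())) != len(service_types) * len(algorithm_types):
        raise RuntimeError("index parameters are not unique")
    return table


def parse_index_parameter(index, service_types=SERVICE_TYPES,
                          algorithm_types=ALGORITHM_TYPES):
    """Decode an index parameter into (algorithm, service); reject bad input."""
    if not (isinstance(index, str) and len(index) == 2
            and index.isascii() and index.isdigit()):
        raise ValueError(f"malformed index parameter: {index!r}")
    col, row = int(index[0]), int(index[1])
    if col >= len(algorithm_types) or row >= len(service_types):
        raise ValueError(f"index parameter outside the table: {index!r}")
    return algorithm_types[col], service_types[row]


def build_first_indication(carrier_id, service_request, table, policy=POLICY):
    """Carrier side: pick the first target algorithm for the service request."""
    if service_request not in policy:
        raise ValueError(f"unsupported service request: {service_request!r}")
    index = table[(service_request, policy[service_request])]
    return {"carrier_id": carrier_id,
            "target_algorithm": index,
            "service_request": service_request}


def parse_first_indication(message):
    """Service side: parse the first target algorithm before using it.

    Fails closed when the index is unknown or its service flag does not match
    the service request carried in the same message (a check added here).
    """
    algorithm, service = parse_index_parameter(message["target_algorithm"])
    if service != message["service_request"]:
        raise ValueError("index parameter does not belong to the requested service")
    return algorithm


if __name__ == "__main__":
    table = build_key_index_table(SERVICE_TYPES, ALGORITHM_TYPES)
    # "CARRIER-0001" is a constructed carrier identifier.
    msg = build_first_indication("CARRIER-0001", "secure transmission", table)
    print(msg, "->", parse_first_indication(msg))
```

With this ordering, the index parameter "01" decodes to SM4 (first flag "0") for secure transmission (second flag "1"), and an index whose service flag disagrees with the requested service is rejected rather than silently accepted.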
Optionally, the active identification carrier 1 further includes:
the second program unit 112 is connected to the at least one first program unit 111 via a system interface.
In this embodiment, the security and authentication capability of the at least one first program unit 111 is provided by the second program unit 112 through a system interface, which may also be understood as an in-card interface, and the secure SIM card application provides the related capabilities of card identity authentication and encrypted storage, encrypted transmission, etc. of application sensitive data for other applications.
Optionally, the system interface provides the at least one first program unit 111 with a target algorithm required by the at least one first program unit;
wherein the system interface supports at least one target algorithm.
Through the in-card system interface, the invention provides flexible and rich authentication and encryption algorithm schemes and service type keys for a plurality of applications in the card, achieves standardized management of and standardized interfacing with the keys and encryption algorithms, and can rapidly adapt to the security authentication and security encryption requirements of a plurality of applications. When there are two or more first program units 111, the first program units other than the active industrial identification carrier unit do not need to develop the key algorithms again or store the keys again, which saves valuable storage space and computing resources on the card side and avoids both repeated work and the difficulty of extending the personalized security encryption and authentication services being interfaced.
It should be noted that the active identification carrier described above is a broad concept, and it is suitable for all currently known on-card applications. The active identification carrier can be applied to various intelligent terminals, including but not limited to smart door locks, electric cars, mobile phone terminals and smart watches, and its forms include but are not limited to traffic cards, SIM cards, USIM cards (universal subscriber identity cards), UICC cards (universal integrated circuit cards), etc.
In another specific embodiment, as shown in FIG. 5, the active identification carrier includes: application programs (application program module), security domains (security domain module), an operating system, and a hardware layer. The at least one first program unit in the application programs (application program module) comprises: application A, an active industrial identification carrier application, other applications, etc.; the second program unit is the secure SIM card application. The security domains (security domain module) comprise an active identification domain corresponding to the active industrial identification carrier application, a security authentication domain corresponding to the secure SIM card application, other identification domains corresponding to other applications, and a communication domain. The operating system includes: an application management unit, a security management unit, a system framework, a system interface and the like. The hardware layer comprises: a hardware management unit, an algorithm management unit, a configuration data unit, an identification data unit, etc.
The above description covers only the communication, encryption and other operations among the second program unit 112, the at least one first program unit 111, the active identification domain 121 and the security authentication domain 122, and the function of the system interface; other components of the active identification carrier may be set according to specific communication requirements.
As shown in fig. 2 to 3, the present invention further provides an active identifier carrier service device 2, including:
a service module 21 and a security module 22, wherein the service module 21 and the security module 22 are in communication connection;
the service module 21 stores identification information and identification extension information;
the security module 22 stores a preset encryption algorithm or key certificate; the service module 21 is configured to receive a first indication message sent by at least one first program unit 111 in the active identifier carrier 1, and send a first request response message to the at least one first program unit 111, where the first indication message includes an active identifier carrier 1 identifier, a first target algorithm configured by the active identifier carrier 1, and a service request; the first request response message includes a target identity credential;
the security module 22 is configured to parse the first target algorithm.
It should be noted that the active identifier carrier service device 2 is configured to communicate with an enterprise information system and to manage the information of the active identifier carrier 1, such as adding and deleting information stored in the active identifier carrier 1; the active identification carrier service device 2 is further configured to verify the identity of the active identification carrier 1. The active identifier carrier service device 2 may be one server in a server cluster (including a plurality of servers), a chip in that server, a system on a chip in that server, or a Virtual Machine (VM) deployed on a physical machine.
In this embodiment, the security module 22 may decrypt the first indication message sent by the at least one first program unit 111 in the active identifier carrier 1 and complete verification of the active identifier carrier 1, so as to determine whether the active identifier carrier 1 can continue with a subsequent service request. Here, the service module 21 stores identification information and identification extension information, where the identification information may be information of the active identification carrier 1, such as identification information of the active identification carrier 1, and the identification extension information may be additional information bound to the active identification carrier 1. For example, the identification information stores the identification information of the active identification carrier 1 of a vehicle terminal, but the active identification carrier 1 may also be bound with information such as the color, model and distance travelled of the vehicle.
Optionally, the security module 22 is further configured to configure a second target algorithm for the first request response message; the second target algorithm is determined according to the service level of the service request.
Of course, after the security module 22 finishes decrypting the first indication message, it determines whether to encrypt the first indication message according to the service request in the first indication message. If the service level of the service request is relatively high, for example unlocking an intelligent door lock, a second target algorithm must be configured for the first request response message before it is returned, and the active identification carrier on the terminal side must complete decryption before the subsequent service request can proceed, which further improves the security of the verification data.
In summary, in the above technical solution, a second program unit and at least one first program unit are disposed at one end of the active identifier carrier, and the two independent applications respectively have independent security domains, i.e. an active identifier domain and a security authentication domain, and the security capability of the at least one first program unit is provided by the second program unit application through the in-card interface; the service module and the security module arranged at one end of the active identification carrier service equipment can realize the verification of the service and the encryption. The security authentication domain and the security module can flexibly provide corresponding security authentication and security encryption algorithm schemes according to different security requirement levels of the industrial identification carrier application.
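An added illustration, not code from the patent: the exchange described above (first indication message, verification by the security module, second target algorithm only for higher service levels), using the M-row, N-column key index table recited in the claims. HMAC from the Python standard library stands in for the unspecified target algorithms, and the algorithm flags, service names, index packing, selection policy and shared key table are all assumptions.

```python
import hashlib
import hmac
import os

# Assumed values: the patent only says "N algorithm types and M service types".
ALGS = {1: hashlib.sha256, 2: hashlib.sha512}        # first flag: algorithm type
SERVICES = {1: "read_identifier", 2: "door_unlock"}  # second flag: service type
HIGH_LEVEL = {2}                                     # services needing a protected response

def build_key_index_table():
    """M rows x N columns; each index packs (algorithm flag, service flag) and is unique."""
    table = {(alg << 8) | svc: os.urandom(32) for svc in SERVICES for alg in ALGS}
    if len(table) != len(ALGS) * len(SERVICES):
        raise ValueError("index parameters are not unique")
    return table

def select_index(svc):
    """Assumed policy: high-level services use algorithm 2, others algorithm 1."""
    return ((2 if svc in HIGH_LEVEL else 1) << 8) | svc

def _tag(table, index, data):
    return hmac.new(table[index], data, ALGS[index >> 8]).digest()

def first_indication(table, carrier_id, svc, index=None):
    """Carrier side: carrier identifier, configured algorithm index, service request."""
    index = select_index(svc) if index is None else index
    body = carrier_id.encode() + index.to_bytes(2, "big")
    return {"carrier_id": carrier_id, "index": index, "service": svc,
            "tag": _tag(table, index, body)}

def handle_indication(table, msg):
    """Service device side: parse the index, verify the carrier, answer with a credential."""
    index, svc = msg["index"], msg["service"]
    if index not in table or index != select_index(svc):
        return None  # unknown index, or algorithm weaker than the service level requires
    body = msg["carrier_id"].encode() + index.to_bytes(2, "big")
    if not hmac.compare_digest(_tag(table, index, body), msg["tag"]):
        return None  # carrier could not be verified
    resp = {"credential": b"constructed-credential", "second_index": None}
    if svc in HIGH_LEVEL:  # second target algorithm only for high service levels
        resp["second_index"] = index
        resp["tag"] = _tag(table, index, resp["credential"])
    return resp

def verify_response(table, resp):
    """Carrier side: check the second target algorithm when one was applied."""
    if resp["second_index"] is None:
        return True
    expected = _tag(table, resp["second_index"], resp["credential"])
    return hmac.compare_digest(expected, resp["tag"])
```

The service side rejects an index whose algorithm flag is weaker than the service level requires, which is the check that stops a downgrade of the first target algorithm; the sketch carries no nonce or counter, so a real message format would also need replay protection.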
An alternative embodiment of the invention also provides an active identity carrier system, characterized by comprising an active identity carrier as claimed in any one of the preceding claims, and an active identity carrier service device as described above.
In an embodiment of the invention, the modules may be implemented in software for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Indeed, a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Likewise, operational data may be identified within modules and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices.
Where a module can be implemented in software, then, taking into account the level of existing hardware technology, one skilled in the art may, without regard to cost, build corresponding hardware circuitry to achieve the corresponding functions, including conventional Very Large Scale Integration (VLSI) circuits or gate arrays, and existing semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
The exemplary embodiments described above are described with reference to the drawings. Many different forms and embodiments are possible without departing from the spirit and teachings of the present invention, and therefore the present invention should not be construed as limited to the exemplary embodiments set forth herein. Rather, these exemplary embodiments are provided so that this disclosure will be thorough and complete, and will convey the scope of the invention to those skilled in the art. In the drawings, the size of the elements and relative sizes may be exaggerated for clarity. The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Unless otherwise indicated, a range of values includes the upper and lower limits of the range and any subranges therebetween.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (11)

1. An active identification carrier, comprising: an application module and a security domain module;
the application program module comprises:
at least one first program unit, the at least one first program unit is in communication connection with the active identification carrier service device;
a second program unit, the second program unit being communicatively connected to the at least one first program unit;
the security domain module comprises at least:
an active identification domain, the active identification domain being communicatively coupled to the at least one first program unit;
a security authentication domain communicatively coupled to the second program unit; the security authentication domain stores N algorithm types and M service types;
the at least one first program unit is configured to send a first indication message to the active identifier carrier service device, and receive a first request response message sent by the active identifier carrier service device; the first indication message comprises an active identification carrier identification, a configured first target algorithm and a service request; the first request response message includes a target identity credential;
the second program unit is configured to configure a first target algorithm for the first indication message according to the first target algorithm sent by the security authentication domain;
the first target algorithm is determined according to the service request, N algorithm types and M service types.
2. The active identification carrier of claim 1, wherein the first request response message further comprises: a second target algorithm configured by the active identification carrier service device, the second target algorithm being determined according to the security module of the active identification carrier service device and the service request;
the second program unit is further configured to verify the second target algorithm according to a third target algorithm sent by the security authentication domain;
the third target algorithm is determined according to the service request, N algorithm types and M service types.
3. The active identification carrier of claim 1, wherein the active identification domain is configured to store industrial identification carrier information and related configuration information;
the security authentication domain is used for storing a security certificate, a key and an encryption and decryption algorithm related to the subscriber identity module (SIM) card, and the security authentication domain determines a target algorithm required by the at least one first program unit according to the security certificate, the key and the encryption and decryption algorithm.
4. The active identification carrier of claim 1, wherein the active identification carrier comprises a plurality of active identification elements,
generating a key index table of M rows and N columns in the security authentication domain according to the N algorithm types and the M service types;
wherein each index parameter in the key index table has uniqueness.
5. The active identification carrier of claim 4, wherein each index parameter in the key index table comprises at least a first flag bit and a second flag bit;
the first flag bit represents an algorithm type; the second flag bit represents service type information.
6. The active identification carrier of claim 1, further comprising a system interface;
the second program unit is connected with the at least one first program unit through the system interface.
7. The active identification carrier of claim 6, wherein the system interface provides the at least one first program unit with a target algorithm required by the at least one first program unit;
wherein the system interface supports at least one target algorithm.
8. The active identification carrier of claim 1, wherein the active identification domain and the security authentication domain are independent security domains.
9. An active identification carrier service device, comprising:
a service module and a security module, wherein the service module is in communication connection with the security module;
the service module stores identification information and identification extension information;
the security module stores a preset encryption algorithm or a key certificate; the service module is configured to receive a first indication message sent by at least one first program unit in an active identification carrier, and send a first request response message to the at least one first program unit, where the first indication message includes an active identification carrier identification, a first target algorithm configured by the active identification carrier, and a service request; the first request response message includes a target identity credential;
the security module is configured to parse the first target algorithm.
10. The active identity carrier service device of claim 9, wherein the security module is further configured to configure a second target algorithm for the first request response message; the second target algorithm is determined according to the service level of the service request.
11. An active identification carrier system comprising an active identification carrier as claimed in any one of claims 1 to 8 and an active identification carrier service device as claimed in any one of claims 9 to 10.
CN202210778576.5A 2022-06-30 2022-06-30 Active identification carrier, service equipment and system Pending CN117375870A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210778576.5A CN117375870A (en) 2022-06-30 2022-06-30 Active identification carrier, service equipment and system

Publications (1)

Publication Number Publication Date
CN117375870A true CN117375870A (en) 2024-01-09

Family

ID=89401028

Country Status (1)

Country Link
CN (1) CN117375870A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination