WO2013167082A2 - Digital certificate function implementation method for mobile terminal and mobile terminal - Google Patents


Info

Publication number
WO2013167082A2
Authority
WO
WIPO (PCT)
Prior art keywords
digital certificate
mobile terminal
smart card
management module
client
Application number
PCT/CN2013/080133
Other languages
French (fr)
Chinese (zh)
Other versions
WO2013167082A3 (en)
Inventor
陈颖
缪海翔
马少峰
Original Assignee
中兴通讯股份有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • the present invention relates to the field of communications technologies, and in particular to a method for implementing the digital certificate function of a mobile terminal, and to a mobile terminal.
  • USBKey digital certificate function: when the user accesses an ordinary website or ordinary information on the government network, no identity authentication is required, but when government staff or authorized personnel log in to the government network for confidential information, identity authentication is required.
  • digital certificates require a storage medium (software, CD-ROM, USBKey, etc.), which means that a user who wants to access the Internet securely with a mobile terminal must carry two devices, a wireless Internet device and a digital certificate, and the Internet terminal device must have two interfaces at the same time, one used by the network card and the other used by the digital certificate. This is inconvenient to carry and use, and also increases the cost of use.
  • this document provides a method of combining the wireless network card and the digital certificate into one.
  • Digital certificate technology is a general term for encryption technology based on digital certificates.
  • the digital certificate is issued by the Certification Authority (CA), and the CA is an authoritative, fair and trustworthy third party. Its role is crucial.
  • CA: Certification Authority
  • for the issuance and management of digital certificates, the user must take the relevant documents to a local certificate acceptance point, or go directly to the certificate issuing authority (the CA center) to fill in an application form and undergo identity verification. After the verification is passed, the user receives the medium holding the certificate (a magnetic disk, an IC card, a USBKey, etc.) and a password envelope containing the password.
  • the format of digital certificates is generally based on the X.509 v3 international standard, and includes the serial number of the certificate, the name of the certificate holder, the name of the certificate issuer, the validity period of the certificate, the public key, the digital signature of the certificate issuer, and so on.
  • Digital certificates are usually placed on a storage medium as a file.
  • a certificate with a private key is defined by the PKCS#12 (Public Key Cryptography Standards #12) standard, with .pfx as the certificate file suffix.
  • a digital certificate in the .cer format has only the public key and no private key.
  • digital certificates can be divided into: server certificates, email certificates and client certificates.
  • client certificates are primarily used for authentication and electronic signatures.
  • the client certificate is stored in a dedicated storage medium, such as an IC card or a Key, and USBKey is the most common storage medium.
  • the certificate on the storage medium cannot be exported or copied, and the protection password of the storage medium must be entered when the medium is used.
  • This type of authentication is one of the most secure authentication methods on the Internet.
  • the process of using the digital certificate is as follows: when a digital certificate is used for identity authentication, it randomly generates a 128-bit identity code; each digital certificate can generate a corresponding code that cannot be the same twice, which guarantees the confidentiality of data transmission and is equivalent to generating a complex password.
  • the purpose of the embodiments of the present invention is to provide a mobile terminal digital certificate function implementation method and a mobile terminal integrating the digital certificate function.
  • the embodiment of the present invention provides a method for implementing the digital certificate function of a mobile terminal. The method includes: after the mobile terminal is connected to a PC through a USB interface, the mobile terminal powers on and initializes the USB port; the PC determines whether a new USB device has been connected and, if so, maps the port onto the USB interface; the smart card in the mobile terminal that stores the digital certificate interacts with the PC side through the smart card management module; and the PC side driver starts the digital certificate client.
  • the smart card storing the digital certificate interacts with the smart card management module through the ISO 7816 protocol.
  • the smart card management module performs transparent-transmission interaction through the MCSP/PKCS11 protocol, via the board side driver of the mobile terminal and the digital certificate PC side driver on the PC side, and starts the digital certificate client.
  • the smart card is a UICC
  • the port includes an AT port, a Modem port, and a standard USB device interface.
  • the digital certificate client initiates a digital certificate operation by operating a command MCSP/PKCS11 data packet.
  • the embodiment of the present invention further provides a mobile terminal, where the mobile terminal includes a smart card, a smart card management module, and a board side driver;
  • the smart card stores a digital certificate
  • the smart card management module implements operation on the smart card digital certificate, and the smart card management module and the smart card communicate through a standard protocol;
  • the board side driver interacts with the digital certificate PC side driver through a protocol to start the digital certificate client.
  • the smart card storing the digital certificate interacts with the smart card management module through the ISO 7816 protocol.
  • the smart card management module starts the digital certificate client through interaction between the board side driver of the mobile terminal and the digital certificate PC side driver on the PC side.
  • the smart card is a UICC card.
  • the digital certificate client initiates a digital certificate operation by operating a command MCSP/PKCS11 data packet.
  • the embodiment of the present invention has the following beneficial effects:
  • the mobile terminal has a digital certificate function, and it is unnecessary to add a new digital certificate device, which is greatly convenient for the user to use.
  • FIG. 1 is a schematic diagram showing the composition of a digital certificate for implementing a wireless internet data card according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram showing the composition of a digital certificate implemented by the mobile phone according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram showing the composition of a digital certificate implemented by a PAD according to an embodiment of the present invention
  • FIG. 4 is a schematic flowchart of a method for implementing data channel creation between a digital certificate client and a mobile communication terminal according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of the implementation process of a digital certificate operation according to an embodiment of the present invention.
  • Embodiments of the present invention provide a method for implementing a digital certificate function of a mobile terminal and a mobile communication terminal having a digital certificate function.
  • the core idea of the embodiment of the present invention is implemented by a software method, without hardware modification of the mobile communication terminal device.
  • the method described in this document involves the following key issues: how to store digital certificates on a mobile terminal, how to read and write the digital certificates stored on the mobile terminal, and how digital certificates are applied on the mobile terminal.
  • digital certificates are stored on a disk, an IC card or a USBKey.
  • the component that can serve as a digital certificate storage medium and is indispensable to the terminal device is none other than the UICC.
  • the UICC is a removable smart card used to store information such as operator subscription information, authentication keys, phone books, and short messages.
  • the UICC can include a variety of logical applications, such as a Subscriber Identity Module (SIM), a Universal Subscriber Identity Module (USIM), and an IP Multimedia Service Identity Module (ISIM).
  • SIM: Subscriber Identity Module
  • USIM: Universal Subscriber Identity Module
  • ISIM: IP Multimedia Service Identity Module
  • the UICC digital certificate is very similar to the USBKey digital certificate; the main difference lies in the external hardware interface.
  • the hardware interface of the USBKey is a USB port
  • the hardware interface of the UICC is the UICC-terminal interface.
  • in order to realize the digital certificate function, in addition to providing storage space for the digital certificate, the UICC also needs an RSA hardware coprocessor to support asymmetric-algorithm encryption.
  • the mobile service operator first needs to create a special UICC card for the designated group users.
  • the card can also provide security services such as the RSA algorithm, identity authentication and data encryption and decryption, and provides digital certificate storage space.
  • the enterprise to which the group user belongs applies for a digital certificate for each customer; after the certification center (CA) has produced the digital certificate, the digital certificate is stored in the UICC card;
  • the operator issues to the group customer a mobile communication terminal, that is, a mobile communication terminal with a digital certificate, supporting reading and application of the digital certificate.
  • operation of the digital certificate is realized through the encryption device management interface, which is used to manage encryption devices in hardware or software form and implements data encryption, decryption, digital signature, verification and data digest (i.e. HASH); see Fig. 1 to Fig. 3.
  • the digital certificate on the mobile communication terminal should be used normally, and the following contents need to be implemented:
  • the digital certificate client (PC/AP side application) remains unchanged; mobile communication terminal device drivers are provided, including a PC side driver and a board side driver.
  • the operations of the digital certificate client (PC/AP side application) on the digital certificate are implemented by the MCSP protocol or the PKCS11 protocol, and the operations are transparently transmitted to the board side driver through the PC side driver.
  • the UICC management module needs to implement the operation of the UICC digital certificate.
  • the UICC management module communicates with the UICC through the ISO 7816 standard protocol.
  • the MCSP protocol or PKCS11 protocol packet passed between the two is first packaged into an ISO 7816 standard packet and then transmitted.
  • Figure 1, Figure 2 and Figure 3 show the connections for the wireless data card, the mobile phone and the PAD respectively.
  • the wireless internet data card includes a board side driver, a UICC management module, and a UICC digital certificate.
  • the UICC management module and the UICC digital certificate interact through the ISO 7816 protocol.
  • the PC side includes a digital certificate PC side driver and a digital certificate client.
  • the digital certificate PC side driver and the digital certificate client interact through the MCSP protocol.
  • FIG. 2 is a design scheme of a mobile phone having a digital certificate function
  • the mobile phone includes a mobile digital certificate client, a UICC management module, and a UICC digital certificate.
  • the UICC management module and the UICC digital certificate interact through the ISO 7816 protocol, and the UICC management module and the mobile digital certificate client interact through the PKCS11 protocol.
  • FIG. 3 is a design scheme of the PAD having a digital certificate function
  • the PAD includes an AP side and a wireless network module.
  • the AP side includes a digital certificate AP side driver and a digital certificate client.
  • the digital certificate AP side driver and the digital certificate client interact through the MCSP protocol.
  • the wireless internet module includes a board side driver, a UICC management module, and a UICC digital certificate.
  • the UICC management module and the UICC digital certificate interact through the ISO 7816 protocol.
  • the board side driver and the digital certificate AP side driver interact through the MCSP/PKCS11 protocol.
  • Step 101: Determine whether it is a mobile terminal; if yes, the process ends, if not, proceed to step 102;
  • the mobile communication terminal device is a mobile phone terminal
  • the digital certificate client and the UICC management module are on the same mobile phone platform and can communicate directly, so no USB interface driver is required to relay between them.
  • Step 102: The hardware connection between the PC/AP side and the mobile communication terminal uses a USB interface; when the terminal device is a wireless network card or a PAD rather than a mobile phone, the PC/AP side and the mobile communication terminal are connected through the USB interface.
  • Step 103: Judge whether the USB interface is initialized normally; if so, proceed to step 104, if not, proceed to step 106;
  • after the mobile communication terminal device is connected to the PC through the USB interface, the device first powers on and then initializes the USB port.
  • the PC determines whether a new USB device has been connected. If a new device has been connected, go to step 104; otherwise, no new USB device is connected, go to step 106;
  • Step 104: Map the AT port, the Modem port and the standard USB device port onto the USB port; the board side driver performs an enumeration (Enumerate) operation and maps the AT port, the Modem port and the standard USB device interface service onto the USB port.
  • the board side driver of the mobile communication terminal device needs to support the standard USB device interface in order to implement the digital certificate function.
  • the AT port and Modem port are used for the general functions of the mobile terminal device (Internet access, short messages, phone book, etc.), and the standard USB interface is used for the digital certificate function.
  • the standard USB device driver is provided by the operating system. By using a standard USB device driver, the PC side digital certificate client can support both an ordinary USBKey digital certificate and the digital certificate on the mobile terminal device without any modification.
  • Step 105: Determine whether the port mapping is successful; if successful, proceed to step 107, if not, proceed to step 106;
  • Step 106: The data channel creation failed.
  • Step 107: The data channel is created successfully.
  • FIG. 5 is a schematic flowchart of the implementation process of the digital certificate operation in the embodiment of the present invention; the specific implementation steps are as follows:
  • Step 201: The digital certificate client initiates a digital certificate operation; the operation command is an MCSP/PKCS11 data packet;
  • the digital certificate client initiates a digital certificate related operation. The operation between the digital certificate client and an ordinary USBKey type digital certificate is performed through the MCSP/PKCS11 protocol, so the operation command is an MCSP/PKCS11 data packet.
  • Step 202: Determine whether the terminal is a mobile phone; if yes, go to step 206, if not, go to step 203;
  • Step 203: The PC/AP side driver and the board side driver transparently transmit the MCSP/PKCS11 protocol;
  • after receiving an MCSP/PKCS11 protocol data packet addressed to the mobile communication terminal device, the PC/AP side driver packages the data packet directly into the USB format and sends it to the mobile communication terminal device.
  • the package format is as follows: USB data packet header | USB data packet body
  • Step 205: The board side driver receives the USB packet, takes out the MCSP/PKCS11 protocol data packet, and forwards it to the UICC management module;
  • the board side driver of the mobile communication terminal device receives the USB data packet from the standard USB device interface, removes the USB packet header, extracts the MCSP/PKCS11 protocol data packet from the package body, and forwards it to the UICC management module;
  • Step 206: After receiving the MCSP/PKCS11 protocol data packet, the UICC management module packages it into an ISO 7816 standard data packet and forwards it to the UICC.
  • after receiving the MCSP/PKCS11 data packet, the UICC management module does not process the data; it directly packages the data according to the ISO 7816 standard format and sends it to the UICC.
  • the package format is as follows:
  • the package body is defined as follows:
  • Step 207: The UICC extracts the MCSP/PKCS11 data packet from the ISO 7816 standard data packet and performs the corresponding operation according to the content of the packet;
  • the UICC processes the received ISO 7816 data packet and extracts the MCSP/PKCS11 data packet from it, and the UICC performs the corresponding operation according to the specific content of the MCSP/PKCS11 data packet;
  • Step 208: The UICC returns an operation response result; the operation result is an MCSP/PKCS11 data packet.
  • Step 209: The UICC packages the MCSP/PKCS11 data packet into an ISO 7816 data packet and returns it to the UICC management module.
  • the format of the response packet is as follows:
  • the data field is optional.
  • the response packet consists of at least one status word.
  • the status word indicates the processing status of the command, that is, whether the command was executed correctly and, if not, the reason.
  • SW1 indicates the command processing status
  • SW2 indicates the command processing qualifier (the further detail of SW1)
  • Step 210: Determine whether it is a mobile terminal; if the mobile communication terminal device is a mobile phone terminal, go to step 214, otherwise (the terminal device is a wireless internet data card or a PAD) go to step 211;
  • Step 211: The UICC management module extracts the MCSP/PKCS11 data packet from the ISO 7816 data packet and transmits the data packet to the board side driver.
  • Step 212: The board side driver packages the MCSP/PKCS11 data packet into a USB data packet and sends it to the PC/AP side through the standard USB device interface;
  • Step 213: After receiving the USB data packet, the PC/AP side driver extracts the MCSP/PKCS11 data packet from it and transmits the data packet to the digital certificate client.
  • Step 214: The digital certificate client analyzes the MCSP/PKCS11 data packet and performs the corresponding operation according to the response result of the UICC;
  • the digital certificate operation process is completed.
  • the embodiment of the present invention combines a wireless network card and a digital certificate into one, so that the mobile terminal has a digital certificate function; the digital certificate function is integrated into the mobile terminal.
  • therefore, the invention eliminates the need to add a new digital certificate device, which is greatly convenient for the user.
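The packet nesting that the steps above describe, as an added illustration in Python (not code from the patent or its assignee): the UICC management module places the opaque MCSP/PKCS11 packet unchanged inside an ISO 7816-4 command APDU, a toy UICC answers with optional data followed by SW1 SW2, and the status word is interpreted. The ISO 7816-4 APDU layout is the standard one; the CLA/INS values, the sample packet bytes and the toy card are constructed assumptions, since the package tables are not reproduced on this page.

```python
# Added example (not from the patent or its assignee).  Models the wrapping the
# patent describes: an opaque MCSP/PKCS#11 packet goes unchanged into an
# ISO 7816-4 command APDU; the UICC answers with optional data plus SW1 SW2.
# CLA/INS values, payload bytes and the toy UICC are constructed placeholders.
from dataclasses import dataclass
from typing import Callable, Tuple

TUNNEL_CLA = 0x80  # placeholder proprietary class byte (assumption)
TUNNEL_INS = 0x01  # placeholder "tunnel packet" instruction (assumption)

def wrap_apdu(payload: bytes, cla: int = TUNNEL_CLA, ins: int = TUNNEL_INS,
              p1: int = 0, p2: int = 0) -> bytes:
    """ISO 7816-4 case-4 command APDU around an opaque payload.
    <=255 bytes: short Lc/Le (one byte each); larger: extended length
    (00 + two-byte Lc, two-byte Le).  Le 0 asks for the maximum response."""
    n = len(payload)
    if n == 0:
        raise ValueError("payload must not be empty")
    if n <= 255:
        return bytes([cla, ins, p1, p2, n]) + payload + b"\x00"
    if n <= 65535:
        return (bytes([cla, ins, p1, p2, 0]) + n.to_bytes(2, "big")
                + payload + b"\x00\x00")
    raise ValueError("payload does not fit in one APDU")

def unwrap_apdu(apdu: bytes) -> Tuple[int, int, int, int, bytes]:
    """Card-side parse: (CLA, INS, P1, P2, payload); raises on bad lengths."""
    if len(apdu) < 5:
        raise ValueError("APDU shorter than header + Lc")
    cla, ins, p1, p2, b4 = apdu[:5]
    if b4:                                   # short form, Lc = b4
        lc, start, le_len = b4, 5, 1
    else:                                    # extended form
        if len(apdu) < 7:
            raise ValueError("truncated extended Lc")
        lc, start, le_len = int.from_bytes(apdu[5:7], "big"), 7, 2
    if len(apdu) != start + lc + le_len:
        raise ValueError("Lc/Le do not match APDU length")
    return cla, ins, p1, p2, bytes(apdu[start:start + lc])

@dataclass(frozen=True)
class Response:
    data: bytes  # optional response data
    sw1: int     # processing status
    sw2: int     # qualifier of SW1

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2

def parse_response(raw: bytes) -> Response:
    """Split a response APDU into optional data and the mandatory SW1 SW2."""
    if len(raw) < 2:
        raise ValueError("response must carry at least SW1 SW2")
    return Response(bytes(raw[:-2]), raw[-2], raw[-1])

EXACT_STATUS = {
    0x9000: "success",
    0x6700: "wrong length",
    0x6982: "security status not satisfied (PIN not verified)",
    0x6D00: "instruction not supported",
}

def describe_status(sw1: int, sw2: int) -> str:
    """Text for common ISO 7816-4 status words; SW2 qualifies SW1."""
    sw = (sw1 << 8) | sw2
    if sw1 == 0x61:
        return f"success, {sw2} more bytes available via GET RESPONSE"
    if sw1 == 0x6C:
        return f"wrong Le, resend with Le={sw2}"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        return f"verification failed, {sw2 & 0x0F} tries left"
    return EXACT_STATUS.get(sw, f"unhandled status {sw:04X}")

def toy_uicc(pin_verified: bool,
             handler: Callable[[bytes], bytes]) -> Callable[[bytes], bytes]:
    """Constructed stand-in for the UICC: validates the header, refuses to
    work until the PIN is verified, else returns handler(packet) + 90 00."""
    def process(apdu: bytes) -> bytes:
        try:
            cla, ins, _, _, inner = unwrap_apdu(apdu)
        except ValueError:
            return b"\x67\x00"
        if (cla, ins) != (TUNNEL_CLA, TUNNEL_INS):
            return b"\x6d\x00"
        if not pin_verified:
            return b"\x69\x82"
        return handler(inner) + b"\x90\x00"
    return process

def tunnel(card: Callable[[bytes], bytes], packet: bytes) -> Response:
    """The UICC management module's job: wrap, send to the card, parse."""
    return parse_response(card(wrap_apdu(packet)))

# Constructed sample: a fake two-byte-tagged MCSP/PKCS#11 packet and a handler.
SAMPLE_PACKET = b"\x01\x02" + b"sign:hello"
CARD = toy_uicc(True, lambda pkt: b"SIG(" + pkt[2:] + b")")
LOCKED_CARD = toy_uicc(False, lambda pkt: b"never reached")
```

A real management module would additionally have to honour a 61xx/6Cxx status word by issuing GET RESPONSE or resending with the corrected Le before handing data back to the client.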

Abstract

Disclosed is a digital certificate function implementation method for a mobile terminal. The method comprises: after the mobile terminal accesses a PC side through a USB interface, the mobile terminal powering on and starting up, and initializing a USB port; and the PC side judging whether a new USB device connection exists, and if yes, mapping the port onto the USB interface, a smart card which stores a digital certificate in the mobile terminal interacting with a PC side drive through a smart card management module, and the PC side drive starting up a digital certificate client. The present invention integrates a digital certificate function in a mobile terminal, thereby greatly facilitating a user in using same.

Description

Method for realizing digital certificate function of mobile terminal and mobile terminal

Technical field

The present invention relates to the field of communications technologies, and in particular to a method for implementing the digital certificate function of a mobile terminal, and to a mobile terminal.

Background

In the process of expanding the wireless network card business, one direction for mobile communication operators is to develop enterprise users and provide them with wireless Internet services. Users then no longer need a fixed office location: through mobile terminals such as mobile phones, wireless network cards and PADs they can access the network anywhere there is signal coverage, reach the enterprise intranet and handle business normally, as conveniently and simply as if they were sitting inside the enterprise operating on the intranet. Convenience, however, brings problems, and guaranteeing information security becomes the primary issue. The security risk is especially high when logging in to the enterprise network from the Internet: information leakage, viruses, malicious attacks and so on can all happen. For example, in order to grow its user base, a domestic operator planned to launch a specially customized wireless network card (data card) for the government network. The operator required the data card to have both ordinary service functions (Internet access, short messages, etc.) and the USBKey digital certificate function: when a user accesses an ordinary website or ordinary information on the government network, no identity authentication is required, but when government staff or authorized personnel log in to the government network for confidential information, identity authentication is required.

To guarantee the security of wireless communication, the operator's users proposed using digital certificates. However, a digital certificate needs a storage medium (software, CD-ROM, USBKey, etc.). This means that a user who wants to access the Internet securely with a mobile terminal must carry two devices, a wireless Internet device and a digital certificate, and the Internet terminal device must have two interfaces at the same time, one for the network card and the other for the digital certificate. This is inconvenient to carry and use and also increases the cost of use. To solve these problems, this document provides a method of combining the wireless network card and the digital certificate into one.

First, a brief introduction to the background technology related to digital certificates. Digital certificate technology is a general term for encryption technology centred on digital certificates. A digital certificate is issued by a Certification Authority (CA); the CA acts as an authoritative, fair and trustworthy third party, and its role is crucial.

Issuance and management of digital certificates: the user must take the relevant documents to a local certificate acceptance point, or go directly to the certificate issuing authority, the CA center, to fill in an application form and undergo identity verification. After the verification is passed, the user receives the medium holding the certificate (a magnetic disk, an IC card, a USBKey, etc.) and a password envelope containing the password.

Format and storage of digital certificates: the format of digital certificates currently in general use is the X.509 v3 international standard; the contents include the certificate serial number, the name of the certificate holder, the name of the certificate issuer, the validity period of the certificate, the public key, the digital signature of the certificate issuer, and so on. Digital certificates are usually placed on a storage medium as a file. A certificate with a private key is defined by the PKCS#12 (Public Key Cryptography Standards #12) standard and uses .pfx as the certificate file suffix. A digital certificate in .cer format contains only the public key and no private key.

Application of digital certificates: from the application perspective, digital certificates can be divided into server certificates, email certificates and client certificates; this document only concerns the implementation of client certificates. Client certificates are mainly used for identity verification and electronic signatures. A client certificate is stored on a dedicated storage medium such as an IC card or a Key, USBKey being the most common storage medium. The certificate on the storage medium cannot be exported or copied, and the protection password of the storage medium must be entered when the medium is used. To use the certificate, one must physically possess the storage medium and know its protection password; this is also called two-factor authentication. This kind of authentication is currently one of the most secure identity authentication methods on the Internet. The process of using a digital certificate is as follows: when a digital certificate is used for identity authentication, it randomly generates a 128-bit identity code; each digital certificate can generate a corresponding code that cannot be the same twice, which guarantees the confidentiality of data transmission and is equivalent to generating a complex password.

Summary of the invention
The embodiments of the present invention aim to provide a method for implementing a digital certificate function on a mobile terminal, and a mobile terminal that integrates the digital certificate function.
An embodiment of the present invention provides a method for implementing a digital certificate function on a mobile terminal. The method includes: after the mobile terminal is connected to a PC through a USB interface, the mobile terminal powers on and initializes the USB port; the PC determines whether a new USB device is connected and, if so, maps the ports onto the USB interface; the smart card in the mobile terminal that stores the digital certificate interacts with the PC-side driver through a smart card management module; and the PC-side driver starts the digital certificate client.
Preferably, the smart card storing the digital certificate interacts with the smart card management module through the ISO 7816 protocol.
Preferably, the smart card management module interacts with the PC-side digital certificate driver through the board-side driver of the mobile terminal, passing the MCSP/PKCS11 protocol through transparently, and starts the digital certificate client.
Preferably, the smart card is a UICC, and the ports include an AT port, a Modem port and a standard USB device interface.
Preferably, the digital certificate client initiates a digital certificate operation with an operation command in the form of an MCSP/PKCS11 data packet.
In addition, an embodiment of the present invention further provides a mobile terminal, which includes a smart card, a smart card management module and a board-side driver;
the smart card stores a digital certificate;
the smart card management module implements the operations on the smart card's digital certificate, and the smart card management module and the smart card communicate through a standard protocol;
the board-side driver interacts with the digital certificate PC-side driver through a protocol, thereby starting the digital certificate client.
Preferably, the smart card storing the digital certificate interacts with the smart card management module through the ISO 7816 protocol.
Preferably, the smart card management module starts the digital certificate client by interacting, through the board-side driver of the mobile terminal, with the PC-side digital certificate driver.
Preferably, the smart card is a UICC card.
Preferably, the digital certificate client initiates a digital certificate operation with an operation command in the form of an MCSP/PKCS11 data packet.
In summary, the embodiments of the present invention have the following beneficial effects:
Compared with the prior art, with the method and mobile terminal of the embodiments of the present invention, the mobile terminal itself has the digital certificate function, so no additional digital certificate device needs to be added, which is a great convenience for users.

Brief Description of the Drawings

FIG. 1 is a schematic diagram of the composition of a wireless internet data card implementing a digital certificate according to an embodiment of the present invention; FIG. 2 is a schematic diagram of the composition of a mobile phone implementing a digital certificate according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the composition of a PAD implementing a digital certificate according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a method for creating a data channel between the digital certificate client and the mobile communication terminal according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of the digital certificate operation process according to an embodiment of the present invention.

Detailed Description
Embodiments of the present invention provide a method for implementing a digital certificate function on a mobile terminal, and a mobile communication terminal with a digital certificate function. The core idea of the embodiments is to implement the function in software, without any hardware modification of the mobile communication terminal device. The method described here involves the following key questions: how to store a digital certificate on a mobile terminal, how to read and write a digital certificate stored on a mobile terminal, and how a digital certificate on a mobile terminal is used.
Storage of the digital certificate. Common digital certificate storage media are disks, IC cards and USBKeys. Among the components of a mobile communication terminal device, the one that can serve as a medium for storing digital data and that is indispensable and irreplaceable for the terminal is the UICC. The UICC is a removable smart card used to store operator subscription information, authentication keys, the phone book, short messages and other information. The UICC can host several logical applications, for example the Subscriber Identity Module (SIM), the Universal Subscriber Identity Module (USIM) and the IP Multimedia Service Identity Module (ISIM). A UICC digital certificate is very similar to a USBKEY digital certificate; the main difference lies in the external hardware interface: the USBKEY's hardware interface is a USB port, whereas the UICC's hardware interface is the UICC-terminal interface. To implement the digital certificate function, the UICC must, in addition to providing storage space for the digital certificate, have an RSA hardware coprocessor to support asymmetric encryption.
The production and issuance of this special type of digital certificate differs from that of an ordinary digital certificate in the following respects:
The mobile service operator first produces a batch of special UICC cards for the designated group (enterprise) users. Besides storing telecommunication service information, such a card also provides security services such as the RSA algorithm, identity authentication, and data encryption and decryption, and provides storage space for digital certificates.
The enterprise to which the group users belong applies for a digital certificate for each customer; after the certification authority (CA) has produced the digital certificate, the certificate is stored in the UICC card;
The operator issues to the group customers mobile communication terminals carrying digital certificates.

Reading and use of the digital certificate. Operations on the digital certificate are performed through a cryptographic device management interface, which is used to manage cryptographic devices in hardware or software form and to perform data encryption, decryption, digital signing, verification and data digest (i.e. HASH); FIG. 1 to FIG. 3 show the implementation framework of the cryptographic device interface in this solution. Two cryptographic device management interfaces are in common use: the PKCS#11 standard interface, and the CSP (Cryptographic Service Provider) standard interface defined by Microsoft. For the digital certificate on the mobile communication terminal to be usable, the following must be implemented: the digital certificate client (the PC/AP-side application) remains unchanged; a device driver for the mobile communication terminal is provided, comprising a PC-side driver and a board-side driver. The digital certificate client (PC/AP-side application) performs its operations on the digital certificate through the MCSP protocol or the PKCS11 protocol, and these operations are passed through transparently by the PC-side driver to the board-side driver.
The UICC management module implements the operations on the UICC digital certificate. The UICC management module and the UICC communicate through the ISO 7816 standard protocol. The MCSP or PKCS11 protocol packets exchanged between them are first packed into ISO 7816 standard packets and then transmitted.
Refer to FIG. 1 to FIG. 3, which show the connection schemes for a wireless internet data card, a mobile phone and a PAD respectively.
FIG. 1 shows the design of a wireless internet data card with the digital certificate function. The wireless internet data card includes a board-side driver, a UICC management module and a UICC digital certificate. The UICC management module and the UICC digital certificate interact through the ISO 7816 protocol. The PC side includes a digital certificate PC-side driver and a digital certificate client. The digital certificate PC-side driver and the digital certificate client interact through the MCSP protocol.
FIG. 2 shows the design of a mobile phone with the digital certificate function. The mobile phone includes a mobile phone digital certificate client, a UICC management module and a UICC digital certificate. The UICC management module and the UICC digital certificate interact through the ISO 7816 protocol, and the UICC management module and the mobile phone digital certificate client interact through the PKCS11 protocol.
FIG. 3 shows the design of a PAD with the digital certificate function. The PAD includes an AP side and a wireless internet module. The AP side includes a digital certificate AP-side driver and a digital certificate client, which interact through the MCSP protocol. The wireless internet module includes a board-side driver, a UICC management module and a UICC digital certificate. The UICC management module and the UICC digital certificate interact through the ISO 7816 protocol. The board-side driver and the digital certificate AP-side driver interact through the MCSP/PKCS11 protocol.
As shown in FIG. 4, the method for creating the data channel between the digital certificate client and the mobile communication terminal is implemented in the following steps:

Step 101: determine whether the terminal is a mobile phone terminal; if so, end the process, otherwise go to step 102;
If the mobile communication terminal device is a mobile phone terminal, the digital certificate client and the UICC management module are on the same mobile phone platform and can communicate directly, with no USB interface driver needed as a relay.
Step 102: the hardware connection between the PC/AP side and the mobile communication terminal uses a USB interface;
When the terminal device is a wireless internet card or a PAD rather than a mobile phone, the hardware connection between the PC/AP side and the mobile communication terminal uses a USB interface.
Step 103: determine whether the USB interface has initialized normally; if so, go to step 104, otherwise go to step 106;
After the mobile communication terminal device is connected to the PC through the USB interface, the device first powers on and then initializes the USB port. The PC determines whether a new USB device is connected. If a new device is connected, go to step 104; otherwise, no new USB device is connected, go to step 106;
Step 104: map the AT port, Modem port and standard USB device port onto the USB interface;
The board-side driver performs an enumeration (Enumerate) operation, mapping the AT port, Modem port and standard USB device interface services onto the USB port. Besides supporting the AT port and Modem port, the board-side driver of the mobile communication terminal device must additionally support a standard USB device interface in order to implement the digital certificate function. The AT port and Modem port serve the conventional functions of the mobile terminal device (internet access, SMS, phone book, etc.), while the standard USB interface serves the digital certificate function. The standard USB device driver is provided by the operating system. Using a standard USB device driver ensures that the PC-side digital certificate client can support both ordinary USBKey digital certificates and digital certificates on mobile terminal devices without any modification.
Step 105: determine whether the port mapping succeeded; if so, go to step 107, otherwise go to step 106;
Step 106: data channel creation fails.
Step 107: the data channel is created successfully.

FIG. 5 is a schematic flowchart of the digital certificate operation process in an embodiment of the present invention; the specific steps are as follows:
Step 201: the digital certificate client initiates a digital certificate operation; the operation command is an MCSP/PKCS11 data packet;
The digital certificate client initiates a digital certificate operation. Since operations between the digital certificate client and an ordinary USBKey-type digital certificate are carried out through the MCSP/PKCS11 protocol, the operation command is an MCSP/PKCS11 data packet.
Step 202: determine whether the terminal is a mobile phone; if so, go to step 206, otherwise go to step 203;
Step 203: the PC/AP-side driver and the board-side driver pass the MCSP/PKCS11 protocol through transparently;
Step 204: the PC/AP-side driver packs the MCSP/PKCS11 protocol data packet into a USB data packet and sends it to the mobile communication terminal device;
So that the original digital certificate client needs no modification, the PC/AP-side driver and the board-side driver pass the MCSP/PKCS11 protocol through transparently;
After receiving an MCSP/PKCS11 protocol data packet addressed to the mobile communication terminal device, the PC/AP-side driver does not process it but packs it directly in USB format and sends it to the mobile communication terminal device. The packet format is as follows:
    [USB packet header] [USB packet body = MCSP/PKCS11 data]

Step 205: the board-side driver receives the USB packet, extracts the MCSP/PKCS11 protocol data packet, and forwards it to the UICC management module;
The board-side driver of the mobile communication terminal device receives the USB data packet on the standard USB device interface, strips the USB packet header, extracts the MCSP/PKCS11 protocol data packet from the packet body, and forwards it to the UICC management module;
Step 206: after receiving the MCSP/PKCS11 protocol data packet, the UICC management module packs it into an ISO 7816 standard data packet and forwards it to the UICC;
After receiving the MCSP/PKCS11 data packet, the UICC management module likewise does not process the data but packs it directly in the ISO 7816 standard format and sends it to the UICC. The packet format is as follows:
    [CLA INS P1 P2]                      [Lc Data Le]
    (ISO 7816 protocol packet header)    (ISO 7816 protocol packet body)

The packet body is defined as follows:
    (figure: packet body definition table, not reproduced in the text)
Step 207: the UICC extracts the MCSP/PKCS11 data packet from the ISO 7816 standard data packet and performs the corresponding operation according to the packet content;
The UICC processes the received ISO 7816 data packet, extracts the MCSP/PKCS11 data packet from it, and performs the corresponding operation according to the specific content of the MCSP/PKCS11 data packet;
Step 208: the UICC returns the operation response result, which is an MCSP/PKCS11 data packet;
Step 209: the UICC packs the MCSP/PKCS11 data packet into an ISO 7816 data packet and returns it to the UICC management module;
The format of the response packet is as follows:
    [Data]                                      [SW1 SW2]
    (data field of the ISO 7816 response packet) (response packet status word)
The data field is optional; the response packet consists of at least the status word. The status word describes how the command was processed, i.e. whether the command was executed correctly and, if not, why.
SW1 indicates the command processing status; SW2 indicates the command processing qualifier;
Step 210: determine whether the terminal is a mobile phone terminal; if the mobile communication terminal device is a mobile phone terminal, go to step 214; otherwise the terminal device is a wireless internet data card or a PAD, go to step 211;
Step 211: the UICC management module extracts the MCSP/PKCS11 data packet from the ISO 7816 data packet and passes it to the board-side driver;
Step 212: the board-side driver packs the MCSP/PKCS11 data packet into a USB data packet and sends it to the PC/AP side through the standard USB device interface;
Step 213: after receiving the USB data packet, the PC/AP-side driver extracts the MCSP/PKCS11 data packet from it and passes it to the digital certificate client;
Step 214: the digital certificate client analyzes the MCSP/PKCS11 data packet and performs the corresponding operation according to the UICC's response result;
The digital certificate operation process is complete.
The above is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.

Industrial Applicability

Compared with the prior art, the embodiments of the present invention combine a wireless internet card and a digital certificate into one, so that the mobile terminal has a digital certificate function and becomes a mobile terminal with an integrated digital certificate function. Therefore, with the present invention, no additional digital certificate device needs to be added, which is a great convenience for users.
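The following Python program is an added worked example of the pass-through encapsulation chain of steps 204 to 214 above; it is not code from the patent or from its assignee. It assumes a constructed USB frame header (a 2-byte magic value plus a 32-bit body length, since the patent only shows "header | body"), a proprietary-class ISO 7816 command APDU with placeholder CLA 0x80 and INS 0x10, and a toy "OP:argument" encoding standing in for the MCSP/PKCS11 payload. The status words 0x9000, 0x6982, 0x63C2, 0x6A80 and 0x6D00 are the real ISO 7816-4 values. The point a practitioner should take from it: each layer checks the length field of the frame it unwraps before trusting it, the client checks SW1 SW2 before using the data field, and the simulated card refuses a private-key operation until the protection password (the second factor) has been verified.

```python
"""Pass-through chain of FIG. 5, constructed example (not the patent's code).

PC/AP-side driver  -> USB frame   -> board-side driver
board-side driver  -> ISO 7816    -> UICC management module -> UICC
UICC               -> Data+SW1SW2 -> back up the same path to the client
"""
import struct

# USB frame: header + body.  This 6-byte header (magic, big-endian body
# length) is an assumption of this example; the patent does not define it.
USB_MAGIC = b"DC"
USB_HDR = struct.Struct(">2sI")


def usb_wrap(payload: bytes) -> bytes:
    """Step 204 / step 212: prepend the header, payload is passed through untouched."""
    return USB_HDR.pack(USB_MAGIC, len(payload)) + payload


def usb_unwrap(frame: bytes) -> bytes:
    """Step 205 / step 213: strip the header after checking the declared length."""
    if len(frame) < USB_HDR.size:
        raise ValueError("USB frame too short")
    magic, length = USB_HDR.unpack_from(frame)
    if magic != USB_MAGIC or len(frame) != USB_HDR.size + length:
        raise ValueError("malformed USB frame: bad magic or length mismatch")
    return frame[USB_HDR.size:]


def is_malformed_usb_frame(frame: bytes) -> bool:
    """True when the board-side/PC-side check above would reject the frame."""
    try:
        usb_unwrap(frame)
    except ValueError:
        return True
    return False


# ISO 7816-4 short command APDU: CLA INS P1 P2 Lc Data Le.
# CLA 0x80 (proprietary class) and INS 0x10 are placeholders for this example.
CLA_PROPRIETARY = 0x80
INS_PASSTHROUGH = 0x10


def apdu_wrap(payload: bytes, cla: int = CLA_PROPRIETARY, ins: int = INS_PASSTHROUGH) -> bytes:
    """Step 206: pack the MCSP/PKCS11 packet into the APDU body (Le=0x00 means up to 256 bytes back)."""
    if not 1 <= len(payload) <= 255:
        raise ValueError("a short APDU carries 1..255 data bytes")
    return bytes([cla, ins, 0x00, 0x00, len(payload)]) + payload + b"\x00"


def apdu_unwrap(apdu: bytes):
    """Step 207 (card side): return (cla, ins, p1, p2, data) after checking Lc against the real length."""
    if len(apdu) < 5:
        raise ValueError("APDU header truncated")
    cla, ins, p1, p2, lc = apdu[:5]
    data = apdu[5:5 + lc]
    if len(data) != lc or len(apdu) - 5 - lc not in (0, 1):  # optional trailing Le
        raise ValueError("Lc does not match APDU length")
    return cla, ins, p1, p2, data


def response_wrap(data: bytes, sw: int) -> bytes:
    """Steps 208-209: response APDU is Data (optional) followed by SW1 SW2."""
    return data + sw.to_bytes(2, "big")


def response_unwrap(resp: bytes):
    """Step 211: split into (data, sw); the status word is mandatory."""
    if len(resp) < 2:
        raise ValueError("response lacks status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")


class SimUicc:
    """Constructed stand-in for the UICC applet; only the status words are real ISO 7816-4 values."""

    def __init__(self, pin: bytes):
        self._pin = pin
        self._verified = False
        self._cert = b"<constructed DER certificate bytes>"

    def process(self, apdu: bytes) -> bytes:
        cla, ins, _p1, _p2, req = apdu_unwrap(apdu)
        if (cla, ins) != (CLA_PROPRIETARY, INS_PASSTHROUGH):
            return response_wrap(b"", 0x6D00)          # INS not supported
        op, _, arg = req.partition(b":")              # toy inner MCSP/PKCS11 encoding
        if op == b"VERIFY_PIN":
            self._verified = arg == self._pin
            return response_wrap(b"", 0x9000 if self._verified else 0x63C2)  # 63Cx: x retries left
        if op == b"READ_CERT":                        # public data: no PIN needed
            return response_wrap(self._cert, 0x9000)
        if op == b"SIGN":                             # private-key use needs the second factor
            if not self._verified:
                return response_wrap(b"", 0x6982)      # security status not satisfied
            return response_wrap(b"sig(" + arg + b")", 0x9000)
        return response_wrap(b"", 0x6A80)             # incorrect parameters in data field


def client_request(card: SimUicc, request: bytes):
    """Run one MCSP/PKCS11 request through the whole chain; returns (data, status word)."""
    frame = usb_wrap(request)            # step 204: PC/AP-side driver
    inner = usb_unwrap(frame)            # step 205: board-side driver
    apdu = apdu_wrap(inner)              # step 206: UICC management module
    resp = card.process(apdu)            # steps 207-209: UICC
    data, sw = response_unwrap(resp)     # step 211: UICC management module
    back = usb_unwrap(usb_wrap(data))    # steps 212-213: board-side and PC/AP-side drivers
    return back, sw                      # step 214: client must check sw before using data


if __name__ == "__main__":
    card = SimUicc(pin=b"1234")
    for req in (b"READ_CERT:", b"SIGN:hello", b"VERIFY_PIN:1234", b"SIGN:hello"):
        data, sw = client_request(card, req)
        print(f"{req!r:22} -> SW={sw:04X} data={data!r}")
```

The `__main__` block shows the expected ordering: the certificate can be read before PIN verification, the first signing attempt is refused with 0x6982, and only after a correct VERIFY_PIN does signing return 0x9000 with data. A real PKCS#11 or CSP driver would map these status words onto its own error codes rather than exposing them to the application.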

Claims

1. A method for implementing a digital certificate function on a mobile terminal, the method comprising: after the mobile terminal is connected to a PC side through a USB interface, the mobile terminal powers on and initializes a USB port; the PC side determines whether a new USB device is connected and, if so, maps the ports onto the USB interface; a smart card in the mobile terminal that stores a digital certificate interacts with a PC-side driver through a smart card management module; and the PC-side driver starts the digital certificate client.
2. The method according to claim 1, wherein the smart card storing the digital certificate interacts with the smart card management module through the ISO 7816 protocol.
3. The method according to claim 1, wherein the smart card management module interacts with the PC-side driver through the board-side driver of the mobile terminal and the PC-side digital certificate, passes the MCSP/PKCS11 protocol through transparently, and starts the digital certificate client.
4. The method according to claim 3, wherein the smart card is a UICC, and the ports include an AT port, a Modem port and a standard USB device interface.
5. The method according to claim 1, wherein the digital certificate client initiates a digital certificate operation with an operation command in the form of an MCSP/PKCS11 data packet.
6. A mobile terminal, comprising a smart card, a smart card management module and a board-side driver;
the smart card is configured to store a digital certificate;
the smart card management module is configured to implement operations on the smart card's digital certificate, the smart card management module and the smart card communicating through a standard protocol;
the board-side driver is configured to interact with the digital certificate PC-side driver through a protocol, thereby starting the digital certificate client.
7. The mobile terminal according to claim 6, wherein the smart card is configured to interact with the smart card management module through the ISO 7816 protocol.
8. The mobile terminal according to claim 6, wherein the smart card management module is configured to start the digital certificate client by interacting with the PC-side driver through the board-side driver of the mobile terminal and the PC-side digital certificate.
9. The mobile terminal according to claim 6, wherein the smart card is a UICC card.
10. The mobile terminal according to claim 6, wherein the mobile terminal comprises: the digital certificate client, configured to initiate a digital certificate operation with an operation command in the form of an MCSP/PKCS11 data packet.
PCT/CN2013/080133 2012-11-22 2013-07-25 Digital certificate function implementation method for mobile terminal and mobile terminal WO2013167082A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210478547.3A CN103023642B (en) 2012-11-22 2012-11-22 A kind of mobile terminal and digital certificate functionality implementation method thereof
CN201210478547.3 2012-11-22

Publications (2)

Publication Number Publication Date
WO2013167082A2 true WO2013167082A2 (en) 2013-11-14
WO2013167082A3 WO2013167082A3 (en) 2014-01-03

Family

ID=47971804

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/080133 WO2013167082A2 (en) 2012-11-22 2013-07-25 Digital certificate function implementation method for mobile terminal and mobile terminal

Country Status (2)

Country Link
CN (1) CN103023642B (en)
WO (1) WO2013167082A2 (en)


Legal Events

Date Code Title Description
122 Ep: pct application non-entry in european phase

Ref document number: 13788113

Country of ref document: EP

Kind code of ref document: A2