WO2013167082A2 - Method for implementing a digital certificate function for a mobile terminal, and mobile terminal - Google Patents

Method for implementing a digital certificate function for a mobile terminal, and mobile terminal

Info

Publication number
WO2013167082A2
Authority
WO
WIPO (PCT)
Prior art keywords
digital certificate
mobile terminal
smart card
management module
client
Prior art date
Application number
PCT/CN2013/080133
Other languages
English (en)
Chinese (zh)
Other versions
WO2013167082A3 (fr)
Inventor
陈颖
缪海翔
马少峰
Original Assignee
中兴通讯股份有限公司
Priority date
2012-11-22
Filing date
2013-07-25
Publication date
2013-11-14
Application filed by 中兴通讯股份有限公司
Publication of WO2013167082A2
Publication of WO2013167082A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method for implementing a digital certificate function on a mobile terminal, and to a mobile terminal.

Background
  • Take the USBKey digital certificate as an example. When a user accesses ordinary information on an ordinary website or on a government network, no identity authentication is required; but when government staff or authorized personnel log in to the government network to access confidential information, identity authentication is required.
  • A digital certificate requires a storage medium (software, CD-ROM, USBKey, etc.). This means that a user who wants to access the Internet securely from a mobile terminal must carry two devices, a wireless Internet device and a digital certificate device, and the Internet terminal must also provide two interfaces at the same time, one for the network card and one for the digital certificate. This is inconvenient to carry and use, and it raises the cost of use.
  • This document provides a method for combining a wireless network card and a digital certificate into a single device.
  • Digital certificate technology is a general term for encryption technology based on digital certificates.
  • A digital certificate is issued by a Certification Authority (CA). The CA is an authoritative, impartial and trustworthy third party, and its role is crucial.
  • CA: Certification Authority
  • To have a digital certificate issued and managed, the user must bring the relevant documents to a certificate acceptance point or go directly to the issuing authority (the CA center), fill out an application form and undergo identity verification. After approval, the user receives the medium carrying the certificate (an IC card, USBKey, etc.) together with a password envelope containing its password.
  • The format of a digital certificate is generally based on the X.509 v3 international standard and includes the certificate serial number, the name of the certificate holder, the name of the issuer, the validity period, the holder's public key and the issuer's signature.
  • A digital certificate is usually stored on a storage medium as a file.
  • A certificate bundled with its private key is defined by the PKCS#12 (Public Key Cryptography Standards #12) standard and uses the .pfx file suffix.
  • A certificate in .cer format contains only the public key and no private key.
  • Digital certificates can be divided into server certificates, e-mail certificates and client certificates.
  • Client certificates are primarily used for identity authentication and electronic signatures.
  • A client certificate is stored in a dedicated storage medium such as an IC card or a key token; the USBKey is the most common such medium.
  • The certificate (and its private key) in such a medium cannot be exported or copied, and the medium's protection password must be entered before it can be used.
  • This type of authentication is one of the most secure authentication methods on the Internet.
  • The digital certificate is used as follows. When the certificate is used for identity authentication, a random 128-bit identity code is generated; the value each digital certificate produces corresponds to that certificate alone and cannot be duplicated, which ensures the confidentiality of data transmission and is equivalent to generating a complex password. (In practice the random value acts as a challenge that the certificate's private key answers: it proves possession of the key and prevents replay, while the confidentiality of the subsequent data depends on the encryption that follows the authentication.)

Summary of the invention
  • The purpose of the embodiments of the present invention is to provide a method for implementing a digital certificate function on a mobile terminal, and a mobile terminal that integrates the digital certificate function.
  • An embodiment of the present invention provides a method for implementing a digital certificate function of a mobile terminal. The method includes: after the mobile terminal is connected to a PC through a USB interface, the mobile terminal powers on and initializes its USB port; the PC determines whether a new USB device has been connected and, if so, maps the ports onto the USB interface; the smart card storing the digital certificate in the mobile terminal interacts with the PC side through a smart card management module; and the PC-side driver starts the digital certificate client.
  • The smart card storing the digital certificate interacts with the smart card management module through the ISO 7816 protocol.
  • The smart card management module, through the board-side driver of the mobile terminal and the digital certificate PC-side driver on the PC, carries out a transparent (pass-through) exchange of MCSP/PKCS#11 protocol packets and starts the digital certificate client.
  • The smart card is a UICC.
  • The ports include an AT port, a modem port and a standard USB device interface.
  • The digital certificate client initiates a digital certificate operation by issuing a command in the form of an MCSP/PKCS#11 data packet.
  • An embodiment of the present invention further provides a mobile terminal that includes a smart card, a smart card management module and a board-side driver;
  • the smart card stores a digital certificate;
  • the smart card management module performs operations on the digital certificate in the smart card, and communicates with the smart card through a standard protocol;
  • the board-side driver interacts with the digital certificate PC-side driver through a protocol in order to start the digital certificate client.
  • The smart card storing the digital certificate interacts with the smart card management module through the ISO 7816 protocol.
  • The smart card management module starts the digital certificate client through the interaction between the board-side driver of the mobile terminal and the digital certificate PC-side driver on the PC.
  • The smart card is a UICC card.
  • The digital certificate client initiates a digital certificate operation by issuing a command in the form of an MCSP/PKCS#11 data packet.
  • The embodiments of the present invention have the following beneficial effect:
  • the mobile terminal itself provides the digital certificate function, so no separate digital certificate device needs to be added, which is a great convenience for the user.
  • FIG. 1 is a schematic diagram of the components implementing a digital certificate on a wireless Internet data card according to an embodiment of the present invention;
  • FIG. 2 is a schematic diagram of the components implementing a digital certificate on a mobile phone according to an embodiment of the present invention;
  • FIG. 3 is a schematic diagram of the components implementing a digital certificate on a PAD according to an embodiment of the present invention;
  • FIG. 4 is a schematic flowchart of a method for creating a data channel between the digital certificate client and the mobile communication terminal according to an embodiment of the present invention;
  • FIG. 5 is a schematic diagram of the digital certificate operation process according to an embodiment of the present invention.

Detailed description
  • Embodiments of the present invention provide a method for implementing a digital certificate function of a mobile terminal, and a mobile communication terminal having a digital certificate function.
  • The core idea of the embodiments is that the function is implemented in software, without modifying the hardware of the mobile communication terminal.
  • The method described here addresses the following key questions: how to store a digital certificate on a mobile terminal, how to read and write a digital certificate stored on a mobile terminal, and how the digital certificate is used on the mobile terminal.
  • Digital certificates are normally stored on a disk, an IC card or a USBKey.
  • On a mobile terminal, the component that can serve as a storage medium for a digital certificate and that the terminal cannot do without is the UICC.
  • The UICC is a removable smart card used to store information such as the operator subscription, authentication keys, the phone book and short messages.
  • The UICC can host several logical applications, such as the Subscriber Identity Module (SIM), the Universal Subscriber Identity Module (USIM) and the IP Multimedia Services Identity Module (ISIM).
  • SIM: Subscriber Identity Module
  • USIM: Universal Subscriber Identity Module
  • ISIM: IP Multimedia Services Identity Module
  • A UICC digital certificate is very similar to a USBKey digital certificate; the main difference is the external hardware interface.
  • The hardware interface of a USBKey is a USB port.
  • The hardware interface of a UICC is the UICC-terminal interface.
  • To implement the digital certificate function, the UICC must provide not only storage space for the digital certificate but also an RSA hardware coprocessor supporting asymmetric encryption.
  • The mobile service operator first creates a special UICC card for the designated group of users.
  • Besides digital certificate storage space, this card provides security services such as the RSA algorithm, identity authentication, and data encryption and decryption.
  • The enterprise to which the group users belong applies for a digital certificate for each user. After the certification authority (CA) has produced the digital certificate, it is stored in the UICC card;
  • the operator then issues to the group customer a mobile communication terminal that carries the digital certificate.
  • Reading and using the digital certificate: operations on the digital certificate are performed through a cryptographic device management interface, which manages a cryptographic device implemented in hardware or software and provides data encryption, decryption, digital signature, signature verification and data digest (hash); see Fig. 1 to Fig. 3.
  • For the digital certificate on the mobile communication terminal to be usable as normal, the following must be implemented:
  • the digital certificate client (PC/AP-side application) remains unchanged; device drivers for the mobile communication terminal are provided, consisting of a PC-side driver and a board-side driver;
  • the operations performed by the digital certificate client (PC/AP-side application) on the digital certificate are expressed in the MCSP protocol or the PKCS#11 protocol, and are passed through transparently to the board-side driver by the PC-side driver;
  • the UICC management module implements the operations on the UICC digital certificate;
  • the UICC management module communicates with the UICC through the ISO 7816 standard protocol;
  • the MCSP or PKCS#11 protocol packet exchanged between the two is first wrapped in an ISO 7816 standard packet and then transmitted.
  • Figure 1, Figure 2 and Figure 3 show the connections for the wireless data card, the mobile phone and the PAD respectively.
  • FIG. 1: the wireless Internet data card includes a board-side driver, a UICC management module and a UICC digital certificate.
  • The UICC management module and the UICC digital certificate interact through the ISO 7816 protocol.
  • The PC side includes a digital certificate PC-side driver and a digital certificate client.
  • The digital certificate PC-side driver and the digital certificate client interact through the MCSP protocol.
  • FIG. 2 is the design of a mobile phone having a digital certificate function.
  • The mobile phone includes a mobile digital certificate client, a UICC management module and a UICC digital certificate.
  • The UICC management module and the UICC digital certificate interact through the ISO 7816 protocol, and the UICC management module and the mobile digital certificate client interact through the PKCS#11 protocol.
  • FIG. 3 is the design of a PAD having a digital certificate function.
  • The PAD includes an AP side and a wireless network module.
  • The AP side includes a digital certificate AP-side driver and a digital certificate client.
  • The digital certificate AP-side driver and the digital certificate client interact through the MCSP protocol.
  • The wireless Internet module includes a board-side driver, a UICC management module and a UICC digital certificate.
  • The UICC management module and the UICC digital certificate interact through the ISO 7816 protocol.
  • The board-side driver and the digital certificate AP-side driver interact through the MCSP/PKCS#11 protocol.
  • The data channel between the digital certificate client and the mobile communication terminal (FIG. 4) is created as follows:
  • Step 101: determine whether the terminal is a mobile phone; if so, the process ends; otherwise proceed to step 102.
  • When the mobile communication terminal is a mobile phone, the digital certificate client and the UICC management module run on the same phone platform and communicate directly, so no USB interface driver is needed to relay between them.
  • Step 102: the PC/AP side and the mobile communication terminal are connected through a USB interface; when the terminal is a wireless network card or a PAD rather than a mobile phone, the connection between the PC/AP side and the terminal is the USB interface.
  • Step 103: determine whether the USB interface initialized normally; if so, proceed to step 104, otherwise proceed to step 106.
  • After the mobile communication terminal is connected to the PC through the USB interface, the device first powers on and then initializes the USB port.
  • The PC determines whether a new USB device has been connected. If a new device is present, go to step 104; otherwise no new USB device is connected, go to step 106.
  • Step 104: map the AT port, the modem port and the standard USB device interface onto the USB port; the board-side driver performs USB enumeration and maps the AT port, the modem port and the standard USB device interface service onto the USB port.
  • The board-side driver of the mobile communication terminal must support the standard USB device interface in order to implement the digital certificate function.
  • The AT port and the modem port serve the general functions of the mobile terminal (Internet access, short messages, phone book, etc.); the standard USB interface serves the digital certificate function.
  • The standard USB device driver is provided by the operating system. Using the standard USB device driver guarantees that the PC-side digital certificate client supports both an ordinary USBKey digital certificate and the digital certificate on the mobile terminal without any modification.
  • Step 105: determine whether the port mapping succeeded; if so, proceed to step 107, otherwise proceed to step 106.
  • Step 106: data channel creation failed.
  • Step 107: data channel created successfully.
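The enumeration and port-mapping check of steps 104 to 107 can be illustrated with a host-side descriptor walk. The following is an added example, not code from the patent or from ZTE: it parses a constructed USB configuration descriptor for a composite device, assumes (our assumption, not the page's) that the AT and modem ports appear as CDC ACM control/data interface pairs (classes 0x02 and 0x0A) and that the "standard USB device interface" used for the certificate is a smart card (CCID, class 0x0B) interface, and reports whether the data channel can be created.

```python
"""
Added example (not from the patent): how a host-side driver can perform the
step 104/105 check of FIG. 4, i.e. walk a USB configuration descriptor, see
which interfaces the composite device exposes, and decide whether the ports
needed for the digital certificate function are all present.
Assumptions (ours): the certificate interface is USB class 0x0B (CCID smart
card); AT and modem ports are CDC ACM pairs (control class 0x02 subclass 0x02,
data class 0x0A), the first ACM pair being the AT port. The descriptor bytes
below are constructed for the example.
"""
import struct

DESC_CONFIG, DESC_INTERFACE, DESC_ENDPOINT = 0x02, 0x04, 0x05
CLASS_CDC_CONTROL, CLASS_CDC_DATA, CLASS_SMART_CARD = 0x02, 0x0A, 0x0B
SUBCLASS_ACM = 0x02


def interface_desc(number, cls, subcls, proto, n_endpoints):
    # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting,
    # bNumEndpoints, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface
    return struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, number, 0, n_endpoints, cls, subcls, proto, 0)


def endpoint_desc(address, attributes, max_packet=64, interval=0):
    # bLength, bDescriptorType, bEndpointAddress, bmAttributes, wMaxPacketSize, bInterval
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, address, attributes, max_packet, interval)


def config_desc(interfaces: bytes, n_interfaces: int) -> bytes:
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue,
    # iConfiguration, bmAttributes (bus powered), bMaxPower (100 mA)
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIG, 9 + len(interfaces), n_interfaces, 1, 0, 0x80, 50) + interfaces


# Constructed composite device: two ACM pairs (AT port, modem port) plus a smart card interface.
SAMPLE_CONFIG = config_desc(
    interface_desc(0, CLASS_CDC_CONTROL, SUBCLASS_ACM, 1, 1) + endpoint_desc(0x81, 0x03, 16, 10)
    + interface_desc(1, CLASS_CDC_DATA, 0, 0, 2) + endpoint_desc(0x82, 0x02) + endpoint_desc(0x02, 0x02)
    + interface_desc(2, CLASS_CDC_CONTROL, SUBCLASS_ACM, 1, 1) + endpoint_desc(0x83, 0x03, 16, 10)
    + interface_desc(3, CLASS_CDC_DATA, 0, 0, 2) + endpoint_desc(0x84, 0x02) + endpoint_desc(0x04, 0x02)
    + interface_desc(4, CLASS_SMART_CARD, 0, 0, 3)
    + endpoint_desc(0x85, 0x02) + endpoint_desc(0x05, 0x02) + endpoint_desc(0x86, 0x03, 8, 10),
    5,
)


def parse_interfaces(config: bytes) -> list[dict]:
    """Walk the descriptor chain by bLength, collecting interfaces and their endpoint
    addresses; unknown descriptor types (e.g. class-specific ones) are skipped."""
    if len(config) < 9 or config[1] != DESC_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]
    if total != len(config):
        raise ValueError("wTotalLength does not match descriptor data")
    interfaces, pos = [], 9
    while pos < len(config):
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DESC_INTERFACE:
            interfaces.append({"number": config[pos + 2], "class": config[pos + 5],
                               "subclass": config[pos + 6], "endpoints": []})
        elif dtype == DESC_ENDPOINT and interfaces:
            interfaces[-1]["endpoints"].append(config[pos + 2])
        pos += length
    return interfaces


def map_ports(config: bytes) -> dict:
    """Step 104: assign roles to interfaces. First ACM control interface is taken
    as the AT port, the second as the modem port (assumed ordering)."""
    roles = {"at": None, "modem": None, "smartcard": None}
    for itf in parse_interfaces(config):
        if itf["class"] == CLASS_CDC_CONTROL and itf["subclass"] == SUBCLASS_ACM:
            roles["at" if roles["at"] is None else "modem"] = itf["number"]
        elif itf["class"] == CLASS_SMART_CARD:
            roles["smartcard"] = itf["number"]
    return roles


def data_channel_ready(config: bytes) -> bool:
    """Step 105: the certificate path exists only if a smart card interface was mapped;
    False corresponds to step 106 (data channel creation failed)."""
    return map_ports(config)["smartcard"] is not None


if __name__ == "__main__":
    print(map_ports(SAMPLE_CONFIG), data_channel_ready(SAMPLE_CONFIG))
```

A real driver would obtain the descriptor from the operating system rather than from SAMPLE_CONFIG. The checks of wTotalLength and of each bLength against the end of the buffer are what keep a malformed or truncated descriptor from driving the walk out of bounds, which is the kind of input a hostile USB device can supply.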
  • FIG. 5 is a schematic flowchart of the digital certificate operation process in an embodiment of the present invention. The steps are as follows:
  • Step 201: the digital certificate client initiates a digital certificate operation; the operation command is an MCSP/PKCS#11 data packet.
  • The digital certificate client initiates a certificate-related operation. Because operations between the digital certificate client and an ordinary USBKey digital certificate already use the MCSP/PKCS#11 protocol, the operation command is an MCSP/PKCS#11 data packet.
  • Step 202: determine whether the terminal is a mobile phone; if so, go to step 206, otherwise go to step 203.
  • Step 203: the PC/AP-side driver and the board-side driver pass the MCSP/PKCS#11 protocol through transparently.
  • After receiving an MCSP/PKCS#11 protocol data packet addressed to the mobile communication terminal, the PC/AP-side driver wraps the packet directly in USB format and sends it to the mobile communication terminal.
  • The frame format is: USB data packet header | USB data packet body.
  • Step 205: the board-side driver receives the USB packet, extracts the MCSP/PKCS#11 protocol data packet and forwards it to the UICC management module.
  • The board-side driver of the mobile communication terminal receives the USB data packet from the standard USB device interface, removes the USB packet header, extracts the MCSP/PKCS#11 protocol data packet from the packet body and forwards it to the UICC management module.
  • Step 206: after receiving the MCSP/PKCS#11 protocol data packet, the UICC management module wraps it in an ISO 7816 standard data packet and forwards it to the UICC.
  • The UICC management module does not process the data: it packages the received MCSP/PKCS#11 packet according to the ISO 7816 standard format and sends it to the UICC.
  • The package format is as follows:
  • The package body is defined as follows:
  • Step 207: the UICC extracts the MCSP/PKCS#11 data packet from the ISO 7816 standard data packet and performs the corresponding operation according to its content.
  • The UICC processes the received ISO 7816 data packet, extracts the MCSP/PKCS#11 data packet from it, and performs the corresponding operation according to the specific content of that packet.
  • Step 208: the UICC returns an operation response; the result is an MCSP/PKCS#11 data packet.
  • Step 209: the UICC packages the MCSP/PKCS#11 data packet into an ISO 7816 data packet and returns it to the UICC management module.
  • The format of the response packet is as follows:
  • the data field is optional;
  • the response packet consists of at least the status word.
  • The status word indicates the processing status of the command, i.e. whether the command was executed correctly and, if not, the reason.
  • SW1 indicates the command processing status;
  • SW2 is the qualifier of that status.
  • Step 210: determine whether the terminal is a mobile phone; if the mobile communication terminal is a mobile phone, go to step 214; otherwise (the terminal is a wireless Internet data card or a PAD) go to step 211.
  • Step 211: the UICC management module extracts the MCSP/PKCS#11 data packet from the ISO 7816 data packet and passes it to the board-side driver.
  • Step 212: the board-side driver packs the MCSP/PKCS#11 data packet into a USB data packet and sends it to the PC/AP side through the standard USB device interface.
  • Step 213: after receiving the USB data packet, the PC/AP-side driver extracts the MCSP/PKCS#11 data packet from it and passes it to the digital certificate client.
  • Step 214: the digital certificate client parses the MCSP/PKCS#11 data packet and acts according to the UICC's response.
  • The digital certificate operation is complete.
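To make the nesting of steps 201 to 214 concrete, here is an added simulation (not the patent's or ZTE's code) of the whole round trip for a non-phone terminal; it also exercises the response format of steps 208 and 209 (optional data field followed by the mandatory SW1 SW2) and the status-word check a practitioner would put in the management module. The USB frame layout (a 4-byte marker plus a 16-bit length), the class and instruction bytes of the wrapping APDU, the tag-prefixed request format and the two-command "card" are all assumptions made for the example; the patent shows neither its USB nor its ISO 7816 packet tables.

```python
"""
Added example (not code from the patent): a stand-alone simulation of the
tunnel described in FIG. 5. A client request travels
client -> PC-side driver (USB frame) -> board-side driver -> UICC management
module (ISO 7816-4 APDU) -> simulated UICC, and the response comes back the
same way. Assumptions (ours): USB frame = "DCRT" + big-endian length + payload;
CLA/INS bytes are invented; the opaque client packet is "tag byte + body".
"""
import struct

# ---- USB framing (PC/AP-side driver <-> board-side driver) -----------------
USB_MAGIC = b"DCRT"  # assumed 4-byte header marker


def usb_pack(payload: bytes) -> bytes:
    """Step 203/204: prepend header (marker + length) to the opaque packet."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for the frame length field")
    return USB_MAGIC + struct.pack(">H", len(payload)) + payload


def usb_unpack(frame: bytes) -> bytes:
    """Step 205/213: validate the header, strip it, return the opaque packet."""
    if len(frame) < 6 or frame[:4] != USB_MAGIC:
        raise ValueError("bad USB frame header")
    length = struct.unpack(">H", frame[4:6])[0]
    body = frame[6:6 + length]
    if len(body) != length:
        raise ValueError("truncated USB frame")
    return body


# ---- ISO 7816-4 APDU framing (UICC management module <-> UICC) --------------
CLA_TUNNEL = 0x80  # proprietary class byte (assumed)
INS_TUNNEL = 0xCA  # instruction carrying the opaque packet (assumed)


def apdu_wrap(payload: bytes) -> bytes:
    """Step 206: build a case-4 short APDU: CLA INS P1 P2 Lc Data Le."""
    if not 1 <= len(payload) <= 255:
        raise ValueError("a short APDU carries 1..255 data bytes")
    return bytes([CLA_TUNNEL, INS_TUNNEL, 0x00, 0x00, len(payload)]) + payload + b"\x00"


def apdu_parse_response(resp: bytes) -> tuple[bytes, int]:
    """Step 209/211: split a response into (data, SW1SW2). The data field is
    optional, the two status bytes are mandatory."""
    if len(resp) < 2:
        raise ValueError("response shorter than the two status bytes")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def sw_message(sw: int) -> str:
    """Decode the ISO 7816-4 status words this example can meet."""
    sw1 = sw >> 8
    if sw == 0x9000:
        return "OK"
    if sw1 == 0x61:
        return f"OK, {sw & 0xFF} more response bytes available (GET RESPONSE)"
    if sw1 == 0x6C:
        return f"wrong Le, re-issue with Le={sw & 0xFF}"
    if sw == 0x6982:
        return "security status not satisfied (PIN not verified)"
    if sw == 0x6D00:
        return "instruction not supported"
    return f"unknown status {sw:04X}"


# ---- simulated UICC ---------------------------------------------------------
class FakeUicc:
    """Tiny stand-in for the card: verifies a PIN, then releases a certificate."""

    def __init__(self):
        self.pin_verified = False
        self.cert = b"-----CERT-----"  # constructed placeholder, not a real certificate

    def process(self, apdu: bytes) -> bytes:  # steps 207/208
        cla, ins, _p1, _p2, lc = apdu[:5]
        data = apdu[5:5 + lc]
        if cla != CLA_TUNNEL or ins != INS_TUNNEL:
            return b"\x6D\x00"
        tag, body = data[0], data[1:]
        if tag == 0x01:  # verify PIN
            self.pin_verified = body == b"1234"
            return b"\x90\x00" if self.pin_verified else b"\x69\x82"
        if tag == 0x02:  # read certificate, only after PIN verification
            return self.cert + b"\x90\x00" if self.pin_verified else b"\x69\x82"
        return b"\x6D\x00"


# ---- the end-to-end path of FIG. 5 for a data card / PAD --------------------
def client_request(card: FakeUicc, request: bytes) -> tuple[bytes, int]:
    """Steps 201..214: returns (response data, status word) to the client."""
    packet = usb_unpack(usb_pack(request))       # PC-side driver -> board-side driver
    data, sw = apdu_parse_response(card.process(apdu_wrap(packet)))  # management module <-> UICC
    return usb_unpack(usb_pack(data)), sw        # board-side driver -> PC-side driver -> client


if __name__ == "__main__":
    uicc = FakeUicc()
    for req in (b"\x02", b"\x01" + b"1234", b"\x02"):
        data, sw = client_request(uicc, req)
        print(f"{req.hex():>12} -> {sw:04X} {sw_message(sw)} {data!r}")
```

The point worth keeping from the simulation is that each layer only validates its own framing and forwards the rest untouched, which is exactly the "transparent transmission" the patent describes; the one place that must inspect the payload is the management module's handling of SW1 SW2, because a 0x61xx or 0x6Cxx status requires a follow-up APDU before anything is returned to the client.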
  • The embodiments of the present invention combine a wireless network card and a digital certificate into one device, so that the mobile terminal itself has the digital certificate function, the integrated digital certificate function being carried by the mobile terminal.
  • The invention therefore removes the need to add a separate digital certificate device, which is a great convenience for the user.

Abstract

The invention relates to a method for implementing a digital certificate function for a mobile terminal. According to the invention, a mobile terminal is connected to a PC side through a USB interface, then powers on and starts; a USB port is initialized; the PC side determines whether a new USB device connection exists and, if so, maps the port onto the USB interface; a smart card storing a digital certificate in the mobile terminal interacts with a PC-side driver through a smart card management module; and the PC-side driver starts a session of a digital certificate client. The digital certificate function is integrated into the mobile terminal, which considerably simplifies its use for the user.
PCT/CN2013/080133 2012-11-22 2013-07-25 Method for implementing a digital certificate function for a mobile terminal, and mobile terminal WO2013167082A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210478547.3 2012-11-22
CN201210478547.3A CN103023642B (zh) 2012-11-22 2012-11-22 Mobile terminal and method for implementing its digital certificate function

Publications (2)

Publication Number Publication Date
WO2013167082A2 true WO2013167082A2 (fr) 2013-11-14
WO2013167082A3 WO2013167082A3 (fr) 2014-01-03

Family

ID=47971804

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/080133 WO2013167082A2 (fr) 2012-11-22 2013-07-25 Method for implementing a digital certificate function for a mobile terminal, and mobile terminal

Country Status (2)

Country Link
CN (1) CN103023642B (fr)
WO (1) WO2013167082A2 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023642B (zh) * 2012-11-22 2016-02-24 中兴通讯股份有限公司 Mobile terminal and method for implementing its digital certificate function
CN110557755A (zh) * 2018-05-31 2019-12-10 西安中兴新软件有限责任公司 Method, system and apparatus for implementing information processing

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2434724A (en) * 2006-01-13 2007-08-01 Deepnet Technologies Ltd Secure transactions using authentication tokens based on a device "fingerprint" derived from its physical parameters
CN101394615A (zh) * 2007-09-20 2009-03-25 中国银联股份有限公司 Mobile payment terminal and payment method based on PKI technology
CN101931532A (zh) * 2009-09-08 2010-12-29 北京握奇数据系统有限公司 Digital certificate management method based on a telecom smart card, and telecom smart card
CN102737311A (zh) * 2012-05-11 2012-10-17 福建联迪商用设备有限公司 Online banking security authentication method and system
CN103023642A (zh) * 2012-11-22 2013-04-03 中兴通讯股份有限公司 Mobile terminal and method for implementing its digital certificate function

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101282367B (zh) * 2007-04-06 2011-05-25 中兴通讯股份有限公司 Data interaction method between a wireless network card and a computer
CN101477498B (zh) * 2009-01-13 2010-12-22 华为终端有限公司 Method and device for switching ports of a USB device
CN101938520B (zh) * 2010-09-07 2015-01-28 中兴通讯股份有限公司 Remote payment system and method based on mobile terminal signature
CN102548054A (zh) * 2010-12-30 2012-07-04 西安龙飞软件有限公司 Design method for a fixed-line telephone function in a 3G router
CN102547476A (zh) * 2012-02-10 2012-07-04 华为终端有限公司 Home media information device and data transmission method

Also Published As

Publication number Publication date
CN103023642B (zh) 2016-02-24
CN103023642A (zh) 2013-04-03
WO2013167082A3 (fr) 2014-01-03

Similar Documents

Publication Publication Date Title
US11258777B2 (en) Method for carrying out a two-factor authentication
CA2875503C (en) Enterprise-triggered 2CHK association
JP6012125B2 (en) Enhanced 2CHK authentication security with query-type transactions
TWI308832B (en) A method and apparatus for securing communications between a smartcard and a terminal
JP5601729B2 (en) Method for logging a mobile radio device into a mobile radio network
US20070118735A1 (en) Systems and methods for trusted information exchange
CN101167298A (en) Method and apparatus for accessing a SIM card installed in a mobile terminal
CA2914956C (en) Encryption system and method
WO2009039771A1 (en) Mobile payment terminal and payment method based on PKI technology
EP1878161B1 (en) Method and system for electronic re-authentication of a communication party
WO2010045817A1 (en) Key distribution method and system
CN106921496A (en) Digital signature method and system
JP2012521155A (en) Method for manufacturing a product containing a certificate and a key
CN103237305A (en) Smart card password protection method for mobile terminals
WO2008095382A1 (en) Method, system and apparatus for establishing a transport layer security connection
Urien RACS: Remote APDU call secure creating trust for the internet
WO2010045824A1 (en) Key distribution method and system
KR100848966B1 (en) Public-key-based wireless short message security and authentication method
CN102546545A (en) Apparatus and method for securing the transmission of users' important network data
WO2013167082A2 (en) Method for implementing a digital certificate function for a mobile terminal, and mobile terminal
CN103905624B (en) Digital signature generation method and mobile phone terminal
CN2914498Y (en) Information security device based on a USB human interface device (HID) class device
CN112862481A (en) SIM-card-based blockchain digital asset key management method and system
CN107370598A (en) Method for using a smartphone as an electronic key for a personal computer
CN102546573A (en) Internet-based security information interaction system and method

Legal Events

Date Code Title Description
122 EP: PCT application non-entry in European phase
Ref document number: 13788113
Country of ref document: EP
Kind code of ref document: A2