WO2013176502A1 - Method for providing mobile communication provider information and device for performing the same - Google Patents


Info

Publication number
WO2013176502A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
euicc
module
mobile communication
encapsulated
Prior art date
Application number
PCT/KR2013/004536
Other languages
English (en)
Korean (ko)
Inventor
이형진
김관래
김주영
박철현
이진형
정윤필
Original Assignee
주식회사 케이티
Priority claimed from KR1020130057509A (KR102173534B1)
Application filed by 주식회사 케이티
Priority to US14/403,102 (US9924357B2)
Publication of WO2013176502A1
Priority to US15/696,320 (US10462667B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183 Processing at user equipment or user record carrier
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20 Transfer of user or subscriber data

Definitions

  • The present invention relates to a method for providing mobile carrier information to a terminal having a built-in UICC and an apparatus for performing the same.
  • UICC Universal Integrated Circuit Card
  • SMS Short Message Service
  • IMSI International Mobile Subscriber Identity
  • HPLMN Home Public Land Mobile Network
  • The UICC may be referred to as a subscriber identity module (SIM) card in the case of the Global System for Mobile communications (GSM) scheme, and may be referred to as a universal subscriber identity module (USIM) card in the case of a wideband code division multiple access (WCDMA) scheme.
  • SIM subscriber identity module
  • GSM Global System for Mobile communications
  • USIM universal subscriber identity module
  • When the user mounts the UICC on the terminal, the terminal automatically performs user authentication using the information stored in the UICC so that the user can conveniently use the terminal.
  • When the user replaces the terminal, the user can easily do so while maintaining the subscribed mobile communication service and user information simply by mounting the UICC removed from the existing terminal in the new terminal.
  • The user may simply change the mobile communication provider by replacing the UICC inserted in the terminal currently being used with the UICC of another mobile communication provider.
  • A built-in UICC (abbreviated as 'eUICC') provides the same service as a detachable UICC even when, in place of the existing removable plastic structure, a chip-type structure integrated with the terminal is used in order to provide more shock and heat resistance.
  • 'eUICC' Built-in UICC
  • The eUICC is mounted in the terminal at the manufacturing stage of the terminal and released with it, and because its physical structure cannot be detached from the terminal, the eUICC cannot be changed by detaching it.
  • An object of the present invention for solving the above problems is to provide a method for providing mobile carrier information that delivers the mobile carrier information to the eUICC while maintaining high security, and that maintains high security even after the carrier information is stored in the eUICC.
  • Another object of the present invention is to provide an apparatus for providing mobile carrier information that delivers the mobile carrier information to the eUICC while maintaining high security, and that maintains high security even after the mobile carrier information is stored in the eUICC.
  • A method for providing mobile carrier information, performed by a terminal having an eUICC, includes receiving data in which the mobile carrier information is encapsulated, and storing the received data in the eUICC.
  • In the receiving, data in which authentication key information for authentication of the terminal is encapsulated may be received.
  • The data in which the authentication key information is encapsulated may be configured as data of an authentication processing module for processing authentication of the terminal.
  • Data of an encryption module that converts the authentication key information for authentication of the terminal into a format different from its original format may be received.
  • The storing of the received data in the eUICC may include storing an authentication processing module configured to process authentication of the terminal in the eUICC, wherein the mobile communication service provider information includes an authentication key, and the authentication key may be stored in the eUICC in a state encapsulated in the authentication processing module.
  • Any one of an authentication success response, an authentication failure response, and a synchronization failure response may be provided to the terminal.
  • The mobile communication provider information providing method may further include performing a process for preventing the exposure of the authentication key when the authentication key is used after the authentication processing module is stored in the eUICC.
  • A method for providing mobile operator information, performed by a mobile operator server, includes generating a module encapsulating mobile operator information, and transmitting the encapsulated module to a specific terminal.
  • The generating of the module encapsulating the mobile communication provider information may include generating the encapsulated module by encapsulating the authentication key with the mobile communication provider information in the authentication processing module performing the authentication process.
  • The encapsulated module may be generated as a file having the same form as the applet file.
  • The transmitting of the encapsulated module to a specific terminal may include transmitting the encapsulated module to a subscription manager-data preparation (SM-DP), the SM-DP transmitting the encapsulated module to the SM-SR, and transmitting the encapsulated module to the specific terminal through an over the air (OTA) communication scheme.
  • SM-DP subscription manager-data preparation
  • SM-SR subscription manager secure routing
  • OTA over the air
  • An apparatus for providing mobile operator information, for achieving another object of the present invention, includes an eUICC having a module in which the mobile carrier information is encapsulated and a processing unit that performs processing for downloading the module in which the mobile carrier information is encapsulated.
  • The module in which the mobile communication provider information is encapsulated may encapsulate the authentication key of the device, and may be configured as an authentication processing module for performing authentication.
  • The processing unit may receive an authentication request message from the device and provide the authentication request message to the authentication processing module, and receive a response provided as an authentication result from the authentication processing module and provide the response to the device.
  • The authentication processing module performs an authentication process corresponding to the authentication request provided from the processing unit, and may then provide to the device, through the processing unit, any one of an authentication success response indicating authentication success, an authentication failure response indicating authentication failure, and a synchronization failure response indicating synchronization failure.
  • The information of the mobile carrier to be delivered to the eUICC is encapsulated in arbitrary data such as an authentication processing module.
  • The authentication key can be delivered by applying the highest security technique.
  • The information of the mobile communication service provider can be delivered to the eUICC by applying the highest level of security.
  • The authentication key is encapsulated and stored inside the eUICC so that no interface for accessing the authentication key exists; the authentication key therefore cannot be exposed by an external hacking attack using such an interface, which prevents replication of the eUICC.
  • FIG. 1 is a conceptual diagram illustrating an environment in which a method for providing mobile service provider information according to an embodiment of the present invention is executed.
  • FIG. 2 is a conceptual diagram illustrating a method for providing mobile service provider information according to an embodiment of the present invention.
  • FIG. 3 is a flowchart illustrating an authentication process between a terminal and a mobile service provider network.
  • FIG. 4 is a block diagram illustrating a configuration of an eUICC to which a mobile communication service provider information providing method according to another embodiment of the present invention is applied.
  • FIG. 5 is a conceptual diagram illustrating a method for providing mobile carrier information according to another embodiment of the present invention.
  • FIG. 6 is a conceptual diagram illustrating a process of performing authentication processing after an authentication key is stored in an eUICC according to another embodiment of the present invention.
  • FIG. 7 illustrates an example of an authentication interface used in a method for providing mobile carrier information according to another embodiment of the present invention.
  • FIG. 8 illustrates an example of an authentication success response interface used in a method for providing mobile carrier information according to another embodiment of the present invention.
  • FIG. 9 illustrates an example of a synchronization failure response interface used in a method for providing mobile carrier information according to another embodiment of the present invention.
  • FIG. 10 is a flowchart illustrating a method for providing mobile carrier information according to another embodiment of the present invention.
  • FIG. 1 is a conceptual diagram illustrating an environment in which a method for providing mobile service provider information according to an embodiment of the present invention is executed.
  • The method of providing mobile carrier information may be performed in an environment in which a mobile network operator (MNO) server (hereinafter referred to as an MNO server) 110, a subscriber information management server 130, and the eUICC 150 are connected to each other through a network.
  • MNO mobile network operator
  • The MNO server 110 generates the mobile operator information to be provided to the eUICC 150 in order to provide a mobile communication service to a subscriber who has subscribed to a mobile communication service provided by a mobile communication system such as Wideband Code Division Multiple Access (WCDMA) and Long Term Evolution (LTE).
  • WCDMA Wideband Code Division Multiple Access
  • LTE Long Term Evolution
  • the mobile carrier information may be referred to by other terms such as an operator credential, an MNO credential, a profile, an eUICC profile, or a profile package.
  • the subscriber information management server 130 processes functions such as information management for the eUICC 150, information management for various telecommunication service providers, authentication and remote information change according to the change of the mobile communication service provider of the subscriber.
  • The subscriber information management server 130 performs overall management of the eUICC 150, such as issuing mobile operator information to the eUICC 150 and processing a procedure for changing a subscription or changing a mobile carrier.
  • The subscriber information management server 130 may include a subscription manager (abbreviated as "SM") or a profile manager (abbreviated as "PM").
  • SM subscription manager
  • PM profile manager
  • The SM may include the Subscription Manager-Data Preparation (SM-DP), which generates mobile carrier information, and the Subscription Manager Secure Routing (SM-SR), which directly transfers operator information to the eUICC 150.
  • SM-DP Subscription Manager-Data Preparation
  • SM-SR Subscription Manager Secure Routing
  • the SM-DP performs a process such as encryption on the data to be provided to the eUICC 150 by the mobile communication service provider (MNO), configures a package to which security is applied, and delivers it to the SM-SR.
  • MNO mobile communication service provider
  • the package to which security is applied may be composed of mobile communication provider information generated by the MNO server 110.
  • the SM-SR routes to another SM-SR or delivers to the corresponding eUICC 150 so that the security-applied package received from the SM-DP can be normally delivered to the target eUICC 150.
  • OTA over-the-air
  • The eUICC 150 decrypts the OTA package received from the SM-SR through the OTA communication method, extracts the package encrypted by the SM-DP, and decrypts the extracted package to obtain the actual mobile service provider information. The mobile carrier information is then stored in the eUICC 150.
  • FIG. 2 is a conceptual diagram illustrating a method for providing mobile service provider information according to an embodiment of the present invention.
  • the authentication key K will be described as an example of mobile communication provider information provided to the eUICC.
  • The MNO server 210 generates a file including an authentication key K of a subscriber, a UICC data file (for example, a network connection file such as IMSI, HPLMN), a user information file (for example, an SMS file, Phonebook, etc.), applets and the like, and delivers the generated file to the SM-DP 230.
  • the SM-DP 230 encrypts the file provided from the MNO server 210 and then transfers the encrypted file to the SM-SR 250.
  • The SM-DP 230 generates an OTA package including the file to be delivered to the eUICC 270 through the SM-SR 250, and the OTA package may include credentials of the mobile communication service provider (MNO) such as the authentication key K of the subscriber and the UICC data file (for example, IMSI, HPLMN, etc.).
  • K authentication key
  • SM-SR 250 delivers the encrypted OTA package provided from SM-DP 230 to the corresponding eUICC 270.
  • the SM-SR 250 may deliver an OTA package to the eUICC 270 using an encrypted OTA communication method.
  • The eUICC 270 decrypts the encrypted OTA package received from the SM-SR 250 to obtain the authentication key K, the UICC data file, and the like, and stores them.
  • The authentication key K encrypted by the SM-DP 230 and provided to the eUICC 270 is one item of the mobile communication provider information as described above. That is, the authentication key K is a subscriber key shared between the eUICC 270 and the authentication center (AuC) of the mobile communication service provider, and is used for authentication between the network of the mobile communication service provider and the subscriber (or eUICC 270).
  • The authentication key is used for authentication with the mobile operator network and has the highest level of importance in security. If the authentication key K value is exposed, the corresponding eUICC 270 can be duplicated, and the voice call, the multimedia message service (SMS / MMS), the data service, etc. of the subscriber can be hacked through the duplication.
  • The authentication key K, which is important information requiring the highest level of security, is illustrated as being delivered through a wireless network with the same level of security (for example, a simple encryption level) applied as to other information (for example, IMSI, HPLMN, SMS, phonebook, etc.).
  • Because subscriber authentication key information such as the authentication key K is provided to and stored in the eUICC 270 during the opening process of the terminal, it is provided to the eUICC 270 before authentication between the eUICC 270 and the mobile communication network. In this process, an unsecured public wireless network is used.
  • Since the eUICC 270 can be duplicated when the authentication key K is exposed, the authentication key K is information requiring the highest level of security. Therefore, the highest security must be applied to the authentication key K when it is delivered, and the highest security level for the authentication key K must be maintained even inside the eUICC 270.
  • A method for applying the highest level of security to the authentication key K and maintaining the highest level of security even after the authentication key is downloaded into the eUICC 270 is provided.
  • a method of applying the highest level of security to the authentication key K the eUICC 270 receives the authentication key K from the remote, the authentication key K is eUICC (270)
  • the authentication key information K is not used alone.
  • In the authentication process, the terminal receives an input value (for example, a random number value) from the network, performs a predetermined calculation with the internally stored authentication key, and delivers the calculation result to the network.
  • The authentication key only needs to exist in the eUICC 270 in such a way that the eUICC 270 can perform authentication processing with the mobile service provider network without any problem.
  • The authentication key information K does not need to be transmitted or output on its own.
  • FIG. 3 is a flowchart illustrating an authentication process between a terminal and a mobile service provider network.
  • A mobile switching center (MSC) or a serving GPRS support node (SGSN) 330 transmits an authentication data request message to the authentication center 350 to request subscriber authentication data and perform an authentication procedure (S301).
  • the authentication data request message may include IMSI (International Mobile Subscriber Identity) information which is subscriber identification information of the telecommunication service.
  • IMSI International Mobile Subscriber Identity
  • The authentication center 350 distinguishes subscribers using the IMSI information included in the authentication data request message received from the MSC or SGSN 330 and, based on the values of a random number (RAND), K, an authentication management field (AMF), and a sequence number (SQN), generates Expected Response (XRES), Authentication Token (AUTN), Ciphering Key (CK), Integrity Key (IK), and Message Authentication Code (MAC) values (S303).
  • RAND random number
  • AMF authentication management field
  • SQN sequence number
  • XRES Expected Response
  • AUTN Authentication Token
  • CK Ciphering Key
  • IK Integrity Key
  • MAC Message Authentication Code
  • the RAND means a random number, and is generated in a home network operated by a predetermined mobile communication provider and transmitted to the terminal 310.
  • K means a secret key and is called an authentication key; it is stored in both the authentication center 350 of the home network and the USIM mounted on the terminal 310.
  • AMF is used to indicate the type of algorithm used for authentication and which key value was used when generating the authentication vector.
  • SQN is a sequence number; the rules for generating an SQN may differ for each mobile carrier, and the SQN is used to confirm that the authentication vector received by the USIM is a new value.
  • XRES is used to determine the validity of a USIM card.
  • The Authentication Token (AUTN) consists of SQN ⊕ AK, MAC and AMF.
  • Anonymity Key (AK) is used to mask the regularity of the SQN value by masking the increasing SQN value each time authentication is attempted.
  • CK is a value used for a ciphering algorithm, and is used to encrypt data transmitted between the terminal 310 and the MSC or SGSN 330.
  • IK is a value used in the integrity algorithm, and is used to verify the integrity of a signaling message transmitted and received over a radio section.
  • the MAC is used to determine the validity of the network in the terminal 310.
  • The authentication center 350 configures an authentication vector (AV) including RAND, XRES, CK, IK, and AUTN, and transmits n authentication vectors (AV(1...n)) to the MSC or SGSN 330 through an authentication data response message (S305).
  • AV authentication vector
  • One authentication vector consists of RAND, AUTN, CK, IK, and XRES.
  • The AUTN consists of SQN ⊕ AK, MAC, and AMF.
  • The n authentication vectors (AV(1...n)) mean an array of n authentication vectors having a basic configuration of RAND, AUTN, XRES, CK, and IK. That is, AV(i) means an authentication vector composed of RAND(i), AUTN(i), XRES(i), CK(i), and IK(i).
  • The MSC or SGSN 330 selects an authentication vector AV(i) to be used for authentication among the n authentication vectors provided from the authentication center 350, and transmits RAND(i) and AUTN(i) among the components of the selected authentication vector AV(i) to the terminal 310 through an authentication request (AUTHENTICATION REQUEST) message (S307).
  • The terminal 310 transmits the RAND(i) and the AUTN(i) included in the authentication request message received from the MSC or SGSN 330 to the USIM.
  • The USIM takes as input the RAND(i) and AUTN(i) values provided from the terminal 310 and the K value, which is the authentication key stored in the USIM card, and generates RES (Response), XMAC (Expected Message Authentication Code), CK (Ciphering Key), IK (Integrity Key) and SQN (Sequence Number) values (S309).
  • The USIM compares the MAC value provided from the RNC (Radio Network Controller) with the generated XMAC value (S311).
  • If the MAC value and the XMAC value differ, the USIM transmits an AUTHENTICATION REJECT message to the MSC or SGSN 330 (S313).
  • the authentication rejection message may include MAC failure as information indicating a cause of authentication failure.
  • the USIM determines whether the SQN value extracted from the AUTN is within a predetermined SQN range (S315).
  • If the SQN is out of the predetermined range, the USIM generates an Authentication re-Synchronization token (AUTS) and includes, in the AUTHENTICATION REJECT message, synchronization failure information indicating the cause of the authentication failure together with the generated AUTS.
  • AUTS Authentication re-Synchronization token
  • the USIM transmits the generated RES value to the MSC or SGSN 330 by including it in the authentication response (AUTHENTICATION RESPONSE) message (S319).
  • The MSC or SGSN 330 compares the RES value received from the terminal 310 (or USIM) through the AUTHENTICATION RESPONSE message with the XRES value stored in the VLR (Visitor Location Register) / SGSN (S321).
  • The MSC or SGSN 330 selects IK and CK from the authentication vector array (S323), thereby ending the entire authentication procedure.
  • If the MSC or SGSN 330 receives an authentication rejection message from the terminal 310 through step S313, or if the RES value and the XRES value are different from each other, it transmits an authentication failure report (AUTHENTICATION FAILURE REPORT) message to the authentication center 350 (S325).
  • The authentication failure report message may include information such as IMSI, cause of authentication failure, access type, authentication re-attempt information, VLR / SGSN address, and RAND value.
  • When the MSC or SGSN 330 receives an authentication rejection message from the terminal 310 through step S317, the MSC or SGSN 330 sends an authentication data request message to retry authentication (S327).
  • The authentication data request message may include synchronization failure indication information, RAND or AUTS information.
  • The eUICC may include one authentication request message and three response messages, that is, the following.
  • AUTHENTICATION RESPONSE (RES)
  • AUTHENTICATION REJECT (MAC failure)
  • AUTHENTICATION REJECT (Sync failure)
  • This means that if the terminal can process the above three types of responses to the authentication request, the terminal can perform authentication with the mobile operator network even if the authentication key K does not exist alone in the eUICC.
  • FIG. 4 is a block diagram illustrating a configuration of an eUICC to which a mobile communication service provider information providing method according to another embodiment of the present invention is applied.
  • the eUICC 400 may include a processing unit 410 and an authentication processing module 430.
  • the processor 410 may perform a process necessary to download the authentication processing module 430.
  • the processor may execute various applications related to the eUICC 400.
  • the authentication processing module 430 is a module that performs processing related to authentication, and includes an authentication key K 431 encapsulated therein.
  • The authentication key K 431 downloaded by the eUICC 400 from the mobile communication service provider server is not transmitted in a single form, but is encapsulated in a module of a predetermined type and delivered.
  • Encapsulating and transmitting the authentication key K 431 means not transmitting the authentication key K 431 in a single form.
  • Various types of modules may be used for encapsulation of the authentication key K 431.
  • The module used for encapsulation of the authentication key K 431 can be any encryption module that can process the authentication key K 431 together with any other information to convert the authentication key K 431 into a new format different from its original form.
  • The encapsulation module may be configured as an authentication processing module 430 that takes as an input value a specific value that the terminal receives from the network (for example, a random number value) and outputs one of the above-mentioned three responses (i.e., authentication response, authentication rejection (MAC failure), and authentication rejection (synchronization failure)).
  • Since the authentication key K 431 is not delivered in a single form and no specific interface is used for the delivery of the authentication key K 431, there is no possibility that the authentication key K 431 leaks through hacking even when the eUICC 400 downloads the authentication key K 431 over an unauthenticated network.
  • various security techniques are applied in the authentication processing module 430 to prevent the authentication key K 431 from being exposed.
  • the authentication processing module 430 may hide the position where the authentication key K 431 is used for the operation on the memory through a pseudo encryption operation.
  • all the buffers used for encryption / decryption using the authentication key are initialized so that the calculated value cannot be estimated.
  • A countermeasure function is provided during encryption / decryption operations using the authentication key to prevent illegal access.
  • The authentication key required for encryption / decryption may be included in the authentication processing module 430, and thus, even when applying the security scheme as described above, there is no need to newly assign an encryption key.
  • Since the authentication processing module 430 internally has the authentication key K 431, not only the security techniques described above but also a number of other techniques for defending against external attacks may be applied.
  • FIG. 5 is a conceptual diagram illustrating a method for providing mobile carrier information according to another embodiment of the present invention, and illustrates an example of a process in which an eUICC downloads, from an MNO server, a module encapsulating an authentication key K.
  • The MNO server 510 generates a module encapsulating an authentication key K of a subscriber and transmits the generated encapsulation module to the SM-DP 530.
  • the MNO server 510 may encapsulate the authentication key K using the authentication processing module 501.
  • the MNO server 510 may generate the authentication processing module 501 in which the authentication key is encapsulated as a file (or a library) having the same form as a general applet (for example, .cap).
  • the SM-DP 530 transfers the authentication processing module 501 provided from the MNO server 510 to the SM-SR 550.
  • The SM-DP 530 may encrypt the authentication processing module 501 to be delivered to the eUICC 570 through the SM-SR 550 to generate an OTA package, and may deliver the encrypted OTA package to the SM-SR 550.
  • The SM-SR 550 delivers the OTA package provided from the SM-DP 530 to the corresponding eUICC 570.
  • The SM-SR 550 may deliver an OTA package to the eUICC 570 using an encrypted OTA communication method, and the encrypted OTA package may include an authentication processing module 501 in which an authentication key is encapsulated.
  • The eUICC 570 may extract the authentication processing module 501 in which the authentication key is encapsulated by decrypting the encrypted OTA package received from the SM-SR 550, and then store the extracted authentication processing module 501 therein.
  • An authentication key transmitted from the MNO server 510 to the eUICC 570 is converted into a file having a different format (for example, an authentication processing module), and the encapsulated file can be encrypted and delivered to the eUICC 570, thereby raising the security level for delivery of the authentication key to the highest level.
  • The eUICC should be able to perform an authentication function with the mobile service provider network without exposing the authentication key K to the outside.
  • FIG. 6 is a conceptual diagram illustrating a process of performing authentication processing after an authentication key is stored in an eUICC according to another embodiment of the present invention.
  • The terminal 610 and the eUICC 630 are shown as independent blocks, but this is merely for convenience of description; in practice, the eUICC 630 can be mounted in chip form inside the terminal 610.
  • The eUICC 630 simply transmits and receives messages with the terminal 610 through an interface for one to four authentication processes, and provides an authentication function with the mobile service provider network. Even if the authentication key K is not downloaded in a single form, the authentication process requiring the authentication key K can be performed.
  • The processing unit 631 of the eUICC provides the authentication request to the authentication processing module 633.
  • The authentication processing module 633 performs the above-described processing corresponding to the authentication request provided from the processing unit 631, and then provides a response to the authentication request to the processing unit 631. The processing unit 631 provides the response message received from the authentication processing module to the terminal through the corresponding interface among the authentication success response interface 602, the authentication failure response interface 603, and the synchronization failure response interface 604.
  • The authentication interface 601, the authentication success response interface 602, the authentication failure response interface 603, and the synchronization failure response interface 604 may be configured in message form.
  • FIG. 7 illustrates an example of an authentication interface used in a method for providing mobile carrier information according to another embodiment of the present invention.
  • FIG. 8 illustrates an example of an authentication success response interface used in a method for providing mobile carrier information according to another embodiment of the present invention.
  • FIG. 9 illustrates an example of a synchronization failure response interface used in the method for providing mobile carrier information according to another embodiment of the present invention.
  • An authentication interface (or an authentication message) may include a CLA field indicating the class of an instruction, an INS field indicating the instruction, a P1 field indicating a first parameter, a P2 field indicating a second parameter, an Lc field indicating the length of the command data, and a DATA field including authentication-related data.
  • The DATA field may include a random number (RAND) and an authentication token (AUTN) provided from the network.
  • When receiving the authentication message from the terminal, the authentication processing module calculates an XMAC (Expected Message Authentication Code) using the RAND and the secret key (K). Thereafter, the authentication processing module compares the MAC (Message Authentication Code) included in the AUTN with the calculated XMAC to determine whether the two values are the same. In addition, the authentication processing module checks whether the sequence number (SQN) is within a predefined valid area.
  • The authentication processing module calculates RES (Response), which is the authentication response, and informs the terminal that the authentication is successful through the authentication success response interface (or authentication success response message).
  • The authentication processing module also transmits the encryption key CK and the integrity key IK, calculated together with the RES, to the terminal.
  • The authentication success response interface (or authentication success response message) may be configured as illustrated in FIG. 8. That is, the authentication success response interface may include a 'DB' field indicating whether authentication is successful, an RES indicating an authentication value, an encryption key CK, an integrity key IK, and 2G (second generation mobile communication method) encryption key Kc information.
  • The terminal receives the authentication success response message from the eUICC, and transmits the received response (RES) to the network in an authentication response (AUTHENTICATION RESPONSE) message.
  • The network (MSC or SGSN) receiving the authentication response from the terminal compares the RES included in the authentication response message transmitted from the terminal with the XRES (Expected Response) stored in advance.
  • If RES and XRES are the same, the terminal is authenticated on the network side.
  • The terminal and the network configure a secure channel using the encryption key CK and the integrity key IK generated between them, and then perform communication using the secure channel, so that reliability is guaranteed.
  • The terminal transmits to the network an authentication rejection (AUTHENTICATION REJECT) message that corresponds to the authentication failure response message provided from the eUICC and includes information indicating the cause of the failure.
  • Synchronization management is performed to prevent a situation in which an unauthorized user acquires an authentication vector, which is transmitted as it is without encryption in the wireless section, and then uses the acquired authentication vector.
  • Synchronization management means ensuring that an authentication vector that has been used once cannot be reused.
  • The authentication processing module checks the MAC and SQN included in the AUTN delivered from the network. If the calculated XMAC and the MAC delivered from the network are the same but the SQN is not within the valid range, the authentication processing module determines that synchronization has failed and responds to the terminal using a synchronization failure response message (or synchronization failure response interface).
  • The network (authentication center) generates an SQN larger than the value stored in the authentication processing module, and the authentication processing module updates the stored SQN value with the SQN value generated in the network upon successful authentication.
  • Upon synchronization failure, the authentication processing module transmits a synchronization failure response message (or synchronization failure response interface) having the format shown in FIG. 9 to the terminal.
  • The synchronization failure response message may include 'DC' indicating a synchronization failure tag, '0E' indicating the length of AUTS, and AUTS information.
  • The network (authentication center) generates a new authentication vector containing an authentication re-synchronization token (AUTS) sent from the authentication processing module and a prestored RAND.
  • The network checks the MAC-S (Message Authentication Code-Synchronization) of the AUTS. If the MAC-S value is valid, the network updates the SQN, generates a new authentication vector, and performs a reauthentication procedure with the terminal. In general, authentication should succeed after resynchronization.
  • FIG. 10 is a flowchart illustrating a method for providing mobile carrier information according to another embodiment of the present invention, illustrating processing performed by a terminal having an eUICC.
  • A terminal receives data (e.g., an authentication processing module) in which mobile communication provider information such as an authentication key is encapsulated from a network (S1001).
  • The terminal stores the data in the eUICC (S1003).
  • The mobile carrier information encapsulated in the received data is stored in the eUICC while still encapsulated in the data.
  • The terminal determines whether an authentication request is received from the network (S1005), and when an authentication request is received, transmits the parameters included in the authentication request to the eUICC through an authentication interface (S1007).
  • The terminal receives a response corresponding to the authentication request from the eUICC (S1009).
  • The response corresponding to the authentication request may be any one of an authentication success response, an authentication failure response, and a synchronization failure response, as described with reference to FIGS. 6 to 9.
  • The terminal transmits a message corresponding to the response received from the eUICC to the network (S1011).
  • The authentication key transmitted for provision to the eUICC can be delivered by applying the highest security technique.
  • Because the mobile operator profile does not exist in the eUICC before the terminal is opened, authentication is not performed between the terminal and the mobile operator network, and thus the carrier's information has to be conveyed through an open wireless network that is not secured.
  • The information providing method of the mobile communication service provider according to the embodiment of the present invention can be expected to have a greater security effect in such an environment.
  • The authentication key is encapsulated and stored inside the eUICC so that no interface for accessing the authentication key exists; the authentication key is therefore not exposed by an external hacking attack using such an interface, and replication of the eUICC can be prevented.
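The message formats of FIGS. 7 to 9 and the MAC and SQN checks described above, combined in one added example (not code from the patent). Assumptions not stated on this page: HMAC-SHA-256 stands in for the operator's f1 to f5 functions; the command header 00 88 00 81, the length-prefixed RAND and AUTN in DATA, and the status words follow the AUTHENTICATE command of 3GPP TS 31.102; AUTN is laid out as SQN, AMF, MAC without an anonymity key; the SQN window, key, RAND and AMF are constructed values.

```python
import hashlib
import hmac

WINDOW = 32  # assumption: size of the "predefined valid area" for SQN

def _f(key, label, *parts):
    """Stand-in for the operator's f1..f5 (HMAC-SHA-256 here, not Milenage)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def make_module(k, sqn_stored=0):
    """Return the only entry point, authenticate(apdu); no call returns K itself."""
    state = {"sqn": sqn_stored}

    def authenticate(apdu):
        cla, ins, p1, p2, lc = apdu[:5]               # CLA INS P1 P2 Lc
        data = apdu[5:]
        if ins != 0x88 or lc != 34 or len(data) != 34 or data[0] != 16 or data[17] != 16:
            return b"\x67\x00"                        # malformed command
        rand, autn = data[1:17], data[18:34]
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, _f(k, b"f1", sqn, rand, amf)[:8]):
            return b"\x98\x62"                        # authentication failure (MAC != XMAC)
        n = int.from_bytes(sqn, "big")
        if not state["sqn"] < n <= state["sqn"] + WINDOW:
            sqn_ms = state["sqn"].to_bytes(6, "big")  # AUTS = SQN_MS || MAC-S
            auts = sqn_ms + _f(k, b"f1*", sqn_ms, rand)[:8]
            return bytes([0xDC, len(auts)]) + auts    # synchronization failure
        state["sqn"] = n                              # a used vector cannot be reused
        out = b"\xdb"                                 # success: RES, CK, IK, Kc
        for label, size in ((b"f2", 8), (b"f3", 16), (b"f4", 16), (b"c3", 8)):
            out += bytes([size]) + _f(k, label, rand)[:size]
        return out

    return authenticate

def network_challenge(k, sqn, rand, amf=b"\x80\x00"):
    """Network side: AUTHENTICATE APDU carrying RAND and AUTN, plus XRES."""
    sqn_b = sqn.to_bytes(6, "big")
    autn = sqn_b + amf + _f(k, b"f1", sqn_b, rand, amf)[:8]
    data = b"\x10" + rand + b"\x10" + autn
    return bytes([0x00, 0x88, 0x00, 0x81, len(data)]) + data, _f(k, b"f2", rand)[:8]

def parse_response(resp):
    """Split the eUICC reply into (kind, fields...)."""
    if resp[0] == 0xDB:
        fields, i = [], 1
        while i < len(resp):
            fields.append(resp[i + 1:i + 1 + resp[i]])
            i += 1 + resp[i]
        return ("success", *fields)
    if resp[0] == 0xDC:
        return ("sync_failure", resp[2:2 + resp[1]])
    return ("auth_failure", resp)

def demo():
    k, rand = bytes(range(16)), bytes(16)             # constructed key and RAND
    card = make_module(k, sqn_stored=100)
    apdu, xres = network_challenge(k, 101, rand)
    first = parse_response(card(apdu))
    replay = parse_response(card(apdu))               # same vector presented again
    forged = parse_response(card(apdu[:-1] + bytes([apdu[-1] ^ 1])))
    return first, replay, forged, xres
```

A Python closure only illustrates the missing read interface for K; on a real card that isolation is enforced by the platform, not by the language.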

Abstract

The invention relates to a method for providing mobile communication provider information and a device for performing the same. A terminal equipped with an eUICC receives data in which the mobile communication provider information is encapsulated, and stores the received data in the eUICC. Consequently, the mobile communication provider information can be transferred with the highest level of security applied, and copying of the eUICC through external hacking attacks following exposure of the authentication key can be prevented.
PCT/KR2013/004536 2012-05-24 2013-05-23 Method for providing mobile communication provider information and device for performing same WO2013176502A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14/403,102 US9924357B2 (en) 2012-05-24 2013-05-23 Method for providing mobile communication provider information and device for performing same
US15/696,320 US10462667B2 (en) 2012-05-24 2017-09-06 Method of providing mobile communication provider information and device for performing the same

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2012-0055412 2012-05-24
KR20120055412 2012-05-24
KR1020130057509A KR102173534B1 (ko) 2012-05-24 2013-05-22 Method for providing mobile communication provider information and device for performing the same
KR10-2013-0057509 2013-05-22

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US14/403,102 A-371-Of-International US9924357B2 (en) 2012-05-24 2013-05-23 Method for providing mobile communication provider information and device for performing same
US15/696,320 Continuation US10462667B2 (en) 2012-05-24 2017-09-06 Method of providing mobile communication provider information and device for performing the same

Publications (1)

Publication Number Publication Date
WO2013176502A1 true WO2013176502A1 (fr) 2013-11-28

Family

ID=49624112

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2013/004536 WO2013176502A1 (fr) 2012-05-24 2013-05-23 Method for providing mobile communication provider information and device for performing same

Country Status (1)

Country Link
WO (1) WO2013176502A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
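KR20040041120A (ko) * 2004-04-21 2004-05-14 정경래 Real-time customized linking method and system using mobile and mobile communication means
KR20050040961A (ko) * 2003-10-29 2005-05-04 한국전자통신연구원 Method and apparatus for providing a roaming service between access points
KR20080033686A (ko) * 2006-10-13 2008-04-17 삼성전자주식회사 Apparatus and method for controlling a mobile communication terminal in a data communication system
KR20080111374A (ko) * 2007-06-18 2008-12-23 삼성전자주식회사 Method and apparatus for transmitting a broadcast service for mobile communication, and method and apparatus for receiving a broadcast service for mobile communication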

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111465007A (zh) * 2019-01-18 2020-07-28 华为技术有限公司 Authentication method, apparatus and system
CN111465007B (zh) * 2019-01-18 2022-10-11 华为技术有限公司 Authentication method, apparatus and system
WO2021194210A1 (fr) * 2020-03-27 2021-09-30 삼성전자 주식회사 Electronic device and method for using cached data based on subscriber identification information in an electronic device

Similar Documents

Publication Publication Date Title
WO2016010312A1 (fr) Method and device for installing a profile of an embedded universal integrated circuit card (eUICC)
WO2013048084A2 (fr) Profile management method, embedded UICC, and device provided with the embedded UICC
WO2014193188A1 (fr) Method and apparatus for configuring profiles
US10462667B2 (en) Method of providing mobile communication provider information and device for performing the same
WO2016153281A1 (fr) Method and apparatus for downloading a profile in a wireless communication system
WO2013036010A1 (fr) Certification method using an embedded UICC certificate, provisioning and MNO changing methods using the certification method, embedded UICC therefor, MNO system, and recording medium
WO2015065063A1 (fr) Method and apparatus for confirming identity using asymmetric keys in a wireless direct communication network
FI106604B (fi) Method for protecting subscriber identity
WO2013036009A1 (fr) Method for managing an embedded UICC and embedded UICC therefor, and MNO system, provisioning method, and MNO changing method using same
WO2014193181A1 (fr) Method and apparatus for installing a profile
WO2013009045A2 (fr) Method for changing MNO in an embedded SIM based on embedded SIM generation, and embedded SIM and recording medium therefor
EP1879325B1 (fr) Method and system for updating a secret key
WO2013036011A2 (fr) Method for managing a profile of an embedded UICC, and embedded UICC, embedded UICC-equipped terminal, provisioning method, and MNO changing method using same
WO2014171707A1 (fr) Security method and system for supporting mobile communications with a restriction policy on re-subscription or additional subscription
WO2015163623A1 (fr) Method and apparatus for provisioning profiles
WO2018147711A1 (fr) Apparatus and method for eSIM access control
WO2013009059A2 (fr) Method for setting up a terminal in a mobile communication system
WO2019132272A1 (fr) Blockchain-based identifier as a service
WO2019009557A1 (fr) Method and apparatus for examining a digital certificate by an eSIM terminal and server
KR20070112260A (ko) Network-assisted terminal for SIM/UICC key establishment
WO2013066077A1 (fr) Method for managing multiple profiles in an embedded UICC, and embedded UICC and terminal therefor
WO2020050701A1 (fr) Apparatus and method by which an SSP device and a server negotiate digital certificates
CN106332085A (zh) Configuration method for an Internet of Things WiFi network, Internet of Things terminal and routing terminal
WO2012093900A2 (fr) Method and device for authenticating a personal network entity
WO2013065983A1 (fr) Method for modifying rights to a security domain for a data storage card, and corresponding server, data storage card and terminal

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13794699

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 14403102

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 09/03/2015)

122 Ep: pct application non-entry in european phase

Ref document number: 13794699

Country of ref document: EP

Kind code of ref document: A1