WO2016107410A1 - 通信控制装置、鉴权装置、中心控制装置及通信系统 - Google Patents
通信控制装置、鉴权装置、中心控制装置及通信系统 Download PDFInfo
- Publication number
- WO2016107410A1 WO2016107410A1 PCT/CN2015/097559 CN2015097559W WO2016107410A1 WO 2016107410 A1 WO2016107410 A1 WO 2016107410A1 CN 2015097559 W CN2015097559 W CN 2015097559W WO 2016107410 A1 WO2016107410 A1 WO 2016107410A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- control device
- authentication device
- attribute
- setting information
- Prior art date
Links
- 238000004891 communication Methods 0.000 title claims abstract description 85
- 238000012217 deletion Methods 0.000 claims description 6
- 230000037430 deletion Effects 0.000 claims description 6
- 230000006870 function Effects 0.000 description 10
- 230000003993 interaction Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 238000000034 method Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 2
- 230000004075 alteration Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/18—Selecting a network or a communication service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/35—Protecting application or service provisioning, e.g. securing SIM application provisioning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/0005—Control or signalling for completing the hand-off
- H04W36/0055—Transmission or use of information for re-establishing the radio link
- H04W36/0072—Transmission or use of information for re-establishing the radio link of resource information of target access point
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
- H04W8/183—Processing at user equipment or user record carrier
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/14—Reselecting a network or an air interface
Definitions
- the present application relates to the field of communications technologies, and in particular, to a communication control device, an authentication device, and a central control device.
- SIM Subscriber Identity Module
- a common method for writing number data for a SIM card is a remote write card.
- the remote write card is used by the operator during the operation.
- the data is sent to the point of sale (POS) through the remote server.
- POS point of sale
- SIM film card card technology refers to adding a layer of bridge film card with bidirectional input and output (IO) processing capability between the SIM card of the mobile phone and the SIM card slot of the mobile phone. Therefore, on the basis of ensuring the normal interaction between the mobile phone and the SIM card, a customized expansion function is realized by having a programmable film card.
- Common extensions include SIM card user application development tools (SIM TOOL KIT, STK) extensions, over-the-air (OTA) update applications, and more.
- the prior art mainly attaches the SIM film card to the surface of the SIM card in the form of a film, and combines to realize the STK expansion of the ordinary SIM card, so the SIM film card mainly serves as the auxiliary SIM card.
- the function is to make the SIM film card card realize the same user identification and network access function as the SIM card and expand the application.
- the embodiment of the present application provides a communication control device, an authentication device, a central control device, and a communication system.
- the central control device authenticates the authentication device and issues attribute setting information, and controls the authentication device through the communication control device. So that the authentication device sets its own attributes according to the attribute setting information, so that the mobile terminal can select different carrier networks for communication.
- a communication control apparatus which controls an authentication apparatus for performing mobile user identity authentication on a mobile terminal, so that the mobile terminal can select a different carrier network.
- Communication the communication control device has:
- a first obtaining unit configured to acquire identification information of the authentication device
- a first authentication unit configured to send the identification information to a server, so that the server performs identity authentication on the authentication device
- a second obtaining unit configured to acquire a session key from the server, and attribute setting information encrypted by the session key
- a first sending unit configured to send the session key and the encrypted attribute setting information to the authentication device, so that the authentication device obtains the attribute setting information by decrypting, and according to the attribute Setting information to set an operator attribute of the authentication device, wherein the attribute setting information has at least an International Mobile Subscriber Identification Number (IMSI) and an authentication key (Key identifier, Ki).
- IMSI International Mobile Subscriber Identification Number
- Ki Key identifier
- the communication control device is provided to the mobile terminal.
- the communication control device further has a switching control unit
- a handover control unit configured to receive a notification that the authentication device successfully sets the operator attribute, and, if the carrier attribute is two or more, perform carrier attribute according to the received handover instruction Selecting to cause the mobile terminal to switch to communicate with a network corresponding to the selected carrier attribute.
- the communication control device further has:
- a deletion control unit configured to control the authentication device to delete the operator attribute according to the received deletion instruction.
- an authentication apparatus configured to be used by a mobile terminal to perform mobile user identity authentication, so that the mobile terminal communicates in a network, the authentication apparatus having:
- a third obtaining unit configured to acquire, by the communication control device of the mobile terminal, a session key delivered by the server, and attribute setting information encrypted by the session key;
- a decryption unit configured to decrypt the attribute setting information encrypted by the session key according to the decryption algorithm and the session key, to obtain the attribute setting information
- a setting unit configured to set an operator attribute of the authentication device according to the attribute setting information.
- the authentication apparatus further includes a storage unit that stores the attribute setting information, an encryption algorithm, and the decryption algorithm.
- the authentication device further includes a notification unit that transmits the notification information after the setting unit successfully sets the operator attribute.
- the authentication device is a Subscriber Identity Module (SIM) card, a chip that is attached to the customer identification module card, or the customer identification module card.
- SIM Subscriber Identity Module
- a device built into the mobile terminal having an equivalent function.
- a central control device which is disposed at a server, and the central control device has:
- a first receiving unit which receives identification information of an authentication device for performing mobile user identity authentication provided on the mobile terminal
- a second authentication unit configured to perform identity authentication on the authentication device according to the identification information and the encryption information, and establish a session key if the authentication is successful;
- a second sending unit configured to send the session key and the attribute setting information encrypted by the session key to the mobile terminal, so that the authentication device obtains the attribute setting information by decrypting, and according to the Genus
- the attribute setting information is used to set an operator attribute of the authentication device, wherein the attribute setting information is stored in the server.
- the central control device further has a management unit for managing the attribute setting information. .
- the utility model has the beneficial effects that the communication control device can send the encrypted attribute setting information and the session key obtained from the server to the authentication device, and the authentication device can set according to the attribute setting information delivered by the server. Or updating the operator attribute of the authentication device, so that the user can conveniently write the card to the authentication device through the communication control device, thereby improving the flexibility of the user to write the card, and the authentication device has multiple The number resource of the operator enables the user to independently select and use the network service of multiple operators at any time and place.
- FIG. 1 is a schematic diagram of a composition of a communication control apparatus according to an embodiment of the present application.
- FIG. 2 is a schematic diagram of a composition of an authentication apparatus according to an embodiment of the present application.
- FIG. 3 is a schematic diagram of a composition of a central control device according to an embodiment of the present application.
- FIG. 4 is a flow chart of setting a carrier attribute for an authentication device according to the present embodiment.
- the communication control device and the central control device may be implemented by software.
- the communication control device may be an application (Application, APP) used by the mobile terminal, and the central control device may be a program used by the server;
- APP Application, APP
- the present embodiment is not limited thereto, and the communication control device and the central control device may be implemented by hardware or may be implemented by hardware and software.
- the authentication device may be a Subscriber Identity Module (SIM) card, a chip attached to the customer identification module card, such as a SIM film card, or an equivalent function integration with the customer identification module card.
- SIM Subscriber Identity Module
- the device to the mobile terminal such as an eSIM card or the like; the functions of the components of the authentication device can be implemented by software running on the authentication device.
- the software can be an on-chip operating system (Chip Operation System, COS).
- COS Chip Operation System
- the present embodiment is not limited thereto, and the functions of the components of the authentication device may also be implemented by hardware, or may be implemented by hardware and software. The specific implementation manner may refer to the prior art.
- the mobile terminal may be a portable electronic device such as a feature phone, a smartphone or a tablet.
- the embodiment of the present application provides a communication control apparatus, which controls an authentication apparatus for performing mobile user identity authentication on a mobile terminal, so that the mobile terminal can select different carrier networks for communication.
- the communication control apparatus 100 may be provided with a first acquisition unit 101, a first authentication unit 102, a second acquisition unit 103, and a first transmission unit. 104.
- the first obtaining unit 101 is configured to obtain the identification information of the authentication device.
- the identification information may be an Integrated Circuit Card Identity (ICCID).
- ICCID Integrated Circuit Card Identity
- the first authentication unit 102 is configured to send the identification information to the server, so that the server performs identity authentication on the authentication device;
- the second obtaining unit 103 is configured to acquire a session key from the server, and is encrypted by the session key.
- the first sending unit 104 is configured to use the session key and the adding
- the secret attribute setting information is sent to the authentication device, so that the authentication device obtains the attribute setting information by decrypting, and sets the operator attribute of the authentication device according to the attribute setting information.
- the attribute setting information may be, for example, an International Mobile Subscriber Identification Number (IMSI) and an authentication key (Key identifier, Ki), etc.; however, the implementation is not limited thereto, and the attribute is not limited thereto.
- the setting information may also be other information as long as the authentication device can be controlled to set its carrier attribute to enable the mobile terminal to communicate with the network corresponding to the carrier attribute.
- the communication control apparatus can transmit the encrypted attribute setting information and the session key obtained from the server to the authentication apparatus, whereby the authentication apparatus can be under the control of the communication control apparatus
- the attribute setting information such as IMSI and Ki
- IMSI and Ki is set to set or update the operator attribute of the authentication device itself
- the carrier attribute may be, for example, IMSI and Ki, etc., thereby enabling the user to authenticate in a convenient manner.
- the rights device writes the card, so that if the carrier attribute is selected, the corresponding phone number is used to communicate in the network corresponding to the carrier attribute.
- the first obtaining unit 101 can obtain the ICCID of the authentication device by using the ICCID query interface of the authentication device. In addition, the first obtaining unit 101 can also obtain the operator of the authentication device. If the attribute is set, for example, the first obtaining unit 101 can obtain information about whether the IMSI of the authentication device is configured through the IMSI configuration information query interface of the authentication device.
- the server may be requested to send the attribute setting information, if the communication control device acquires the carrier attribute of the authentication device. It has been set up to enable the mobile terminal to communicate using a network corresponding to the carrier attribute.
- the first authentication unit 102 may, for example, invoke the server interaction interface of the communication control device to send the ICCID of the authentication device to the server, so that the server performs identity authentication on the authentication device according to the ICCID. If the identity authentication succeeds, the server can provide the service to the authentication device. If the identity authentication is unsuccessful, the authentication device is not registered in the server in advance and does not belong to the server. In addition, the first authentication unit 102 can also perform identity authentication on the server to confirm whether the server is a legitimate server, and prevent the mobile terminal from connecting to the pseudo server. In this embodiment, the specific manner in which the server authenticates the authentication device and the communication control device performs identity authentication on the server may be in the prior art, and is not particularly limited in this embodiment.
- the second obtaining unit 103 may, for example, invoke a server interaction interface of the communication control device to receive a session key from the server and encrypted attribute setting information.
- the encrypted attribute setting information from the server may be two or more, whereby two or more operator attributes may be set in the authentication device, and the two or more attributes may respectively correspond to different network operators, thereby The mobile terminal can switch between networks provided by a plurality of different network operators.
- the first sending unit 104 can send a session key and encrypted attribute setting information to the authentication device, for example, through an interface for data interaction with the authentication device, so that the authentication device obtains the decryption by decryption.
- the attribute setting information, and setting an operator attribute of the authentication device according to the attribute setting information can be sent to the authentication device, for example, through an interface for data interaction with the authentication device, so that the authentication device obtains the decryption by decryption.
- the attribute setting information, and setting an operator attribute of the authentication device according to the attribute setting information.
- the communication control apparatus 100 may further have a handover control unit 105 for receiving a notification that the authentication apparatus successfully sets the operator attribute, and in the operation In the case where the quotient attribute is two or more, the operator attribute is selected according to the received switching instruction, so that the mobile terminal switches to communicate with the network corresponding to the selected carrier attribute.
- the authentication device of the mobile terminal is provided with more than two carrier attributes, or the mobile terminal is provided with more than two authentication devices, and each authentication device is provided with at least one operator attribute
- the operator corresponding to the two or more operator attributes may be displayed on the user interface (UI) of the mobile terminal, and the user's selection operation on an interface on the interface may be converted into
- the switching instruction is sent to the switching control unit, and further, the switching control unit sends a control signal to the authentication device, so that the authentication device selects the IMSI and Ki corresponding to the operator selected by the user, so that the mobile terminal Switching to communication in the network corresponding to the selected IMSI and Ki.
- the specific method for the authentication device to select the corresponding IMSI and Ki to enable the mobile terminal to communicate in the corresponding network may refer to the prior art, and details are not described herein again.
- the handover control unit 105 can select one of the operator attributes to cause the mobile to switch to communicate with the network corresponding to the selected carrier attribute.
- the communication control apparatus 100 may further have a deletion control unit 106 for controlling the authentication apparatus to delete the operator attribute.
- the deletion control unit 106 may pass The interface for performing data interaction with the authentication device sends a control command for deleting the operator attribute to the authentication device, so that the authentication device deletes the corresponding operator attribute according to the control instruction.
- the communication control device can connect to the Internet via a wireless local area network or the like via a network connection module of the mobile terminal, thereby performing data interaction with the server, thereby being able to learn from the case where the operator's mobile network cannot be covered.
- the device sets the carrier attribute.
- the communication control apparatus 100 may further have an online banking payment unit (not shown).
- the online banking payment unit is used to provide the online banking payment function.
- the online banking payment unit reference may be made to the prior art, which is not described in this embodiment.
- the communication control device 100 can be disposed on the mobile terminal to control the authentication device of the mobile terminal.
- the embodiment is not limited thereto, and the communication device 100 can also be disposed on other mobile terminals or electronic devices to control the authentication device on the mobile terminal by remote control.
- the communication control apparatus can transmit the encrypted attribute setting information and the session key obtained from the server to the authentication apparatus, whereby the authentication apparatus can be based on the control apparatus under the control of the communication control apparatus Attribute setting information delivered by the server, such as information such as IMSI and Ki, to set or update the operator attributes of the authentication device itself, such as IMSI and Ki, etc.; and, by setting the switching control unit, the mobile terminal can be made different Switching between networks without replacing the authentication device, whereby the user can conveniently switch the carrier network used by the mobile terminal; and the communication control device can connect to the Internet through a wireless local area network or the like, and perform data with the server.
- the interaction is to set the operator attribute for the authentication device, whereby the card can be written without relying on the coverage of the mobile network.
- the embodiment of the present application provides an authentication device, which is disposed in a mobile terminal, is configured to perform mobile user identity authentication, so that the mobile terminal communicates in a network, and the authentication device is described in Embodiment 1. Controlled by the communication control device.
- FIG. 2 is a schematic diagram of a composition of the authentication apparatus of the embodiment.
- the authentication apparatus may have a third obtaining unit 201, a decrypting unit 202, and a setting unit 203.
- the third obtaining unit 201 is configured to acquire, by the communication control device of the mobile terminal, a session key sent by the server, and attribute setting information encrypted by the session key; and the decrypting unit 202 is configured to use the decryption algorithm. And decrypting the session key to obtain the attribute setting information; the setting unit 203 is configured to set an operator attribute of the authentication device according to the attribute setting information.
- the third obtaining unit 201 can obtain the session key sent by the server from the communication control device 100 and encrypt the session key through the interface of the data communication with the communication control device 100 of the embodiment 1. Property setting information.
- the decryption unit 202 may decrypt the attribute setting information encrypted by the session key according to the decryption algorithm and the session key to obtain the attribute setting information.
- the decryption The algorithm may be, for example, an SM4 data decryption algorithm and/or a SM3-HMAC (Hash-based Message Authentication Code) algorithm, and the decryption unit 202 may be, for example, by calling an SM4 data encryption/decryption interface and/or an SM3-HMAC algorithm interface.
- the decryption operation is performed to obtain the attribute setting information, such as IMSI and KI.
- the embodiment is not limited thereto, and other decryption algorithms may be used for decryption.
- the setting unit 203 may set the operator attribute of the authentication device according to the attribute setting information.
- the setting unit 203 may invoke the IMSI configuration interface and the Ki configuration interface, and obtain the server according to the decryption.
- the IMSI and Ki are sent to set the IMSI and Ki of the authentication device itself, wherein the IMSI can distinguish and identify the user of the mobile network, and Ki is the key for encrypting data transmission between the authentication device and the operator, and
- the mobile terminal can communicate in a network provided by a network operator corresponding to the ISMI and Ki.
- the authentication apparatus may further have a notification unit 204, after the setting unit 203 successfully sets the operator attribute, send notification information to the communication control apparatus of Embodiment 1. Thereby, the communication control device can confirm that the operator attribute is successfully configured based on the notification information.
- the authentication apparatus may further include a storage unit 205 for storing the attribute setting information, an encryption algorithm, and a decryption algorithm, for example, an SM4 data encryption and decryption algorithm and an SM3-HMAC. Algorithms, etc.
- the authentication apparatus may further provide a data path conforming to a Transport Protocol Data Unit (TPDU) protocol, so that the authentication apparatus performs data transmission with the outside; and further, the authentication The device may also have a noise source read interface, and the description of the noise source read interface may also refer to the prior art.
- TPDU Transport Protocol Data Unit
- the authentication device may further include an ICCID query interface and an IMSI configuration information query interface, etc., for providing the communication control device of Embodiment 1 with the query result of the ICCID and the IMSI configuration information of the authentication device. .
- the authentication device is capable of decrypting the encrypted attribute setting information sent by the server received by the communication control device of the mobile terminal, and then setting the operator attribute of the authentication device according to the attribute setting information.
- the mobile terminal can communicate in a network provided by a network operator corresponding to the carrier attribute.
- the embodiment of the present application provides a central control device, which is disposed at a server.
- FIG. 3 is a schematic diagram of a composition of a central control device according to an embodiment of the present application.
- the central control device 300 has a first receiving unit 301, a second authentication unit 302, and a second transmitting unit 303.
- the first receiving unit 301 receives the identification information of the authentication device for performing mobile user identity authentication on the mobile terminal.
- the identification information may be an integrated circuit card identifier, and the identification information may also be other.
- the second authentication unit 302 performs identity authentication on the authentication device according to the identification information and the encryption information, and establishes a session key if the authentication is successful; the second sending unit 303 sends the session to the mobile terminal. a key and attribute setting information encrypted by the session key, so that the authentication device obtains the attribute setting information by decrypting, and setting an operator attribute of the authentication device according to the attribute setting information, wherein the attribute setting information Stored on this server.
- the first receiving unit 301 can receive the ICCID of the authentication device from the communication control device 100 of Embodiment 1, for example, the first receiving unit 301 can invoke an interface in the server for communicating with the mobile terminal. To receive the ICCID.
- the second authentication unit 302 can perform identity authentication on the authentication device according to the received ICCID and the encrypted information to determine whether to provide services for the authentication device. If the authentication fails, the central control device refuses to provide service for the authentication device; if the authentication is successful, the central control device provides service for the authentication device and establishes a session key.
- the second sending unit 303 may invoke an interface in the server for communicating with the mobile terminal, and send the session key and the attribute setting information encrypted by the session key to the mobile terminal, so that the The authentication device obtains the attribute setting information by decrypting, and sets an operator attribute of the authentication device according to the attribute setting information.
- the attribute setting information may be pre-stored in a database of the server, for example, and the central control device may obtain the attribute setting information by calling an interface that accesses the database, and use the session.
- the key encrypts the attribute setting information.
- the central control device 300 may further include a management unit 304 for managing the attribute setting information.
- the management unit 304 may be configured to update the attribute setting information stored in the server according to the data of the network operator, for example, when the user reports the mobile phone number, the network operator may The information related to the mobile phone number in the database is cleared or changed. At this time, the central control device obtains the number of network operators through the interface provided for the network operator. According to the update information, the management unit 304 further performs update processing such as clearing or changing the attribute setting information stored in the server based on the data update information of the network operator.
- the center control device 300 may further have an internet banking payment interface (not shown).
- the network banking payment interface can be used for an authentication interface between the server and the network bank.
- the central server can issue the attribute setting information to the authentication device in an encrypted manner, whereby the authentication device can obtain the attribute setting information in a secure manner and set its own carrier attribute to make the mobile
- the terminal communicates in a network provided by a network operator corresponding to the carrier attribute.
- Embodiment 4 of the present application provides a communication system, which is composed of the communication control device 100 of Embodiment 1, the authentication device 200 of Embodiment 2, and the central control device of Embodiment 3, and a detailed description of each component device of the system, Reference may be made to Embodiment 1 to Embodiment 3, and the description is not repeated in this embodiment.
- FIG. 4 is a flow chart of setting a carrier attribute for an authentication device according to the present embodiment. As shown in Figure 4, the process includes:
- S1 starting the communication control device 100, and acquiring identification information (for example, ICCID, etc.) of the authentication device and information on whether the IMSI is set;
- identification information for example, ICCID, etc.
- the communication control device 100 transmits the identification information to the central control device 300 (such as ICCID, etc.);
- the central control device performs identity authentication according to the identification information (for example, ICCID, etc.) and the encrypted information.
- the authentication is successful, the session key is established, and the IMSI and the Ki are encrypted by using the session key.
- the communication control device 100 sends the session key and the encrypted IMSI and Ki to the authentication device 200;
- the authentication device 200 decrypts according to the session key and the decryption algorithm to obtain the IMSI and Ki delivered by the server;
- the authentication device 200 sets the IMSI and Ki in the authentication device 200 according to the IMSI and Ki delivered by the server;
- the authentication device 200 transmits the notification information for successfully setting the IMSI and Ki to the communication control device 100.
- an operator attribute can be set for the authentication device 200, that is, a card writing operation is performed on the authentication device.
- the authentication device may also be controlled by the communication control device to delete the operator attribute, that is, perform a card clearing operation on the authentication device.
- the communication control apparatus 100 can control the authentication apparatus to select the IMSI and Ki to make the mobile apparatus Switching to and communicating with the network provided by the operator corresponding to the selected IMSI and Ki.
- the management unit 304 of the central control device 300 can update the attribute setting information stored in the server according to the data of the network operator, thereby stopping the providing of the service to the lost authentication device. That is, the authentication device is lost.
- the network bank payment unit and the central control device 300 of the communication control device 100 can also have a network bank payment interface to implement the function of the network bank payment.
- the intermediate links and restrictions of the conventional write card and the network access can be effectively reduced, and functions such as writing a card, clearing the card, and switching the network can be conveniently performed, thereby improving the user's autonomy.
- the above device of the present application may be implemented by hardware or by hardware combined with software.
- the present application relates to a computer readable program that, when executed by a logic component, enables the logic component to implement the apparatus or components described above, or to implement the various methods described above Or steps.
- the application also relates to a storage medium for storing the above program, such as a hard disk, a magnetic disk, an optical disk, a DVD, a flash memory, or the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Databases & Information Systems (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
- Telephone Function (AREA)
Abstract
本申请提供一种通信控制装置、鉴权装置、中心控制装置及通信系统,该通信控制装置对设置于移动终端的用于进行移动用户身份鉴权的鉴权装置进行控制,以使该移动终端选择不同运营商网络进行通信,该通信控制装置具有:第一获取单元,其获取鉴权装置的识别信息;第一认证单元,其将识别信息发送给服务器,以便服务器进行身份认证;第二获取单元,其获取来自服务器的会话密钥,以及经会话密钥加密的属性设置信息;第一发送单元,其用于将会话密钥和加密的属性设置信息发送给鉴权装置,以便鉴权装置通过解密得到属性设置信息,并根据属性设置信息来设置鉴权装置的运营商属性。本申请能帮助使用者自主改写鉴权装置,以选择使用运营商的网络服务。
Description
本申请涉及通信技术领域,尤其涉及一种通信控制装置、鉴权装置以及中心控制装置。
客户识别模块(Subscriber Identity Module,SIM)卡,是用于实现移动用户身份鉴权的装置,每个用户的SIM卡都要由运营商写入不同的号码数据,从而使得在登陆移动网络后,能够被网络唯一识别并接入。
为SIM卡写入号码数据的常见方法有远程写卡,远程写卡是运营商在运营过程中,当用户开户时,通过远程服务器下发数据到销售终端(Point Of Sells,POS),再利用写卡器即时向SIM卡中写入号码数据的一种操作。
在现有技术中,还存在一种SIM贴膜卡技术,该技术是指通过在手机SIM卡和手机SIM卡槽之间增加一层具有双向输入输出(Input Output,IO)处理能力的桥接薄膜卡,从而在保证手机和SIM卡之间的命令正常交互的基础上,通过带有可编程的薄膜卡,实现自定义的扩展功能。常见的扩展功能包括对SIM卡的用户识别应用发展工具(SIM TOOL KIT,STK)扩展、空中下载(Over-The-Air,OTA)更新应用等。
应该注意,上面对技术背景的介绍只是为了方便对本申请的技术方案进行清楚、完整的说明,并方便本领域技术人员的理解而阐述的。不能仅仅因为这些方案在本申请的背景技术部分进行了阐述而认为上述技术方案为本领域技术人员所公知。
申请内容
本申请的发明人发现,在现有技术中,对于远程写卡,需要额外的写卡硬件设备进行支持,且使用者需前往营业厅由代办员办理。因此,现有的写入号码数据的方法在实际应用中存在以下问题:
1)由于垄断因素存在,国外运营商无法简单通过上述技术直接在国内为用户写卡、发卡;
2)由于受硬件、特制SIM卡等限制,只能间接为用户发卡,用户无法自主、快捷对SIM卡完成写卡、清卡等操作,因此无法自主定制、更换运营商及服务;
3)上述技术及对应系统的设计是从各运营商单方运营角度出发,而非第三方公共平台,因而无法在一张SIM卡上,通过多号码写入、不同运营商号码切换等方式快捷为用户提供多运营商服务共享,或者重写号码信息以实现旧运营商的退出和新运营商的加入。
因此,上述三方面问题增加了网络运营商和移动网络用户的成本和不便。
此外,对于SIM贴膜卡技术而言,现有技术主要将SIM贴膜卡以薄膜的形式附着于SIM卡的表面,结合使用来实现普通SIM卡的STK扩展,因而SIM贴膜卡主要起辅助SIM卡的作用,较少使SIM贴膜卡实现与SIM卡等同的用户身份识别及入网功能并进行应用拓展。
本申请实施例提供一种通信控制装置、鉴权装置、中心控制装置及通信系统,由中心控制装置对鉴权装置进行认证并下发属性设置信息,并通过通信控制装置对鉴权装置进行控制,以使该鉴权装置根据该属性设置信息设置自身的属性,从而实现移动终端可以选择不同运营商网络进行通信。
根据本申请实施例的一个方面,提供一种通信控制装置,对设置于移动终端的用于进行移动用户身份鉴权的鉴权装置进行控制,以使所述移动终端可以选择不同运营商网络进行通信,该通信控制装置具有:
第一获取单元,其用于获取所述鉴权装置的识别信息;
第一认证单元,其用于将所述识别信息发送给服务器,以便所述服务器对所述鉴权装置进行身份认证;
第二获取单元,其用于获取来自服务器的会话密钥,以及经所述会话密钥加密的属性设置信息;以及
第一发送单元,其用于将所述会话密钥和所述加密的属性设置信息发送给所述鉴权装置,以便所述鉴权装置通过解密得到所述属性设置信息,并根据所述属性设置信息来设置所述鉴权装置的运营商属性,其中,所述属性设置信息至少具有国际移动用户识别码(International Mobile Subscriber Identification Number,IMSI)和鉴权密钥(Key identifier,Ki)等。
根据本申请实施例的另一个方面,其中,所述通信控制装置设置于所述移动终端。
根据本申请实施例的另一个方面,其中,所述通信控制装置还具有切换控制单元,
切换控制单元,其用于接收所述鉴权装置成功设置所述运营商属性的通知,并且,在所述运营商属性为两个以上的情况下,根据接收到的切换指令对运营商属性进行选择,以使所述移动终端切换到与所选择的运营商属性对应的网络中进行通信。
根据本申请实施例的另一个方面,其中,所述通信控制装置还具有:
删除控制单元,其用于根据接收到的删除指令控制所述鉴权装置删除所述运营商属性。
根据本申请实施例的再一个方面,提供一种鉴权装置,设置于移动终端,用于进行移动用户身份鉴权,以使所述移动终端在网络中通信,该鉴权装置具有:
第三获取单元,其用于经由所述移动终端的通信控制装置获取服务器下发的会话密钥,以及经所述会话密钥加密的属性设置信息;
解密单元,其用于根据解密算法和所述会话密钥,对经所述会话密钥加密的属性设置信息进行解密,以得到所述属性设置信息;
设置单元,其用于根据所述属性设置信息来设置所述鉴权装置的运营商属性。
根据本申请实施例的另一个方面,其中,所述鉴权装置还具备存储单元,其存储所述属性设置信息、加密算法和所述解密算法。
根据本申请实施例的另一个方面,其中,所述鉴权装置还具备通知单元,其在所述设置单元成功设置所述运营商属性之后,发送通知信息。
根据本申请实施例的另一个方面,其中,所述鉴权装置是客户识别模块(Subscriber Identity Module,SIM)卡、与所述客户识别模块卡贴合的芯片、或者与所述客户识别模块卡具有同等功能的内置于所述移动终端的装置。
根据本申请实施例的又一个方面,提供一种中心控制装置,设置于服务器,所述中心控制装置具有:
第一接收单元,其接收设置于移动终端的用于进行移动用户身份鉴权的鉴权装置的识别信息;
第二认证单元,其用于根据所述识别信息和加密信息,对所述鉴权装置进行身份认证,并且在认证成功的情况下建立会话密钥;以及
第二发送单元,其用于向所述移动终端发送所述会话密钥和经所述会话密钥加密的属性设置信息,以便所述鉴权装置通过解密得到所述属性设置信息,并根据所述属
性设置信息来设置所述鉴权装置的运营商属性,其中,所述属性设置信息存储于所述服务器。
根据本申请实施例的另一个方面,其中,该中心控制装置还具有管理单元,其用于对所述属性设置信息进行管理。。
本申请的有益效果在于:该通信控制装置可以将从服务器获得的加密的属性设置信息和会话密钥发送给鉴权装置,并且,该鉴权装置可以根据服务器下发的属性设置信息,来设置或更新该鉴权装置自身的运营商属性,由此,使用者通过通信控制装置就能够对鉴权装置便捷地进行写卡,提高了使用者写卡的灵活性,使鉴权装置具备多个运营商的号码资源,实现使用者能够随时随地自主选择使用多个运营商的网络服务。
参照后文的说明和附图,详细公开了本申请的特定实施方式,指明了本申请的原理可以被采用的方式。应该理解,本申请的实施方式在范围上并不因而受到限制。在所附权利要求的精神和条款的范围内,本申请的实施方式包括许多改变、修改和等同。
针对一种实施方式描述和/或示出的特征可以以相同或类似的方式在一个或更多个其它实施方式中使用,与其它实施方式中的特征相组合,或替代其它实施方式中的特征。
应该强调,术语“包括/包含”在本文使用时指特征、整件、步骤或组件的存在,但并不排除一个或更多个其它特征、整件、步骤或组件的存在或附加。
所包括的附图用来提供对本申请实施例的进一步的理解,其构成了说明书的一部分,用于例示本申请的实施方式,并与文字描述一起来阐释本申请的原理。显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。在附图中:
图1是本申请实施例的通信控制装置的一组成示意图;
图2是本申请实施例的鉴权装置的一组成示意图;
图3是本申请实施例的中心控制装置的一组成示意图;
图4是根据本实施例的通信系统为鉴权装置设置运营商属性的一个流程图。
参照附图,通过下面的说明书,本申请的前述以及其它特征将变得明显。在说明书和附图中,具体公开了本申请的特定实施方式,其表明了其中可以采用本申请的原则的部分实施方式,应了解的是,本申请不限于所描述的实施方式,相反,本申请包括落入所附权利要求的范围内的全部修改、变型以及等同物。下面结合附图对本申请的各种实施方式进行说明。这些实施方式只是示例性的,不是对本申请的限制。
在本申请中,通信控制装置和中心控制装置可以由软件实现,例如,该通信控制装置可以是移动终端使用的应用程序(Application,APP),该中心控制装置可以是服务器所使用的程序;然而,本实施例并不限于此,该通信控制装置和中心控制装置还可以由硬件实现,也可以由硬件结合软件实现,具体的实现方式可以参考现有技术。
在本申请中,该鉴权装置可以是客户识别模块(Subscriber Identity Module,SIM)卡,与该客户识别模块卡贴合的芯片例如SIM贴膜卡,或者与该客户识别模块卡具有同等功能的集成到该移动终端的装置例如eSIM卡等;该鉴权装置各部件的功能可以由运行在该鉴权装置上的软件来实现,例如,该软件可以是芯片上的操作系统(Chip Operation System,COS)。然而,本实施例并不限于此,该鉴权装置各部件的功能还可以由硬件实现,也可以由硬件结合软件实现,具体的实现方式可以参考现有技术。
在本申请中,移动终端可以是功能手机、智能手机或平板电脑等便携式电子设备。
实施例1
本申请实施例提供一种通信控制装置,对设置于移动终端的用于进行移动用户身份鉴权的鉴权装置进行控制,以使该移动终端可以选择不同运营商网络进行通信。
图1是本实施例的通信控制装置的一个构成示意图,如图1所示,该通信控制装置100可以具备第一获取单元101、第一认证单元102、第二获取单元103和第一发送单元104。
其中,第一获取单元101用于获取该鉴权装置的识别信息,例如,该识别信息可以是集成电路卡识别码(Integrate Circuit Card Identity,ICCID),当然该识别信息也可以是其它的信息;第一认证单元102用于将该识别信息发送给服务器,以便该服务器对该鉴权装置进行身份认证;第二获取单元103用于获取来自服务器的会话密钥,以及经该会话密钥加密的属性设置信息;第一发送单元104用于将该会话密钥和该加
密的属性设置信息发送给该鉴权装置,以便该鉴权装置通过解密得到该属性设置信息,并根据该属性设置信息来设置该鉴权装置的运营商属性。
在本实施例中,该属性设置信息例如可以是国际移动用户识别码(International Mobile Subscriber Identification Number,IMSI)和鉴权密钥(Key identifier,Ki)等;然而本实施并不限于此,该属性设置信息还可以是其它的信息,只要能控制该鉴权设备设置其运营商属性以使移动终端能够在与该运营商属性对应的网络通信即可。
通过本实施例,该通信控制装置可以将从服务器获得的加密的属性设置信息和会话密钥发送给鉴权装置,由此,在该通信控制装置的控制下,该鉴权装置可以根据服务器下发的属性设置信息,例如IMSI和Ki等信息,来设置或更新该鉴权装置自身的运营商属性,该运营商属性例如可以是IMSI和Ki等,由此,用户能够以便捷的方式对鉴权装置进行写卡,从而在选择了该运营商属性的情况下,使用相应的电话号码在与该运营商属性对应的网络中进行通信。
在本实施例中,该第一获取单元101可以通过该鉴权装置的ICCID查询接口,来获取该鉴权装置的ICCID;此外,该第一获取单元101还可以获取该鉴权装置的运营商属性是否被设置的信息,例如,该第一获取单元101可以通过该鉴权装置的IMSI配置信息查询接口来获取该鉴权装置的IMSI是否被配置的信息。
在本实施例中,如果该通信控制装置获取到该鉴权装置的运营商属性还没有被设置,可以请求服务器下发属性设置信息,如果该通信控制装置获取到该鉴权装置的运营商属性已经被设置,可以使该移动终端使用与该运营商属性对应的网络进行通信。
在本实施例中,第一认证单元102例如可以调用该通信控制装置的服务器交互接口向该服务器发送该鉴权装置的ICCID,以便服务器根据该ICCID对该鉴权装置进行身份认证。如果身份认证成功,那么该服务器可以对该鉴权装置提供服务,如果身份认证不成功,说明该鉴权装置没有提前登记于该服务器,不属于该服务器的服务对象。此外,该第一认证单元102还可以对该服务器进行身份认证,以确认该服务器是否合法的服务器,防止移动终端连接到伪服务器。在本实施例中,服务器对鉴权装置进行认证以及通信控制装置对服务器进行身份认证的具体方式可以是现有技术中的方式,本实施例不做特别限制。
在本实施例中,第二获取单元103例如可以调用该通信控制装置的服务器交互接口,来接收来自服务器的会话密钥以及加密的属性设置信息。并且,在本实施例中,
来自服务器的加密的属性设置信息可以是两个以上,由此,可以在该鉴权装置中设置两个以上的运营商属性,该两个以上的属性可以分别对应不同的网络运营商,从而使该移动终端可以在多个不同的网络运营商提供的网络间切换。
在本实施例中,第一发送单元104例如可以通过与该鉴权装置进行数据交互的接口,向该鉴权装置发送会话密钥以及加密的属性设置信息,以便所述鉴权装置通过解密得到所述属性设置信息,并根据所述属性设置信息来设置所述鉴权装置的运营商属性。
在本实施例中,如图1所示,该通信控制装置100还可以具有切换控制单元105,其用于接收所述鉴权装置成功设置所述运营商属性的通知,并且,在所述运营商属性为两个以上的情况下,根据接收到的切换指令对运营商属性进行选择,以使所述移动终端切换到与所选择的运营商属性对应的网络中进行通信。例如,该移动终端的鉴权装置被设置有两个以上的运营商属性,或者该移动终端设置有两个以上的鉴权装置,且每个鉴权装置都被设置有至少一个运营商属性的情况下,可以在该移动终端的用户界面(User Iterface,UI)上显示该两个以上的运营商属性所对应的运营商,并且用户在界面上对某一运营商的选择操作可以被转化为切换指令发送到该切换控制单元,进而,该切换控制单元向该鉴权装置发送控制信号,以使该鉴权装置选择与用户所选择的运营商对应的IMSI和Ki,以使所述移动终端切换到与所选择的IMSI和Ki对应的网络中进行通信。在本实施例中,鉴权装置选择相应的IMSI和Ki,以使移动终端在相应的网络中进行通信的具体方法,可以参考现有技术,本实施例不再赘述。
该切换控制单元105可以选择其中的一个运营商属性,以使该移动切换到与所选择的运营商属性对应的网络中进行通信。
在本实施例中,如图1所示,该通信控制装置100还可以具有删除控制单元106,其用于控制所述鉴权装置删除所述运营商属性,例如,该删除控制单元106可以通过与该鉴权装置进行数据交互的接口,向该鉴权装置发送删除运营商属性的控制指令,以便该鉴权装置根据该控制指令删除相应的运营商属性。
在本申请中,通信控制装置可以经由移动终端的网络连接模块通过无线局域网等连接到互联网,从而与服务器进行数据交互,由此,在运营商的移动网络无法覆盖的情况下,也可以为鉴权装置设置运营商属性。
此外,在本实施例中,该通信控制装置100还可以具有网络银行支付单元(图未
示),该网银支付单元用于提供网银支付功能,关于该网银支付单元的实现方式,可以参考现有技术,本实施例不再赘述。
在本实施例中,该通信控制装置100可以被设置于该移动终端,从而控制该移动终端的鉴权装置。但本实施例并不限于此,该通信装置100还可以被设置于其它的移动终端或电子设备,通过远程控制的方式控制本移动终端上的该鉴权装置。
通过本申请的实施例,该通信控制装置可以将从服务器获得的加密的属性设置信息和会话密钥发送给鉴权装置,由此,在该通信控制装置的控制下,该鉴权装置可以根据服务器下发的属性性设置信息,例如IMSI和Ki等信息,来设置或更新该鉴权装置自身的运营商属性,例如IMSI和Ki等;并且,通过设置切换控制单元,可以使移动终端在不同的网络间切换,而无需更换鉴权装置,由此,用户能够方便地对移动终端所使用的运营商网络进行切换;并且,通信控制装置可以通过无线局域网等连接到互联网,并与服务器进行数据交互,从而为鉴权装置设置运营商属性,由此,能够不依赖移动网络的覆盖而进行写卡。
实施例2
本申请实施例提供一种鉴权装置,其设置于移动终端,用于进行移动用户身份鉴权,以使所述移动终端在网络中通信,并且,该鉴权装置被实施例1所述的通信控制装置所控制。
图2是本实施例的鉴权装置的一个组成示意图,如图2所示,该鉴权装置可以具有第三获取单元201,解密单元202和设置单元203。
其中,第三获取单元201,其用于经由所述移动终端的通信控制装置获取服务器下发的会话密钥,以及经所述会话密钥加密的属性设置信息;解密单元202用于根据解密算法和所述会话密钥,进行解密,以得到所述属性设置信息;设置单元203用于根据所述属性设置信息来设置所述鉴权装置的运营商属性。
在本实施例中,该第三获取单元201可以通过与实施例1的通信控制装置100进行数据交互的接口,从该通信控制装置100获取服务器下发的会话密钥和经过该会话密钥加密的属性设置信息。
在本实施例中,解密单元202可以根据解密算法和该会话密钥,对经过该会话密钥加密的属性设置信息进行解密,以获得该属性设置信息。自本实施例中,该解密
算法例如可以是SM4数据解密算法和/或SM3-HMAC(Hash-based Message Authentication Code)算法,并且,该解密单元202例如可以通过调用SM4数据加解密接口和/或SM3-HMAC算法接口等,来实施该解密操作,以获得该属性设置信息,例如IMSI和KI。当然,本实施例并不限于此,还可以采用其它的解密算法进行解密。
在本实施例中,该设置单元203可以根据属性设置信息来设置该鉴权装置自身的运营商属性,例如,该设置单元203可以调用IMSI配置接口和Ki配置接口,并根据解密得到的服务器下发的IMSI和Ki,来设置该鉴权设备自身的IMSI和Ki,其中,IMSI可以对移动网络的用户进行区分识别,Ki是该鉴权设备与运营商之间加密数据传递的密钥,并且,根据IMSI和Ki,该移动终端可以在与该ISMI和Ki对应的网络运营商提供的网络中进行通信。
在本实施例中,如图1所示,该鉴权装置还可以具有通知单元204,其在所述设置单元203成功设置所述运营商属性之后,向实施例1的通信控制装置发送通知信息,由此,该通信控制装置能够根据该通知信息,确认所述运营商属性被成功配置。
在本实施例中,如图1所示,该鉴权装置还可以具备存储单元205,其用于存储所述属性设置信息、加密算法和解密算法,例如,SM4数据加解密算法和SM3-HMAC算法等。
此外,在本实施例中,该鉴权装置还可以提供符合传输协议数据单元(Transport Protocol Data Unit,TPDU)协议的数据通路,以便于该鉴权装置与外部进行数据传输;此外,该鉴权装置还可以具有噪声源读取接口,对于该噪声源读取接口的说明也可以参考现有技术。
此外,在本实施例中,该鉴权装置还可以具有ICCID查询接口和IMSI配置信息查询接口等,用于向实施例1的通信控制装置提供该鉴权装置的ICCID和IMSI配置信息的查询结果。
根据本实施例,该鉴权装置能够经由移动终端的通信控制装置接收的服务器下发的加密的属性设置信息,并解密,进而根据该属性设置信息设置该鉴权装置自身的运营商属性,由此,使该移动终端可以在与该运营商属性对应的网络运营商提供的网络中进行通信。
实施例3
本申请实施例提供一种中心控制装置,其设置于服务器。
图3是本申请实施例的中心控制装置的一个组成示意图,如图3所示,该中心控制装置300具有第一接收单元301,第二认证单元302和第二发送单元303。
其中,该第一接收单元301接收设置于移动终端的用于进行移动用户身份鉴权的鉴权装置的识别信息,例如该识别信息可以是集成电路卡识别码,当然该识别信息也可以是其它的信息;第二认证单元302根据该识别信息和加密信息,对所述鉴权装置进行身份认证,并且在认证成功的情况下建立会话密钥;第二发送单元303向该移动终端发送该会话密钥和经该会话密钥加密的属性设置信息,以便该鉴权装置通过解密得到该属性设置信息,并根据该属性设置信息来设置该鉴权装置的运营商属性,其中,该属性设置信息存储于该服务器。
在本实施例中,第一接收单元301可以从实施例1的通信控制装置100接收鉴权装置的ICCID,例如,该第一接收单元301可以调用该服务器中用于与移动终端进行通信的接口,来接收该ICCID。
在本实施例中,该第二认证单元302可以根据接收到的ICCID和加密信息来对该鉴权装置进行身份认证,以决定是否为该鉴权装置提供服务。如果认证失败,该中心控制装置拒绝为该鉴权装置提供服务;如果认证成功,则中心控制装置为该鉴权装置提供服务,并且建立会话密钥。
在本实施例中,该第二发送单元303可以调用该服务器中用于与移动终端进行通信的接口,向移动终端发送该会话密钥和经过该会话密钥加密的属性设置信息,以便所述鉴权装置通过解密得到所述属性设置信息,并根据所述属性设置信息来设置所述鉴权装置的运营商属性。
在本实施例中,该属性设置信息例如可以被预先存储在该服务器的数据库中,并且,该中心控制装置可以通过调用对该数据库进行访问的接口,来得到该属性设置信息,并使用该会话密钥对该属性设置信息进行加密。
在本实施例中,该中心控制装置300还可以具备管理单元304,其用于对所述属性设置信息进行管理。在一个具体的实施方式中,该管理单元304可以用于根据网络运营商的数据,更新存储于该服务器的属性设置信息,例如,当用户对手机号码进行挂失时,网络运营商的数据库中可以将数据库中与该手机号码相关的信息进行清除或变更,此时,该中心控制装置通过为网络运营商提供的接口,获得了网络运营商的数
据更新信息,进而,该管理单元304根据网络运营商的数据更新信息,对存储于服务器的对应的该属性设置信息进行清除或变更等更新处理。
此外,在本实施例中,该中心控制装置300还可以具有网络银行支付接口(未图示)。在该移动终端进行网络银行支付时,该网络银行支付接口可以用于该服务器与网络银行之间的认证接口。
根据本实施例,中心服务器可以以加密的方式对鉴权装置下发属性设置信息,由此,该鉴权装置能够以安全的方式获得属性设置信息,并设置自身的运营商属性,以使移动终端在该运营商属性对应的网络运营商提供的网络中通信。
实施例4
本申请实施例4提供一种通信系统,由实施例1的通信控制装置100,实施例2的鉴权装置200,以及实施例3的中心控制装置组成,关于该系统各组成装置的具体说明,可以参考实施1-实施例3,本实施例不再重复说明。
图4是根据本实施例的通信系统为鉴权装置设置运营商属性的一个流程图。如图4所示,该流程包括:
S1,启动该通信控制装置100,并获取鉴权装置的识别信息(例如ICCID等)和IMSI是否被设置的信息;
S2,如果判断为IMSI没有被设置,说明此鉴权装置没有被开通,进而,在接收到用户发送的开通该鉴权装置的指令后,该通信控制装置100向中心控制装置300发送识别信息(例如ICCID等);
S3,中心控制装置根据识别信息(例如ICCID等)和加密信息进行身份认证,在认证成功的情况下,建立会话密钥,并使用会话密钥对IMSI和Ki进行加密;
S4,将会话密钥和加密的IMSI和Ki发送给通信控制装置100;
S5,通信控制装置100将会话密钥和加密的IMSI和Ki发送给鉴权装置200;
S6,鉴权装置200根据会话密钥和解密算法进行解密,以得到服务器下发的IMSI和Ki;
S7,鉴权装置200根据服务器下发的IMSI和Ki,设置该鉴权装置200中的IMSI和Ki;
S8,鉴权装置200向通信控制装置100发送成功设置IMSI和Ki的通知信息。
根据图4的S1-S8能够为鉴权装置200设置运营商属性,即,对该鉴权装置进行写卡操作。
此外,在本实施例中,还可以通过该通信控制装置,来控制该鉴权装置删除运营商属性,即,对鉴权装置进行清卡操作。
此外,在本实施例中,当在上述步骤S2中判断为鉴权装置200的IMSI已经被设置的情况下,该通信控制装置100可以控制鉴权装置对IMSI和Ki进行选择,以使移动装置切换到与该选择的IMSI和Ki对应的运营商所提供的网络并进行通信。
此外,在本实施例中,该中心控制装置300的管理单元304,可以根据网络运营商的数据,更新存储于该服务器的属性设置信息,由此,可以对遗失的鉴权装置停止提供服务,即,对鉴权装置进行卡挂失。
此外,在本实施例中,还可以通过通信控制装置100的网络银行支付单元和中心控制装置300还可以具有网络银行支付接口实现网络银行支付的功能。
根据本实施例,能够有效减少传统的写卡及入网的中间环节和限制条件,能够方便地进行写卡、清卡和网络切换等功能,提高了用户的自主选择权。
本申请以上的装置可以由硬件实现,也可以由硬件结合软件实现。本申请涉及这样的计算机可读程序,当该程序被逻辑部件所执行时,能够使该逻辑部件实现上文所述的装置或构成部件,或使该逻辑部件实现上文所述的各种方法或步骤。本申请还涉及用于存储以上程序的存储介质,如硬盘、磁盘、光盘、DVD、flash存储器等。
以上结合具体的实施方式对本申请进行了描述,但本领域技术人员应该清楚,这些描述都是示例性的,并不是对本申请保护范围的限制。本领域技术人员可以根据本申请的精神和原理对本申请做出各种变型和修改,这些变型和修改也在本申请的范围内。
Claims (10)
- 一种通信控制装置,对设置于移动终端的用于进行移动用户身份鉴权的鉴权装置进行控制,以使所述移动终端选择不同运营商网络进行通信,所述通信控制装置设置于所述移动终端,并且,该通信控制装置具有:第一获取单元,其用于获取所述鉴权装置的识别信息;第一认证单元,其用于将所述识别信息发送给服务器,以便所述服务器对所述鉴权装置进行身份认证;第二获取单元,其在所述服务器进行身份认证成功的情况下,获取来自服务器的会话密钥,以及经所述会话密钥加密的属性设置信息;以及第一发送单元,其用于将所述会话密钥和所述加密的属性设置信息发送给所述鉴权装置,以便所述鉴权装置通过解密得到所述属性设置信息,并根据所述属性设置信息来设置所述鉴权装置的运营商属性,其中,所述属性设置信息至少具有国际移动用户识别码(International Mobile Subscriber Identification Number,IMSI)和鉴权密钥(Key identifier,Ki),所述通信控制装置通过连接到互联网,与所述服务器进行数据交换。
- 如权利要求1所述的通信控制装置,其中,所述通信控制装置设置于所述移动终端。
- 如权利要求1所述的通信控制装置,其中,所述通信控制装置还具有:切换控制单元,其用于接收所述鉴权装置成功设置所述运营商属性的通知,并且,在所述运营商属性为两个以上的情况下,根据接收到的切换指令对运营商属性进行选择,以使所述移动终端切换到与所选择的运营商属性对应的网络中进行通信。
- 如权利要求1所述的通信控制装置,其中,所述通信控制装置还具有:删除控制单元,其用于根据接收到的删除指令控制所述鉴权装置删除所述运营商属性。
- 一种鉴权装置,设置于移动终端,用于进行移动用户身份鉴权,以使所述移动终端在网络中通信,该鉴权装置具有:第三获取单元,其与设置于所述移动终端的通信控制装置通信,以接收所述通信控制装置所获取的服务器下发的会话密钥,以及经所述会话密钥加密的属性设置信 息;解密单元,其用于根据解密算法和所述会话密钥,对经所述会话密钥加密的属性设置信息进行解密,以得到所述属性设置信息;设置单元,其用于根据所述属性设置信息来设置所述鉴权装置的运营商属性,其中,所述属性设置信息至少具有国际移动用户识别码(International Mobile Subscriber Identification Number,IMSI)和鉴权密钥(Key identifier,Ki),所述通信控制装置通过连接到互联网,与所述服务器进行数据交换。
- 如权利要求5所述的鉴权装置,其中,所述鉴权装置还具有:存储单元,其存储所述属性设置信息、加密算法和所述解密算法。
- 如权利要求5所述的鉴权装置,其中,所述鉴权装置还具有:通知单元,其在所述设置单元成功设置所述运营商属性之后,发送通知信息。
- 如权利要求5所述的鉴权装置,其中,所述鉴权装置是客户识别模块(Subscriber Identity Module,SIM)卡、与所述客户识别模块卡贴合的芯片、或者与所述客户识别模块卡具有同等功能的内置于所述移动终端的装置。
- 一种中心控制装置,设置于服务器,所述中心控制装置具有:第一接收单元,其与设置于移动终端的通信控制装置通信,从而接收设置于移动终端的用于进行移动用户身份鉴权的鉴权装置的识别信息;第二认证单元,其用于根据所述识别信息和加密信息,对所述鉴权装置进行身份认证,并且在认证成功的情况下建立会话密钥;以及第二发送单元,其用于向设置于所述移动终端的所述通信控制装置发送所述会话密钥和经所述会话密钥加密的属性设置信息,以便所述通信控制装置将所述会话密钥和所述加密的属性设置信息发送给所述鉴权装置,并由所述鉴权装置通过解密得到所述属性设置信息,并根据所述属性设置信息来设置所述鉴权装置的运营商属性,其中,所述属性设置信息至少具有国际移动用户识别码(International Mobile Subscriber Identification Number,IMSI)和鉴权密钥(Key identifier,Ki),所述通信控制装置通过连接到互联网,与所述服务器进行数据交换。
- 如权利要求9所述的中心控制装置,其中,该中心控制装置还具有:管理单元,其用于对所述属性设置信息进行管理。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410838428.3 | 2014-12-30 | ||
CN201410838428.3A CN104519480B (zh) | 2014-12-30 | 2014-12-30 | 通信控制装置、鉴权装置、中心控制装置及通信系统 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016107410A1 true WO2016107410A1 (zh) | 2016-07-07 |
Family
ID=52794088
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/097559 WO2016107410A1 (zh) | 2014-12-30 | 2015-12-16 | 通信控制装置、鉴权装置、中心控制装置及通信系统 |
Country Status (13)
Country | Link |
---|---|
US (1) | US9723549B2 (zh) |
EP (1) | EP3041189A1 (zh) |
JP (1) | JP2016127598A (zh) |
KR (1) | KR101727414B1 (zh) |
CN (1) | CN104519480B (zh) |
AU (1) | AU2015261578B2 (zh) |
CA (1) | CA2913456C (zh) |
HK (1) | HK1207233A1 (zh) |
MY (1) | MY175039A (zh) |
RU (1) | RU2636679C2 (zh) |
SG (1) | SG10201509653XA (zh) |
TW (1) | TW201625029A (zh) |
WO (1) | WO2016107410A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9723549B2 (en) | 2014-12-30 | 2017-08-01 | Youyoubao (Tianjin) Network Technology Co., Ltd. | Communication control apparatus, authentication device, central control apparatus and communication system |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106162522B (zh) * | 2016-03-04 | 2017-11-24 | 悠游宝(天津)网络科技有限公司 | 用于通用可配置鉴权装置的通信控制装置和中心控制装置 |
CN106102035A (zh) * | 2016-05-25 | 2016-11-09 | 南京酷派软件技术有限公司 | 嵌入式用户身份识别卡的切换方法、装置、终端和服务器 |
CN107659926A (zh) * | 2016-07-25 | 2018-02-02 | 中兴通讯股份有限公司 | Sim卡信息传输方法及装置 |
WO2018023733A1 (en) * | 2016-08-05 | 2018-02-08 | Nokia Technologies Oy | Privacy preserving authentication and key agreement protocol for apparatus-to-apparatus communication |
JP6408536B2 (ja) * | 2016-11-17 | 2018-10-17 | Kddi株式会社 | 通信システム、通信装置、サーバ装置、通信方法、及びコンピュータプログラム |
US11082212B2 (en) | 2017-12-26 | 2021-08-03 | Industrial Technology Research Institute | System and method for communication service verification, and verification server thereof |
CN109819434A (zh) * | 2019-01-11 | 2019-05-28 | 深圳市斯凯荣科技有限公司 | 一种基于eSIM的卡池系统及控制方法 |
CN110636501B (zh) * | 2019-09-20 | 2023-04-07 | 北京芯盾集团有限公司 | 移动位置信息隐藏方法及系统 |
CN110708739B (zh) * | 2019-10-21 | 2022-05-13 | 中国联合网络通信集团有限公司 | 一种网络连接方法、装置及系统 |
US11197154B2 (en) | 2019-12-02 | 2021-12-07 | At&T Intellectual Property I, L.P. | Secure provisioning for wireless local area network technologies |
CN112055351B (zh) * | 2020-09-11 | 2023-04-07 | 太思隆达科技(北京)有限公司 | 薄型智能卡数据更新方法及设备 |
CN114267123B (zh) * | 2021-12-15 | 2023-08-04 | 新奥(中国)燃气投资有限公司 | 用于燃气计量表的智能nfc卡及其通信处理方法 |
US20230388280A1 (en) * | 2022-05-25 | 2023-11-30 | CybXSecurity LLC | System, Method, and Computer Program Product for Generating Secure Messages for Messaging |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006095216A1 (en) * | 2005-03-11 | 2006-09-14 | N-Tel Communications Limited | Communications method and system |
CN102711096A (zh) * | 2012-05-30 | 2012-10-03 | 中国联合网络通信集团有限公司 | 空中写卡的方法、装置及终端 |
CN103716781A (zh) * | 2013-12-27 | 2014-04-09 | 北京大唐智能卡技术有限公司 | 一种实现移动终端智能卡写卡的方法、装置及系统 |
US20140148162A1 (en) * | 2011-05-23 | 2014-05-29 | Gigsky, Inc. | GLOBAL e-MARKETPLACE FOR MOBILE SERVICES |
CN104519480A (zh) * | 2014-12-30 | 2015-04-15 | 悠游宝(天津)网络科技有限公司 | 通信控制装置、鉴权装置、中心控制装置及通信系统 |
CN105101163A (zh) * | 2015-07-22 | 2015-11-25 | 联通兴业通信技术有限公司 | 空中写卡的方法和装置 |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2879867A1 (fr) * | 2004-12-22 | 2006-06-23 | Gemplus Sa | Systeme d'allocation de carte a puce a un operateur de reseau |
JP5078915B2 (ja) * | 2006-02-17 | 2012-11-21 | ケーティーフリーテル・カンパニー・リミテッド | Icカード、icカードが搭載された端末機及びその初期化方法 |
CN101222723B (zh) * | 2008-01-31 | 2012-05-30 | 熊文俊 | 一种虚拟sim卡多号单/双模手机及其实现方法与系统 |
CN101222712B (zh) * | 2008-02-02 | 2010-09-08 | 代邦(江西)制卡有限公司 | 支持虚拟sim卡的移动终端及其用户身份认证方法 |
CN101222713A (zh) | 2008-02-04 | 2008-07-16 | 深圳华为通信技术有限公司 | 电量输出控制方法、装置和终端 |
US9009796B2 (en) * | 2010-11-18 | 2015-04-14 | The Boeing Company | Spot beam based authentication |
US8195234B2 (en) * | 2008-09-22 | 2012-06-05 | Mediatek Inc. | Methods for sharing mobility status between subscriber identity cards and systems utilizing the same |
KR20100068692A (ko) | 2008-12-15 | 2010-06-24 | 주식회사 케이티 | Imsi를 이용한 서비스 제공 시스템 및 방법 |
US9037112B2 (en) * | 2010-03-15 | 2015-05-19 | Samsung Electronics Co., Ltd. | Method and system for secured remote provisioning of a universal integrated circuit card of a user equipment |
US9100810B2 (en) * | 2010-10-28 | 2015-08-04 | Apple Inc. | Management systems for multiple access control entities |
US8555067B2 (en) | 2010-10-28 | 2013-10-08 | Apple Inc. | Methods and apparatus for delivering electronic identification components over a wireless network |
WO2012146282A1 (en) * | 2011-04-27 | 2012-11-01 | Telefonaktiebolaget L M Ericsson (Publ) | Authenticating a device in a network |
KR101937487B1 (ko) | 2011-06-22 | 2019-01-11 | 주식회사 케이티 | 내장 uicc를 갖는 단말, 단말의 개통 방법, 단말의 해지 방법, 단말 관리 서버, 단말 관리 서버의 단말 발주 방법, 및 단말 관리 서버의 단말 개통 방법 |
KR102001869B1 (ko) * | 2011-09-05 | 2019-07-19 | 주식회사 케이티 | eUICC의 프로파일 관리방법 및 그를 이용한 eUICC, eUICC 탑재 단말과, 프로비저닝 방법 및 MNO 변경 방법 |
CN102523578B (zh) * | 2011-12-09 | 2015-02-25 | 北京握奇数据系统有限公司 | 空中写卡方法、装置及系统 |
CN102769850B (zh) * | 2012-04-16 | 2015-10-28 | 中兴通讯股份有限公司 | 单卡多模多运营商鉴权方法及装置 |
ES2647088T3 (es) * | 2012-12-21 | 2017-12-19 | Giesecke+Devrient Mobile Security Gmbh | Procedimientos y dispositivos para la gestión de suscripciones OTA |
KR102138315B1 (ko) | 2013-05-30 | 2020-07-27 | 삼성전자주식회사 | 프로파일 설치를 위한 방법 및 장치 |
US9537659B2 (en) * | 2013-08-30 | 2017-01-03 | Verizon Patent And Licensing Inc. | Authenticating a user device to access services based on a device ID |
-
2014
- 2014-12-30 CN CN201410838428.3A patent/CN104519480B/zh not_active Expired - Fee Related
-
2015
- 2015-08-05 HK HK15107543.0A patent/HK1207233A1/zh not_active IP Right Cessation
- 2015-08-19 TW TW104126955A patent/TW201625029A/zh not_active IP Right Cessation
- 2015-11-24 SG SG10201509653XA patent/SG10201509653XA/en unknown
- 2015-11-25 AU AU2015261578A patent/AU2015261578B2/en not_active Ceased
- 2015-11-25 EP EP15196361.8A patent/EP3041189A1/en not_active Withdrawn
- 2015-11-27 CA CA2913456A patent/CA2913456C/en not_active Expired - Fee Related
- 2015-12-04 US US14/959,053 patent/US9723549B2/en not_active Expired - Fee Related
- 2015-12-10 RU RU2015153111A patent/RU2636679C2/ru not_active IP Right Cessation
- 2015-12-16 WO PCT/CN2015/097559 patent/WO2016107410A1/zh active Application Filing
- 2015-12-16 MY MYPI2015704593A patent/MY175039A/en unknown
- 2015-12-16 KR KR1020150180437A patent/KR101727414B1/ko active IP Right Grant
- 2015-12-22 JP JP2015249777A patent/JP2016127598A/ja active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006095216A1 (en) * | 2005-03-11 | 2006-09-14 | N-Tel Communications Limited | Communications method and system |
US20140148162A1 (en) * | 2011-05-23 | 2014-05-29 | Gigsky, Inc. | GLOBAL e-MARKETPLACE FOR MOBILE SERVICES |
CN102711096A (zh) * | 2012-05-30 | 2012-10-03 | 中国联合网络通信集团有限公司 | 空中写卡的方法、装置及终端 |
CN103716781A (zh) * | 2013-12-27 | 2014-04-09 | 北京大唐智能卡技术有限公司 | 一种实现移动终端智能卡写卡的方法、装置及系统 |
CN104519480A (zh) * | 2014-12-30 | 2015-04-15 | 悠游宝(天津)网络科技有限公司 | 通信控制装置、鉴权装置、中心控制装置及通信系统 |
CN105101163A (zh) * | 2015-07-22 | 2015-11-25 | 联通兴业通信技术有限公司 | 空中写卡的方法和装置 |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9723549B2 (en) | 2014-12-30 | 2017-08-01 | Youyoubao (Tianjin) Network Technology Co., Ltd. | Communication control apparatus, authentication device, central control apparatus and communication system |
Also Published As
Publication number | Publication date |
---|---|
US9723549B2 (en) | 2017-08-01 |
CN104519480A (zh) | 2015-04-15 |
RU2636679C2 (ru) | 2017-11-27 |
MY175039A (en) | 2020-06-03 |
TW201625029A (zh) | 2016-07-01 |
EP3041189A1 (en) | 2016-07-06 |
AU2015261578B2 (en) | 2017-03-09 |
KR101727414B1 (ko) | 2017-04-14 |
SG10201509653XA (en) | 2016-07-28 |
JP2016127598A (ja) | 2016-07-11 |
KR20160081798A (ko) | 2016-07-08 |
CA2913456A1 (en) | 2016-06-30 |
US20160192287A1 (en) | 2016-06-30 |
TWI563858B (zh) | 2016-12-21 |
HK1207233A1 (zh) | 2016-01-22 |
CN104519480B (zh) | 2016-02-17 |
AU2015261578A1 (en) | 2016-07-14 |
RU2015153111A (ru) | 2017-06-16 |
CA2913456C (en) | 2017-07-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2016107410A1 (zh) | 通信控制装置、鉴权装置、中心控制装置及通信系统 | |
CN106161359B (zh) | 认证用户的方法及装置、注册可穿戴设备的方法及装置 | |
JP2021036453A (ja) | ソフトウェアアプリケーションの信頼を最初に確立し、かつ定期的に確認するシステム及び方法 | |
JP5688458B2 (ja) | セキュリティ部品及び携帯通信装置において複数の加入者プロファイルを安全に使用するシステムと方法 | |
US8196188B2 (en) | Systems and methods for providing network credentials | |
US9445262B2 (en) | Authentication server, mobile terminal and method for issuing radio frequency card key using authentication server and mobile terminal | |
CN104093139B (zh) | 空中写卡方法、服务器和智能卡 | |
US8191124B2 (en) | Systems and methods for acquiring network credentials | |
CN104363250B (zh) | 一种用于设备连接的方法和系统 | |
US20140140507A1 (en) | Method for changing mno in embedded sim on basis of dynamic key generation and embedded sim and recording medium therefor | |
US20120300932A1 (en) | Systems and Methods for Encrypting Mobile Device Communications | |
WO2019199836A1 (en) | Secure communication using device-identity information linked to cloud-based certificates | |
KR20160101581A (ko) | 프로파일을 전달하는 방법과 이를 지원하는 전자 장치 | |
US8990960B2 (en) | Method for near field communication operation, a device and a system thereto | |
CN107979835B (zh) | 一种eSIM卡及其管理方法 | |
CN104205891A (zh) | 虚拟sim卡云平台 | |
US20150312758A1 (en) | Providing Network Credentials | |
KR20120046376A (ko) | 결제수단 관리 시스템 및 방법, 결제수단 관리를 위한 장치 및 단말 | |
JP2010503319A (ja) | ネットワーク信用証明書を獲得するためのシステムおよび方法 | |
KR101604927B1 (ko) | Nfc를 이용한 자동 접속 시스템 및 방법 | |
KR101365889B1 (ko) | 이동통신 단말기의 모바일 네트워크 보안 방법, 시스템 및 그 프로그램을 기록한 기록매체 | |
CN105635096A (zh) | 数据模块的访问方法、系统和终端 | |
US20230033931A1 (en) | Method, ledger and system for establishing a secure connection from a chip to a network and corresponding network | |
WO2024175747A1 (en) | Virtual subscriber identity module distribution | |
EP3267651A1 (en) | Method, device and system for storing securely data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15875088 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 15875088 Country of ref document: EP Kind code of ref document: A1 |