WO2017166976A1 - Method, device and system for issuing and verifying an application service - Google Patents

Method, device and system for issuing and verifying an application service

Info

Publication number
WO2017166976A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
service
terminal
operator
issuance request
Prior art date
Application number
PCT/CN2017/075760
Other languages
English (en)
Chinese (zh)
Inventor
冯春来
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2017166976A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • The present invention relates to the field of wireless communications, and in particular to a method, device and system for issuing and verifying an application service.
  • Since mobile phone numbers are already subject to legally mandated real-name registration, a user's mobile phone number is of great significance to that user.
  • A large number of personal mobile applications use the SMS verification code as the main auxiliary method of confirming the identity of the user's terminal during registration or service use.
  • Today's users hold a large number of user names and passwords across various applications, and forgotten passwords are very common; the usual password-recovery strategy is then to recover the account through an SMS verification code sent to the mobile phone.
  • Telecommunication application services such as Wi-Fi based voice (VoWiFi) and LTE-based voice (VoLTE), as well as over-the-top (OTT) application services provided over the Internet, offer users a variety of application services.
  • Service activation for an application service bound to the user's mobile phone number is mostly verified by sending an SMS verification code to the phone. The reasoning is that the SMS channel runs over the operator's channel, where the operator has already authenticated the subscriber, so only the phone holding the SIM for that number can receive the message; the check therefore resists impersonation.
  • The service provider sends an SMS verification code to the phone to confirm that the phone is present, and thereby to ensure that the service activation was initiated by the user to whom the mobile phone number belongs.
  • Embodiments of the invention provide a method, device and system for issuing and verifying an application service, so as to offer a reliable service-issuance verification solution that does not depend on mobile phone SMS.
  • A first aspect provides a method for issuing and verifying an application service, including:
  • when receiving a service issuance request, the terminal establishes a first secure channel with the operator authentication center, where the service issuance request carries a first Mobile Subscriber International ISDN Number (MSISDN), and the authentication center is located in the operator network;
  • the terminal acquires an authentication parameter used by the terminal for Extensible Authentication Protocol (EAP) authentication and transmits it over the first secure channel to the operator authentication center, which passes the authentication parameter to the authentication, authorization and accounting (AAA) server for EAP authentication; the AAA server is located in the operator network;
  • after the EAP authentication is passed, the terminal acquires a second MSISDN of the terminal;
  • when the first MSISDN carried in the service issuance request is the same as the second MSISDN, the terminal forwards the service issuance request to the application provider corresponding to the request through the operator authentication center.
  • The terminal acquiring an authentication parameter used for EAP authentication includes:
  • the terminal interacting with the subscriber identity module (SIM) embedded in the terminal to obtain the authentication parameter used for EAP authentication.
  • After the terminal forwards the service issuance request to the corresponding application provider through the operator authentication center, the method further includes:
  • the terminal tearing down the first secure channel with the operator authentication center.
  • The terminal acquiring the second MSISDN of the terminal includes:
  • the terminal interacting with the SIM embedded in the terminal to obtain the international mobile subscriber identity (IMSI) of the terminal and sending the IMSI to the operator authentication center over the first secure channel;
  • the operator authentication center sending the IMSI to the operator's business and operation support system (BOSS) to obtain the MSISDN corresponding to the IMSI, and returning that MSISDN to the terminal over the first secure channel.
  • The terminal forwarding the service issuance request to the corresponding application provider through the operator authentication center includes: the terminal sending the request to the operator authentication center over the first secure channel, and the authentication center forwarding it to the application provider over a second secure channel between the authentication center and that application provider.
  • A second aspect provides a method for issuing and verifying an application service, including:
  • the operator authentication center establishes a first secure channel with the terminal and, over the first secure channel, receives an authentication parameter sent by the terminal for a received service issuance request, where the authentication parameter is used for EAP authentication between the terminal and the AAA server;
  • the operator authentication center transmits the authentication parameter to the AAA server for EAP authentication, the AAA server being located in the operator network;
  • after the EAP authentication is passed, the operator authentication center receives the service issuance request sent by the terminal and sends it to the application provider corresponding to the request.
  • Before the operator authentication center receives the service issuance request sent by the terminal, the method further includes:
  • the operator authentication center receiving, over the first secure channel, the IMSI of the terminal sent by the terminal, sending the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI, and sending that MSISDN to the terminal over the first secure channel.
  • The operator authentication center receiving the service issuance request sent by the terminal and sending it to the corresponding application provider includes:
  • the operator authentication center receiving the service issuance request from the terminal over the first secure channel and forwarding it to the corresponding application provider over a second secure channel between the operator authentication center and that application provider.
  • A third aspect provides an apparatus for issuing and verifying an application service, including:
  • an establishing unit configured to, when a service issuance request is received, establish a first secure channel with the operator authentication center, where the service issuance request carries a first MSISDN and the authentication center is located in the operator network;
  • a processing unit configured to obtain an authentication parameter of the apparatus for EAP authentication and transmit it over the first secure channel to the operator authentication center, which passes the authentication parameter to the AAA server for EAP authentication, the AAA server being located in the operator network; to acquire, after the EAP authentication is passed, a second MSISDN of the apparatus; and,
  • when the first MSISDN is the same as the second MSISDN, to forward the service issuance request through the operator authentication center to the application provider corresponding to the request.
  • When the processing unit acquires the authentication parameter used for EAP authentication, it is specifically configured to interact with the SIM embedded in the apparatus to obtain that parameter.
  • After the processing unit forwards the service issuance request to the corresponding application provider through the operator authentication center, the establishing unit is further configured to:
  • tear down the first secure channel with the operator authentication center.
  • When the processing unit acquires the second MSISDN of the apparatus, it is specifically configured to: interact with the embedded SIM to obtain the IMSI of the apparatus, send the IMSI to the operator authentication center over the first secure channel, and receive over that channel the MSISDN that the authentication center obtained for the IMSI from the operator BOSS.
  • When the processing unit forwards the service issuance request to the corresponding application provider through the operator authentication center, it is specifically configured to:
  • send the service issuance request to the operator authentication center over the first secure channel, so that the authentication center forwards it to the application provider over a second secure channel between the authentication center and that application provider.
  • A fourth aspect provides a device for issuing and verifying an application service, including:
  • a transceiver unit configured to establish a first secure channel with the terminal and, over the first secure channel, receive an authentication parameter sent by the terminal for a received service issuance request, where the authentication parameter is used for EAP authentication between the terminal and the AAA server;
  • an authentication unit configured to pass the authentication parameter to the AAA server for Extensible Authentication Protocol (EAP) authentication, where the AAA server is located in the operator network;
  • the transceiver unit is further configured to, after the EAP authentication is passed, receive the service issuance request sent by the terminal and send it to the application provider corresponding to the request.
  • The transceiver unit is further configured to, before receiving the service issuance request sent by the terminal:
  • receive over the first secure channel the IMSI of the terminal sent by the terminal, send the IMSI to the operator BOSS to acquire the MSISDN corresponding to the IMSI, and transmit that MSISDN to the terminal over the first secure channel.
  • When the transceiver unit receives the service issuance request sent by the terminal and sends it to the corresponding application provider, it is specifically configured to:
  • receive the service issuance request from the terminal over the first secure channel and forward it to the corresponding application provider over a second secure channel between the device and that application provider.
  • A fifth aspect provides a terminal device comprising a processor, a memory, a transmitter and a receiver, where the memory stores a computer-readable program and the processor runs the program in the memory and controls the transmitter and the receiver to implement the method for issuing and verifying an application service of the first aspect.
  • A sixth aspect provides a server device comprising a processor, a memory and a transceiver, where the memory stores a computer-readable program and the processor runs the program in the memory and controls the transceiver to implement the method for issuing and verifying an application service of the second aspect.
  • A seventh aspect provides a system for issuing and verifying an application service, including a first device and a second device, where the first device is the apparatus of the third aspect or the terminal device of the fifth aspect, and the second device is the device of the fourth aspect or the server device of the sixth aspect.
  • In the embodiments, when the terminal receives a service issuance request carrying a first MSISDN, it establishes a first secure channel with the operator authentication center, obtains its authentication parameter and passes it to the operator authentication center, which transmits it to the AAA server for EAP authentication; after the EAP authentication is passed, the terminal acquires a second MSISDN of the terminal.
  • When the first MSISDN is the same as the second MSISDN, the terminal forwards the service issuance request to the corresponding application provider through the operator authentication center. Compared with the prior art, in which an SMS verification code is used when the application service is issued, the application service provider no longer needs the operator to send an SMS verification code to the terminal. This removes the dependence on SMS, reduces the cost of deploying the application service, and reduces the development difficulty on the operator's service side.
  • FIG. 1 is a schematic diagram of an application service issuance and verification system according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a network side device according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a method for issuing and verifying an application service according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for issuing and verifying an application service in one application scenario according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a method for issuing and verifying an application service in another application scenario according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of an apparatus for issuing and verifying an application service on the terminal side according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a device for issuing and verifying an application service on the network side according to an embodiment of the present invention.
  • Embodiments of the invention provide a method and device for issuing and verifying an application service, anticipating that once SMS is phased out, a trusted terminal authentication solution that does not depend on mobile phone SMS will be needed to protect the self-service issuance of APP services.
  • The solution is required to provide the same degree of trust as SMS-based authentication, and does so by means of an Internet-based trusted authentication carried over the Wi-Fi network the terminal is attached to.
  • As shown in FIG. 1, an embodiment of the present invention provides an application service issuance and verification system, including a terminal 11 running an authentication application, an operator authentication center 12, and an authentication, authorization and accounting (AAA) server 13.
  • The terminal 11 is configured to establish a first secure channel with the operator authentication center 12 when receiving a service issuance request, where the request carries a first Mobile Subscriber International ISDN Number (MSISDN); to obtain an authentication parameter of the terminal for Extensible Authentication Protocol (EAP) authentication and transmit it over the first secure channel to the operator authentication center 12, which transmits it to the AAA server 13 for EAP authentication; after the EAP authentication is passed, to acquire a second MSISDN of the terminal; and,
  • when the first MSISDN is the same as the second MSISDN, to forward the service issuance request through the operator authentication center 12 to the application provider corresponding to the request.
  • The operator authentication center 12 is configured to establish the first secure channel with the terminal 11 and receive over it the authentication parameter sent by the terminal 11 for the received service issuance request, where the authentication parameter is used for EAP authentication between the terminal and the AAA server 13; to transmit the authentication parameter to the AAA server 13 for EAP authentication; and, after the EAP authentication is passed, to receive the service issuance request sent by the terminal and send it to the application provider corresponding to the request.
  • As shown in FIG. 2, an embodiment of the present invention provides a terminal device 200, which may be a mobile phone or a tablet computer that accepts a Subscriber Identity Module (SIM) card.
  • FIG. 2 shows a block diagram of the terminal device 200, which includes a processor 201 and a memory 202 and, optionally, an input unit, a display unit, a gravity acceleration sensor, a proximity light sensor and the like, according to some embodiments.
  • FIG. 2 is only an example of the terminal device 200 and does not limit it; the terminal device may include more or fewer components than illustrated, combine some components, or use different components.
  • The input unit is operative to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the device.
  • The input unit can include a touch screen as well as other input devices.
  • The touch screen may collect touch operations by the user on or near it (such as operations with a finger, a knuckle or a stylus on or near the touch screen) and drive the corresponding connected device according to a preset program.
  • The touch screen can detect the user's touch action, convert it into a touch signal and send the signal to the processor 201, and can receive and execute commands sent by the processor 201; the touch signal includes at least touch point coordinate information.
  • The touch screen may provide an input interface and an output interface between the terminal device 200 and the user.
  • Touch screens can be implemented in various types, such as resistive, capacitive, infrared and surface acoustic wave.
  • The input unit may also include other input devices.
  • Other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (such as a volume control button or a power button), a trackball, a mouse, a joystick and the like.
  • The display unit of the terminal device 200 can be used to display information input by the user or provided to the user, and the various menus of the terminal device 200.
  • The touch screen may cover the display panel; when the touch screen detects a touch operation on or near it, it passes the event to the processor 201 to determine the type of touch event, and the processor 201 then provides the corresponding visual output on the display panel according to that type.
  • In this embodiment the touch screen and the display unit can be integrated into one component to implement the input, output and display functions of the terminal device 200. The embodiments of the invention use the touch screen to represent the combined functions of the touch screen and the display unit; in other embodiments the touch screen and the display unit can also function as two separate components.
  • The gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally three axes) and, when the terminal is stationary, the magnitude and direction of gravity; it can be used for gesture recognition (such as landscape/portrait switching, related games and magnetometer attitude calibration) and vibration-related functions (such as a pedometer or tap detection). In embodiments of the invention the gravity acceleration sensor is used to acquire the gravitational acceleration along the z axis when the user's touch contacts the touch screen.
  • The terminal device 200 may also include one or more proximity light sensors for turning off and disabling the touch screen when the terminal device 200 is close to the user (for example near the ear during a call), to avoid erroneous operation of the touch screen.
  • The terminal device 200 may also include one or more ambient light sensors for keeping the touch screen off when the terminal device 200 is in the user's pocket or another dark place, to prevent unnecessary battery consumption while locked.
  • The proximity light sensor and the ambient light sensor may be integrated into one component or provided as two separate components.
  • The terminal device 200 can also be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, which are not described further here.
  • Although FIG. 2 shows the proximity light sensor and the ambient light sensor, they do not belong to the essential configuration of the terminal device 200 and may be omitted as needed without changing the essence of the invention.
  • The memory 202 can be used to store instructions and data and may include an instruction storage area and a data storage area; the data storage area can store the association between touch gestures and application functions, and the instruction storage area can store an operating system and the instructions required for at least one function. The instructions may cause the processor 201 to perform the following method: when receiving a service issuance request, establish a first secure channel with the operator authentication center, where the service issuance request carries a first MSISDN and the authentication center is located in the operator network; obtain the authentication parameter used by the terminal device 200 for EAP authentication and transmit it over the first secure channel to the operator authentication center, which transmits it to the AAA server for EAP authentication, the AAA server being located in the operator network; after the EAP authentication is passed, acquire a second MSISDN of the terminal; and, when the first MSISDN carried in the service issuance request is the same as the second MSISDN, forward the service issuance request through the operator authentication center to the application provider corresponding to the request.
  • The processor 201 is the control center of the terminal device 200; it connects the various parts of the whole device through various interfaces and lines, and performs the functions of the terminal device 200 and processes data by running or executing instructions stored in the memory 202 and calling data stored in the memory 202.
  • The processor 201 may include one or more processing units; preferably, the processor 201 integrates an application processor, which mainly handles the operating system, user interface and applications, and a modem processor, which mainly handles wireless communication. The modem processor may also be left outside the processor 201.
  • The processor and the memory can be implemented on a single chip or, in some embodiments, on separate chips.
  • The processor 201 is further configured to invoke instructions in the memory to implement terminal authentication verification in the application service issuance process.
  • The code corresponding to the method shown in FIG. 4 is burned into the chip, so that at run time the chip can perform the terminal's operations in the method shown in FIG. 4.
  • How to design and program the processor is well known to those skilled in the art and is not described here.
  • The radio frequency unit can be used to receive and transmit signals during the sending and receiving of information or during a call; in particular, downlink data received from a base station is passed to the processor 201 for processing, and uplink data is sent to the base station.
  • RF circuits include, but are not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer and the like.
  • The radio frequency unit can communicate with network devices and other devices through wireless communication.
  • The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), etc.
  • An audio circuit, a speaker and a microphone can provide an audio interface between the user and the terminal device 200.
  • The audio circuit can transmit the electrical signal converted from received audio data to the speaker, which converts it into a sound signal for output; conversely, the microphone converts a collected sound signal into an electrical signal, which the audio circuit receives and converts into audio data.
  • The audio data is output to the processor 201 for processing and then sent, for example, to another terminal via the radio frequency unit, or output to the memory 202 for further processing.
  • The audio circuit may also include a headphone jack 163 providing an interface between the audio circuit and a headset.
  • Wi-Fi is a short-range wireless transmission technology.
  • Through the Wi-Fi module, the terminal device 200 can help users send and receive e-mail, browse web pages and access streaming media, providing wireless broadband Internet access.
  • Although FIG. 2 shows the Wi-Fi module, it does not belong to the essential configuration of the terminal device 200 and may be omitted as needed without changing the essence of the invention.
  • Bluetooth is a short-range wireless communication technology. Bluetooth can effectively simplify communication between mobile terminal devices such as handheld computers, notebook computers and mobile phones, and between these devices and the Internet.
  • With the Bluetooth module, data transmission between the terminal device 200 and the Internet becomes faster and more efficient, broadening the road for wireless communication.
  • Bluetooth technology is an open solution for wireless transmission of voice and data.
  • Although FIG. 2 shows the Bluetooth module, it does not belong to the essential configuration of the terminal device 200 and may be omitted as needed without changing the essence of the invention.
  • The terminal device 200 also includes a power source (such as a battery) that supplies power to the various components.
  • The power source can be logically coupled to the processor 201 through a power management system 194, which manages charging, discharging and power consumption.
  • The terminal device 200 further includes an external interface, which may be a standard Micro USB interface or a multi-pin connector, used to connect the terminal device 200 to other devices for communication or to connect a charger for charging the terminal device 200.
  • The terminal device 200 may further include a camera, a flash and the like, which are not described further here.
  • As shown in FIG. 3, an embodiment of the present invention provides a network side device 300.
  • The device 300 includes a processor 301 and a memory 302.
  • The program code for executing the solution of the present invention is stored in the memory 302 and executed under the control of the processor 301.
  • The program stored in the memory 302 instructs the processor 301 to perform the method for issuing and verifying an application service, including: establishing a first secure channel with the terminal and receiving over it the authentication parameter sent by the terminal for a received service issuance request, where the authentication parameter is used for Extensible Authentication Protocol (EAP) authentication between the terminal and the AAA server; transmitting the authentication parameter to the AAA server for EAP authentication, the AAA server being located in the operator network; and, after the EAP authentication is passed, receiving the service issuance request sent by the terminal and sending it to the application provider corresponding to the request.
  • The processor of the device 300 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits.
  • The device includes one or more memories, which may be read-only memory (ROM) or another type of static storage device that stores static information and instructions, random access memory (RAM) or another type of dynamic storage device that stores information and instructions, or disk storage. These memories are connected to the processor via a bus.
  • A memory such as a RAM holds an operating system and the program for executing the solution of the invention.
  • The operating system is a program that controls the running of other programs and manages system resources.
  • These memories can be connected to the processor via a bus or via dedicated connection lines.
  • The code corresponding to the method shown in FIG. 4 is burned into the chip, so that at run time the chip can perform the operator authentication center's operations in the method shown in FIG. 4.
  • How to design and program the processor is well known to those skilled in the art and is not described here.
  • an embodiment of the present invention provides a method for issuing and verifying an application service, and the process of the method is as follows.
  • Step 41: The terminal receives a service issuance request, where the service issuance request carries the first MSISDN.
  • the first MSISDN may be the MSISDN obtained from the user information entered by the user, and the first MSISDN and the application involved in the service issuance request are bound one to one.
  • Step 42: The terminal establishes a first secure channel with the operator authentication center.
  • the first secure channel is a secure connection channel based on the Transport Layer Security (TLS) protocol.
  • Step 43: The terminal acquires the authentication parameter it uses for EAP authentication and transmits it, through the operator authentication center, to the AAA server for the EAP authentication process.
  • the terminal transmits the authentication parameter to the operator authentication center over the first secure channel, and the operator authentication center forwards it to the AAA server for EAP authentication.
  • Step 44: After the EAP authentication passes, the terminal acquires the second MSISDN of the terminal.
  • the terminal interacts with the subscriber identity module (SIM) embedded in the terminal to obtain the international mobile subscriber identity (IMSI) of the terminal and sends the IMSI to the operator authentication center; the operator authentication center sends the IMSI to the operator's Business & Operation Support System (BOSS) to obtain the MSISDN corresponding to the IMSI, and returns that MSISDN to the terminal as the second MSISDN.
  • Step 45: When the first MSISDN is the same as the second MSISDN, the terminal forwards the service issuance request, through the operator authentication center, to the application provider corresponding to the request.
  • the terminal sends the service issuance request to the operator authentication center over the first secure channel, and the operator authentication center forwards it over the second secure channel to the application provider corresponding to the request.
  • the operator authentication center establishes a second secure channel with each application provider in the configuration phase; the second secure channel is a TLS-based secure connection channel.
  • the method of FIG. 4 is described below, taking a mobile phone as the terminal.
  • the specific application scenario is as follows: an operator authentication center is deployed on the operator side and a client authentication application is deployed on the mobile terminal; a trusted secure channel is established over the Internet between the mobile terminal and the operator authentication center; the client authentication application obtains the authentication parameters of the mobile terminal and transmits them to the AAA server on the operator side, which performs EAP authentication of the terminal; after the authentication passes, the client authentication application obtains the second MSISDN of the mobile terminal, matches it against the first MSISDN carried in the service issuance request, and confirms that the service issuance request is verified when they match. This removes the dependence on mobile phone text-message verification.
  • in scenario 1, the authentication APP running under the mobile phone operating system interacts with the operator authentication center to deliver an APP service, where the APP service is one provided over the Internet by an over-the-top (OTT) application. See FIG. 5.
  • Step 51: A secure channel is established between the operator authentication center and the APP provider; here a long-lived connection based on TLS is established.
  • Step 52: The application APP on the mobile phone client initiates a self-service issuance request and sends it to the authentication APP on the mobile phone client. The service issuance request carries the mobile phone number bound to the application APP.
  • Step 53: The authentication APP on the mobile phone client establishes a secure channel over the Internet to the operator authentication center; here a long-lived connection based on TLS is established.
  • Step 54: The authentication APP on the mobile phone client obtains the required system privilege through cooperation with the mobile phone operating system vendor, and uses that interface to interact with the SIM card of the phone and perform EAP-AKA authentication, which establishes whether the SIM card is genuine.
  • Step 55: When the EAP-AKA authentication passes, the authentication APP on the mobile phone client obtains the real mobile phone number of the phone from the operator BOSS through the operator authentication center.
  • Step 56: When the mobile phone number bound to the application APP is the same as the real mobile phone number of the phone, the authentication APP on the mobile phone client forwards the self-service issuance request to the operator authentication center.
  • Step 57: The operator authentication center sends the self-service issuance request to the APP provider over the secure channel it holds with the APP provider.
  • Step 58: The secure channel established between the authentication APP on the mobile phone client and the operator authentication center is torn down.
  • Step 59: The APP provider receives the user's self-service issuance request and, after the service has been issued, may notify the mobile phone system vendor with a service issuance success message.
  • Step 510: The mobile phone system vendor sends a push message to the mobile phone through its push message server, reporting that the service was issued successfully.
  • in this flow the APP provider does not need to verify the authenticity of the user terminal itself, so no SMS verification code needs to be sent to the user terminal.
  • in scenario 2, the application provider of the application service is the operator's BOSS system; the self-service issuance process is shown in FIG. 6.
  • Step 61: The application APP on the mobile phone client, provided by the operator, initiates a self-service issuance request and sends it to the authentication APP on the mobile phone client.
  • Step 62: The authentication APP on the mobile phone client establishes a secure channel over the Internet to the operator authentication center; here a long-lived connection based on TLS is established.
  • Step 63: The authentication APP on the mobile phone client obtains the required system privilege through cooperation with the mobile phone operating system vendor, and uses that interface to interact with the SIM card of the phone and perform EAP-AKA authentication, which establishes whether the SIM card is genuine.
  • Step 64: When the EAP-AKA authentication passes, the authentication APP on the mobile phone client obtains the real mobile phone number of the phone from the operator BOSS through the operator authentication center.
  • Step 65: When the mobile phone number bound to the application APP is the same as the real mobile phone number of the phone, the authentication APP on the mobile phone client forwards the self-service issuance request to the APP provider, which here is the operator BOSS system.
  • Step 66: The secure channel established between the authentication APP on the mobile phone client and the operator authentication center is torn down.
  • Step 67: After receiving the user's self-service issuance request, the operator BOSS system issues the service and, once the service has been issued, sends a service issuance success message to the operator authentication center.
  • Step 68: The operator authentication center sends the service issuance success message to the mobile phone system vendor.
  • Step 69: The mobile phone system vendor sends a push message to the mobile phone through its push message server, reporting that the service was issued successfully.
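As an added example (not code from the patent, and not Huawei's implementation), the following Python models the exchange of FIG. 4 steps 41-45 and the scenarios of FIG. 5 and FIG. 6 end to end, with every party as an in-process object. It assumes that the TLS channels can be represented by method calls keyed by a session id, that EAP-AKA can be reduced to a challenge/response built from HMAC-SHA256 in place of the Milenage functions, that the BOSS is a dictionary, and that the IMSI, key, phone numbers and provider are constructed test data. It goes beyond the text in two places, both marked in the code: the operator authentication center refuses to resolve any IMSI other than the one that passed EAP on the same channel, and it repeats the first-MSISDN/second-MSISDN comparison itself before forwarding rather than relying only on the terminal's check.

```python
"""Added example, not code from the patent or from Huawei: an in-process
simulation of the flow of FIG. 4 (steps 41-45) and FIG. 5/6. TLS channels are
method calls keyed by a session id; EAP-AKA uses HMAC-SHA256 standing in for
the Milenage functions (an assumption); all keys and numbers are test data."""
import hashlib
import hmac
import secrets


def prf(key, *parts):
    """Stand-in for the AKA f-functions: keyed hash over the joined parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Sim:
    """USIM in the terminal: holds the IMSI and the long-term key K."""
    def __init__(self, imsi, k):
        self.imsi, self.k = imsi, k

    def run_aka(self, rand, autn):
        # Mutual authentication: no RES is released for a challenge that was
        # not built with our K, which is what rejects a rogue network.
        if not hmac.compare_digest(autn, prf(self.k, b"autn", rand)):
            raise ValueError("AUTN check failed")
        return prf(self.k, b"res", rand)[:16]


class AaaServer:
    """Operator AAA: knows K per IMSI and runs the server side of EAP-AKA."""
    def __init__(self, subscribers):
        self.subscribers = subscribers      # imsi -> K
        self.pending = {}                   # imsi -> expected XRES

    def challenge(self, imsi):
        k = self.subscribers[imsi]          # KeyError for an unknown IMSI
        rand = secrets.token_bytes(16)
        self.pending[imsi] = prf(k, b"res", rand)[:16]
        return rand, prf(k, b"autn", rand)

    def verify(self, imsi, res):
        xres = self.pending.pop(imsi, None) # one-shot: a RES cannot be replayed
        return xres is not None and hmac.compare_digest(xres, res)


class OperatorAuthCenter:
    """Relays EAP to the AAA, resolves IMSI -> MSISDN via BOSS, forwards."""
    def __init__(self, aaa, boss, providers):
        self.aaa, self.boss, self.providers = aaa, boss, providers
        self.sessions = {}                  # session id -> {"imsi", "msisdn"}

    def open_channel(self):                 # steps 42 / 53: first secure channel
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"imsi": None, "msisdn": None}
        return sid

    def eap_challenge(self, sid, imsi):     # step 43: relayed to the AAA
        return self.aaa.challenge(imsi)

    def eap_response(self, sid, imsi, res):
        ok = self.aaa.verify(imsi, res)
        if ok:
            self.sessions[sid]["imsi"] = imsi   # bind the authenticated IMSI
        return ok

    def resolve_msisdn(self, sid, imsi):    # steps 44 / 55: BOSS lookup
        # Added check (not in the patent text): only the IMSI that passed EAP
        # on this channel may be resolved to a number.
        if self.sessions[sid]["imsi"] != imsi:
            raise PermissionError("IMSI was not authenticated on this channel")
        self.sessions[sid]["msisdn"] = self.boss[imsi]
        return self.sessions[sid]["msisdn"]

    def forward(self, sid, request):        # steps 45 / 56-57: second channel
        # Added check: the centre repeats the comparison the terminal made.
        if self.sessions[sid]["msisdn"] != request["msisdn"]:
            raise PermissionError("first MSISDN does not match the BOSS MSISDN")
        return self.providers[request["app"]](request)

    def close_channel(self, sid):           # steps 58 / 66
        self.sessions.pop(sid, None)


def issue_service(sim, center, request):
    """Terminal-side authentication APP: steps 41-45 of FIG. 4."""
    sid = center.open_channel()
    try:
        rand, autn = center.eap_challenge(sid, sim.imsi)
        res = sim.run_aka(rand, autn)
        if not center.eap_response(sid, sim.imsi, res):
            return "rejected: EAP-AKA failed"
        if request["msisdn"] != center.resolve_msisdn(sid, sim.imsi):
            return "rejected: MSISDN mismatch"   # first MSISDN != second MSISDN
        return center.forward(sid, request)
    except (ValueError, KeyError, PermissionError) as exc:
        return f"rejected: {exc}"
    finally:
        center.close_channel(sid)


# Constructed fixture: one subscriber, one OTT provider recording what it issued.
K, IMSI, ISSUED = bytes(range(16)), "460001234567890", []
CENTER = OperatorAuthCenter(AaaServer({IMSI: K}), {IMSI: "+8613800000001"},
                            {"ott-app": lambda r: ISSUED.append(r) or "issued"})
SIM = Sim(IMSI, K)
```

Calling `issue_service(SIM, CENTER, {"app": "ott-app", "msisdn": "+8613800000001"})` returns `"issued"` and the provider sees the request; a request carrying any other number is refused at the terminal and, if it were sent anyway, at the center; a SIM holding the wrong key fails the AUTN check before any RES is released, which is the EAP-AKA mutual-authentication property that makes the genuineness of the SIM the root of the whole check. The session is torn down in every path, matching step 58/66.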
  • FIG. 7 is a schematic structural diagram of a device 700 according to an embodiment of the present invention. As shown in FIG. 7, the device 700 includes an establishing unit 701 and a processing unit 702, where:
  • the establishing unit 701 is configured to establish, when a service issuance request is received, a first secure channel with the operator authentication center, where the service issuance request carries a first mobile station international subscriber directory number (MSISDN) and the operator authentication center is located in the operator network;
  • the processing unit 702 is configured to obtain the authentication parameter used by the device for Extensible Authentication Protocol (EAP) authentication and to transmit it over the first secure channel to the operator authentication center, which passes it to the authentication, authorization and accounting (AAA) server for EAP authentication, the AAA server being located in the operator network; to obtain, after the EAP authentication passes, the second MSISDN of the device; and, when the first MSISDN is the same as the second MSISDN, to forward the service issuance request through the operator authentication center to the application provider corresponding to the request.
  • the processing unit 702 is configured to obtain the authentication parameter used by the device for EAP authentication, and is specifically configured to:
  • the establishing unit 701 is further configured to tear down the first secure channel between the device and the operator authentication center.
  • when the processing unit 702 acquires the second MSISDN of the device, it is specifically configured to obtain the international mobile subscriber identity (IMSI) of the device and send it to the operator authentication center, and the operator authentication center sends the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI.
  • when the processing unit 702 forwards the service issuance request through the operator authentication center to the application provider corresponding to the request, it is specifically configured to send the service issuance request to the operator authentication center, which forwards it to the application provider corresponding to the request.
  • the device 700 involved in the above embodiments may be a separate component or integrated into other components.
  • an embodiment of the present invention provides an application service issuance verification device 800, which can perform the operations of the operator authentication center in the method shown in FIG. 4.
  • the device 800 may be the device described in FIG. 3, and FIG. 8 is a schematic structural diagram of the device 800 according to the embodiment of the present invention.
  • the device 800 includes a transceiver unit 801 and an authentication unit 802, where:
  • the transceiver unit 801 is configured to establish a first secure channel with the terminal and to receive, over the first secure channel, the authentication parameter that the terminal sends for the service issuance request it received, where the authentication parameter is used for Extensible Authentication Protocol (EAP) authentication between the terminal and the AAA server;
  • the authentication unit 802 is configured to pass the authentication parameter to the AAA server for EAP authentication, where the AAA server is located in the operator network;
  • the transceiver unit 801 is further configured to receive, after the EAP authentication passes, the service issuance request sent by the terminal and to send it to the application provider corresponding to the request.
  • before receiving the service issuance request sent by the terminal, the transceiver unit 801 is further configured to receive, over the first secure channel, the international mobile subscriber identity (IMSI) of the terminal sent by the terminal, send the IMSI to the operator BOSS, obtain the MSISDN corresponding to the IMSI, and transmit that MSISDN to the terminal over the first secure channel.
  • when the transceiver unit 801 receives the service issuance request sent by the terminal and sends it to the application provider corresponding to the request, it is specifically configured to:
  • the device 800 involved in the above embodiments may be a separate component or integrated into other components.
  • when the terminal receives a service issuance request, it establishes a first secure channel with the operator authentication center, where the service issuance request carries the first MSISDN and the operator authentication center is located in the operator network; the terminal obtains the authentication parameter it uses for EAP authentication and transmits it over the first secure channel to the operator authentication center, which passes it to the AAA server for EAP authentication, the AAA server being located in the operator network; after the EAP authentication passes, the terminal obtains the second MSISDN of the terminal; and when the first MSISDN is the same as the second MSISDN, the service issuance request is forwarded through the operator authentication center to the application provider corresponding to the request.
  • embodiments of the present invention can be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) that contain computer-usable program code.
  • the computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction apparatus, and the instruction apparatus implements the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
  • these computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a method, device and system for issuing and verifying an application service, so as to provide a reliable service issuance and verification solution that does not depend on mobile phone short messages. The method includes the following operations: a terminal, on receiving a service issuance request, establishes a first secure channel with an operator authentication center, the service issuance request carrying a first MSISDN; the terminal acquires an authentication parameter, transmits it to the operator authentication center, which passes it to an AAA server for EAP authentication, and, after the EAP authentication succeeds, acquires a second MSISDN of the terminal; when the first MSISDN and the second MSISDN are the same, the terminal forwards the service issuance request, through the operator authentication center, to the application provider to which the request corresponds. In this way, when an application service is issued, no short-message verification code needs to be sent to the terminal, eliminating the dependence on short messages.
PCT/CN2017/075760 2016-03-30 2017-03-06 Method, device and system for issuing and verifying an application service WO2017166976A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610195162.4 2016-03-30
CN201610195162.4A CN105744520B (zh) 2016-03-30 2016-03-30 Application service issuance verification method, device and system

Publications (1)

Publication Number Publication Date
WO2017166976A1 true WO2017166976A1 (fr) 2017-10-05

Family

ID=56253562

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/075760 WO2017166976A1 (fr) 2016-03-30 2017-03-06 Method, device and system for issuing and verifying an application service

Country Status (2)

Country Link
CN (1) CN105744520B (fr)
WO (1) WO2017166976A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105744520B (zh) * 2016-03-30 2019-12-24 华为技术有限公司 Application service issuance verification method, device and system
CN107222861B (zh) * 2017-05-19 2020-10-09 珠海市魅族科技有限公司 Identity verification method, identity verification device, terminal and non-volatile storage medium
CN109903022B (zh) * 2018-10-25 2023-08-22 创新先进技术有限公司 Resource issuance method, apparatus, device and computer-readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729578A (zh) * 2008-10-27 2010-06-09 华为技术有限公司 Application service access authentication method and access authentication agent
CN102572815A (zh) * 2010-12-29 2012-07-11 中国移动通信集团公司 Method, system and apparatus for processing terminal application requests
WO2014094822A1 (fr) * 2012-12-17 2014-06-26 Telefonaktiebolaget L M Ericsson (Publ) Authentication of public land mobile networks to mobile stations
CN105744520A (zh) * 2016-03-30 2016-07-06 华为技术有限公司 Application service issuance verification method, device and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848434B (zh) * 2009-03-24 2013-10-09 华为技术有限公司 Device, service configuration management method and system
CN102075933B (zh) * 2009-11-19 2013-03-13 中国移动通信集团吉林有限公司 Method, system and related device for running application software on an intelligent terminal
CN102231746B (zh) * 2011-07-11 2014-03-12 华为技术有限公司 Method and terminal for verifying identification information
CN102724647B (zh) * 2012-06-06 2014-08-13 电子科技大学 Capability access authorization method and system

Also Published As

Publication number Publication date
CN105744520B (zh) 2019-12-24
CN105744520A (zh) 2016-07-06

Similar Documents

Publication Publication Date Title
US10637668B2 (en) Authentication method, system and equipment
US11488234B2 (en) Method, apparatus, and system for processing order information
WO2015101273A1 (fr) Security verification method, and related device and system
EP3605989A1 (fr) Information sending method, information receiving method, apparatus and system
AU2018421189B2 (en) Method for quickly opening application or application function, and terminal
WO2017118412A1 (fr) Key update method, apparatus and system
EP2798904B1 (fr) Simplified mobile communication device
CN107483213B (zh) Security authentication method, related apparatus and system
US9635018B2 (en) User identity verification method and system, password protection apparatus and storage medium
WO2017041599A1 (fr) Service processing method and electronic device
CN108920366B (zh) Sub-application debugging method, apparatus and system
CN110198301B (zh) Service data acquisition method, apparatus and device
US20170373869A1 (en) Method, apparatus, and system for providing specified communications service, and terminal
KR101304006B1 (ko) Communication system providing wireless authentication for private data access, and related methods
WO2015027712A1 (fr) Network access method for a mobile terminal, mobile terminal and terminal device
CN111542822A (zh) Electronic device and method for sharing screen data
CN108288154B (zh) Method and apparatus for launching a payment application, and mobile terminal
CN108881103B (zh) Method and apparatus for accessing a network
CN106550361B (zh) Data transmission method, device and computer-readable storage medium
CN108075899B (zh) Identity verification method, mobile terminal and computer-readable storage medium
CN105704712B (zh) Network resource sharing method, mobile terminal and server
CN104954126A (zh) Sensitive operation verification method, apparatus and system
CN109102297A (zh) Revocable payment method and apparatus
WO2017166976A1 (fr) Method, device and system for issuing and verifying an application service
CN106713319B (zh) Remote control method, apparatus and system between terminals, and mobile terminal

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17773007

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17773007

Country of ref document: EP

Kind code of ref document: A1