WO2017185458A1 - Method and device for generating and acquiring authorization for deleting isd-p domain - Google Patents

Publication number
WO2017185458A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
authorization
esim
domain
certificate issuer
Prior art date
Application number
PCT/CN2016/084071
Other languages
French (fr)
Chinese (zh)
Inventor
钟焰涛
傅文治
蒋罗
Original Assignee
宇龙计算机通信科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 宇龙计算机通信科技(深圳)有限公司

Classifications

    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04W - WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 - Network data management
    • H04W8/18 - Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04W - WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 - Network data management
    • H04W8/18 - Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183 - Processing at user equipment or user record carrier
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 - Protecting data
    • G06F21/604 - Tools and structures for managing or administering access control systems
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04W - WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 - Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 - Authentication

Definitions

  • the present invention relates to the field of mobile communications, and in particular, to a method and apparatus for generating and acquiring an authorization for deleting an ISD-P domain.
  • eSIM embedded Subscriber Identity Module
  • a multi-level security domain is set up on the eSIM card.
  • the ISD-P (Issuer Security Domain Profile) domain is configured on each security zone.
  • the multiple ISD-P domains are isolated from each other.
  • each ISD-P domain contains personalized data such as carrier file systems and policy control rules.
  • MNO Mobile Network Operator
  • ISD-P, MNO, and SM-DP (Subscription Manager Data Preparation)
  • the inventors of the present invention have found that the above problem arises because no "delete authorization" mechanism is set in the prior art, so the eSIM card can delete the ISD-P without obtaining a "delete authorization".
  • the present invention provides a method for obtaining an authorization for deleting an ISD-P domain, including:
  • the present invention also provides a method of generating an authorization for deleting an ISD-P domain, comprising:
  • the present invention also provides an apparatus for obtaining an authorization for deleting an ISD-P domain, including:
  • an authorization requesting module configured to send, to the mobile network operator, an instruction for obtaining authorization information, where the instruction is used to enable the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration domain;
  • an authorization receiving module configured to receive authorization information returned by the mobile network operator.
  • the present invention also provides an apparatus for generating an authorization for deleting an ISD-P domain, comprising:
  • An instruction receiving module configured to receive an instruction for obtaining authorization information issued by the subscription management data preparation
  • An authorization generation module configured to generate authorization information for deleting a certificate issuer security domain configuration domain according to the instruction
  • An authorization return module is configured to return the authorization information to the subscription management data preparation.
  • the method and system of the present invention implements a "delete authorization" mechanism, by which the security of deleting an ISD-P domain on an eSIM card can be effectively improved.
  • FIG. 1 is a flowchart of a method for obtaining an authorization for deleting an ISD-P domain in an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for generating an authorization for deleting an ISD-P domain in an embodiment of the present invention
  • FIG. 3 is a schematic diagram of interaction between an SM-DP and an MNO in an embodiment of the present invention
  • FIG. 4 is a schematic diagram of an apparatus for acquiring an authorization for deleting an ISD-P domain according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of an apparatus for generating an authorization for deleting an ISD-P domain according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of another apparatus for obtaining an authorization for deleting an ISD-P domain in an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of another apparatus for generating an authorization for deleting an ISD-P domain in an embodiment of the present invention.
  • the present invention provides a method and an apparatus for generating and acquiring an authorization for deleting an ISD-P domain. The invention is described in further detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to be limiting.
  • an embodiment of the present invention provides a method for acquiring an authorization for deleting an ISD-P domain, where the method is used for a subscription management data preparation (SM-DP) side, including:
  • S101 Send an instruction for acquiring authorization information to a mobile network operator (MNO), where the instruction is used to enable the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration (ISD-P) domain;
  • MNO mobile network operator
  • ISD-P certificate issuer security domain configuration
  • the SM-DP sends an instruction for obtaining the authorization information to the MNO, so that the MNO returns the authorization information, thereby implementing a "delete authorization" mechanism, and the mechanism can effectively improve the security of deleting the ISD-P domain on the eSIM card.
  • the foregoing method is further optimized. Specifically, the method further includes:
  • an instruction to request authorization is issued to the mobile network operator.
  • multiple authentication technologies can be used for identity authentication, including digital signature technology (that is, both parties send their own signatures to each other, let the other party authenticate their identity), and a cryptographic identity authentication protocol.
  • the identity authentication of the MNO can effectively prevent some security problems caused by some masquerading MNOs issuing authorization information to the SM-DP.
  • the foregoing method is further optimized. Specifically, the method further includes:
  • the request information carries eSIM identity information, location information of the certificate issuer security domain configuration domain, and identity information of the initiator of the deletion action initiated to the eSIM;
  • the eSIM identity information, the location information, and the initiator identity information are added to an instruction requesting authorization from the mobile network operator.
  • the MNO can determine whether the deletion action conforms to the predetermined rule according to the information in the instruction, and generates and returns the authorization information to the SM-DP only when the predetermined rule is met, thereby more effectively improving the security of deleting the ISD-P domain on the eSIM card.
  • the foregoing method is further optimized. Specifically, the method further includes:
  • the SM-DP is made more secure and efficient when deleting the ISD-P domain of the eSIM card.
  • the step of sending the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information includes:
  • the foregoing method is further optimized. Specifically, the method further includes:
  • the received authorization information is verified.
  • the SM-DP can be prevented from obtaining spoofed authorization information, thereby avoiding some unsafe deletion actions.
  • an embodiment of the present invention provides a method for generating an authorization for deleting an ISD-P domain, where the method is used on a mobile network operator side, including:
  • the MNO of the embodiment of the present invention, on receiving the instruction from the SM-DP, generates and returns authorization information for deleting a certificate issuer security domain configuration domain, thereby implementing a "delete authorization" mechanism, and the mechanism can effectively improve the security of deleting the ISD-P domain on the eSIM card.
  • the foregoing method is further optimized. Specifically, the method further includes:
  • authorization information for deleting the certificate issuer security domain configuration domain is generated.
  • the identity authentication of the SM-DP can effectively prevent some of the security problems caused by some spoofed SM-DPs issuing instructions to the MNO to obtain authorization information.
  • the foregoing method is further optimized. Specifically, the method further includes:
  • the received instructions are verified.
  • the security of deleting the ISD-P domain on the eSIM card is further improved.
  • the step of verifying the received instruction includes:
  • Step 1 parsing eSIM identity information, location information of the certificate issuer security domain configuration domain, and initiator identity information of the deletion action initiated by the eSIM from the instruction;
  • Step 2 Determine, according to the eSIM identity information, the location information, and the identity information of the initiator, whether the deletion action meets a predetermined rule;
  • the predetermined rule is not specifically limited and may be set arbitrarily according to the prior art. For example, in a specific implementation an initiator code may be set, and if the initiator code in the instruction is wrong, the predetermined rule is not met; alternatively, a correspondence between the location information code and the eSIM card may be set, and if the correspondence in the instruction does not match that correspondence, the predetermined rule is not met.
  • the eSIM identity information includes an integrated circuit card ID (ECCID) identity and an eUICC-ID identity of the eSIM.
  • ECCID integrated circuit card ID
  • the initiator identity information that initiates the delete action to the eSIM may be set to the form of an identity, and the initiator includes any one of an MNO, various applications, and a user (eg, a delete command issued by the user).
  • the location information of the certificate issuer security domain configuration domain includes at least one of path information and an ID identifier of the ISD-P.
  • Step 3 When it is determined that the predetermined rule is met, the authorization information for deleting the certificate issuer security domain configuration domain is generated.
  • the eSIM identity information, the location information, and the initiator identity information are used to determine whether the deletion action meets the predetermined rule, and the authorization information for deleting the certificate issuer security domain configuration domain is generated only when it does. This further improves the security of generating the authorization information, thereby improving the security of deleting the ISD-P domain on the eSIM card.
  • the foregoing method is further optimized. Specifically, the method further includes:
  • the confirmation deletion information is generated, and the confirmation deletion information, the eSIM identity information, the location information, and the initiator identity information are added to the generated authorization information.
  • the SM-DP can verify the authorization information by using the information in the authorization information, and further improve the security of deleting the ISD-P domain on the eSIM card.
  • Step 1 Both parties authenticate each other. Authentication can use a variety of authentication technologies, including digital signature technology (that is, both parties send their own signatures to each other so that the other party can authenticate their identity), cryptographic identity authentication protocols, and so on.
  • Step 2 If the authentication fails, terminate.
  • Step 3 The SM-DP requests authorization to delete the ISD-P.
  • the content of the sent request message includes: an integrated circuit card ID (ECCID) identifier of the eSIM, an eUICC-ID identifier, an ID identifier of the target ISD-P, and an identity identifier of the initiator of the deletion action.
  • ECCID integrated circuit card ID
  • Step 4 The MNO generates authorization information.
  • the authorization message shall include: all content sent by the SM-DP, a message confirming the deletion, and a signature over all of the above content and the confirmation information.
  • Step 5 The MNO sends the authorization information.
  • Step 6 The SM-DP receives and verifies the authorization information.
  • when the SM-DP verifies the authorization information from the MNO, it mainly verifies that the signature of the MNO is correct. If it is correct, it considers that the correct authorization has been received.
  • Step 7 If the SM-DP's verification of the authorization information fails, terminate.
  • an embodiment of the present invention provides an apparatus for acquiring an authorization for deleting an ISD-P domain, and an apparatus embodiment corresponding to the first embodiment, where the apparatus is used for a subscription management data preparation side, including:
  • an authorization requesting module configured to send, to the mobile network operator, an instruction for obtaining authorization information, where the instruction is used to enable the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration domain;
  • an authorization receiving module configured to receive authorization information returned by the mobile network operator.
  • the MNO implements a “delete authorization” mechanism by using the authorization request module and the authorization receiving module, and the mechanism can effectively improve the security of deleting the ISD-P domain on the eSIM card.
  • the device is further optimized. Specifically, the device further includes:
  • An identity authentication module configured to perform identity authentication on the mobile network operator
  • the authorization request module is triggered to issue an instruction requesting authorization to the mobile network operator.
  • the device is further optimized. Specifically, the device further includes:
  • An information receiving module configured to receive request information, sent by an eSIM card, for deleting a certificate issuer security domain configuration domain; the request information carries eSIM identity information, location information of the certificate issuer security domain configuration domain, and identity information of the initiator of the deletion action initiated to the eSIM;
  • an information adding module configured to add the eSIM identity information, the location information, and the initiator identity information to an instruction requesting authorization from the mobile network operator.
  • the device is further optimized. Specifically, the device further includes:
  • an authorization deletion module configured to send the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information.
  • the authorization deletion module is specifically configured to parse the eSIM identity information, the location information of the certificate issuer security domain configuration domain, and the confirmation deletion information from the obtained authorization information.
  • the device is further optimized. Specifically, the device further includes:
  • An authorization verification module is configured to verify the received authorization information.
  • an embodiment of the present invention provides an apparatus for generating an authorization for deleting an ISD-P domain, and an apparatus embodiment corresponding to the second embodiment, where the apparatus is used by a mobile network operator side, including:
  • An instruction receiving module configured to receive an instruction for obtaining authorization information issued by the subscription management data preparation
  • An authorization generation module configured to generate authorization information for deleting a certificate issuer security domain configuration domain according to the instruction
  • An authorization return module is configured to return the authorization information to the subscription management data preparation.
  • the MNO of the embodiment of the present invention implements a mechanism for deleting an authorization by using an instruction receiving module, an authorization generating module, and an authorization returning module.
  • the mechanism can effectively improve the security of deleting an ISD-P domain on an eSIM card.
  • the device is further optimized. Specifically, the device further includes:
  • An identity authentication unit configured to perform identity authentication on the subscription management data preparation
  • After the authentication is passed, the authorization generation module is triggered to generate authorization information for deleting the certificate issuer security domain configuration domain according to the instruction.
  • the device is further optimized. Specifically, the device further includes:
  • An instruction verification module for verifying received instructions.
  • the instruction verification module is specifically configured to parse the eSIM identity information, the location information of the certificate issuer security domain configuration domain, and the initiator identity information of the deletion action initiated by the eSIM from the instruction;
  • authorization information for deleting the certificate issuer security domain configuration domain is generated.
  • the device is further optimized. Specifically, the device further includes:
  • An information adding unit configured to generate confirmation deletion information when determining that the predetermined rule is met, and add the confirmation deletion information, the eSIM identity information, the location information, and the initiator identity information to the generated authorization information.
  • the embodiment of the present invention provides another schematic diagram of an apparatus for obtaining an authorization for deleting an ISD-P domain.
  • the apparatus 6 may include: at least one processor 61, such as a CPU.
  • the memory 63 may be a high speed RAM memory or a non-volatile memory such as at least one disk memory.
  • a set of program codes is stored in the memory 63, and the processor 61 is configured to call the program code stored in the memory 63 for performing the following operations:
  • the processor 61 also performs the following operations:
  • the request information carries eSIM identity information, location information of the certificate issuer security domain configuration domain, and identity information of the initiator of the deletion action initiated to the eSIM;
  • the eSIM identity information, the location information, and the initiator identity information are added to an instruction requesting authorization from the mobile network operator.
  • the processor 61 also performs the following operations:
  • when the processor 61 performs the step of sending the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information, it does the following:
  • an embodiment of the present invention provides another apparatus for generating an authorization for deleting an ISD-P domain.
  • the apparatus 7 may include: at least one processor 71, such as a CPU.
  • a set of program codes is stored in the memory 73, and the processor 71 is configured to call the program code stored in the memory 73 for performing the following operations:
  • the processor 71 also performs the following operations:
  • authorization information for deleting the certificate issuer security domain configuration domain is generated.
  • the processor 71 also performs the following operations:
  • the confirmation deletion information is generated, and the confirmation deletion information, the eSIM identity information, the location information, and the initiator identity information are added to the generated authorization information.
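The SM-DP/MNO exchange in Steps 3 to 7 above, together with the MNO's predetermined-rule check, as an added Python example (not code from the patent). The field names, rule tables and sample identifiers are constructed, HMAC-SHA256 stands in for the MNO's digital signature so that only the standard library is needed, and the mutual authentication of Steps 1 and 2 is assumed to have already succeeded.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the MNO's digital signature
# so the example needs only the standard library; a deployment would sign with
# the MNO's private key and verify against its certificate.
MNO_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed MNO-side data for the "predetermined rule": which initiators may
# request a deletion, and which ISD-P IDs belong to which eSIM.
ALLOWED_INITIATORS = {"MNO", "USER"}
ISDP_OWNERSHIP = {("ECCID-0001", "EUICC-0001"): {"ISDP-01", "ISDP-02"}}

# Hypothetical field names for the four items the request carries.
REQUEST_FIELDS = ("eccid", "euicc_id", "isdp_id", "initiator")
CONFIRMATION = "DELETE-CONFIRMED"  # constructed "confirm deletion" value


def canonical(fields):
    """Serialize deterministically so both sides sign and verify the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(fields):
    """Tag over the canonical form (HMAC stand-in for the MNO signature)."""
    return hmac.new(MNO_KEY, canonical(fields), hashlib.sha256).hexdigest()


def smdp_build_request(eccid, euicc_id, isdp_id, initiator):
    """Step 3: SM-DP request carrying the eSIM, ISD-P and initiator identifiers."""
    return {"eccid": eccid, "euicc_id": euicc_id,
            "isdp_id": isdp_id, "initiator": initiator}


def mno_check_rules(request):
    """MNO side: parse the fields and test them against the predetermined rule."""
    if set(request) != set(REQUEST_FIELDS):
        return False
    if not all(isinstance(request[k], str) for k in REQUEST_FIELDS):
        return False
    if request["initiator"] not in ALLOWED_INITIATORS:
        return False  # wrong initiator code
    owned = ISDP_OWNERSHIP.get((request["eccid"], request["euicc_id"]), set())
    return request["isdp_id"] in owned  # ISD-P must correspond to this eSIM


def mno_authorize(request):
    """Steps 4-5: return the signed authorization, or None if the rule fails."""
    if not mno_check_rules(request):
        return None
    # All content sent by the SM-DP, plus the confirmation, all covered by
    # the signature.
    body = dict(request, confirmation=CONFIRMATION)
    return {"body": body, "signature": sign(body)}


def smdp_verify(request, authorization):
    """Steps 6-7: accept only a correctly signed authorization for this request."""
    if not isinstance(authorization, dict):
        return False
    body = authorization.get("body")
    signature = authorization.get("signature")
    if not isinstance(body, dict) or not isinstance(signature, str):
        return False
    # Constant-time comparison of the recomputed tag with the received one.
    if not hmac.compare_digest(sign(body).encode(), signature.encode()):
        return False
    if body.get("confirmation") != CONFIRMATION:
        return False
    # Added check: the signed body must echo the request that was sent, so an
    # authorization issued for another ISD-P cannot be substituted.
    return all(body.get(k) == request[k] for k in REQUEST_FIELDS)


if __name__ == "__main__":
    req = smdp_build_request("ECCID-0001", "EUICC-0001", "ISDP-01", "USER")
    auth = mno_authorize(req)
    print("authorized and verified:", smdp_verify(req, auth))
    forged = {"body": dict(auth["body"], isdp_id="ISDP-02"),
              "signature": auth["signature"]}
    print("tampered authorization accepted:", smdp_verify(req, forged))
    bad = smdp_build_request("ECCID-0001", "EUICC-0001", "ISDP-99", "USER")
    print("unowned ISD-P authorized:", mno_authorize(bad) is not None)
```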

Abstract

A method and device for generating and acquiring authorization for deleting an ISD-P domain. The method for acquiring authorization for deleting an ISD-P domain comprises: sending to a mobile network operator (MNO) an instruction for acquiring authorization information (S101), the instruction being used to enable the mobile network operator to generate and return the authorization information for deleting an issuer security domain profile (ISD-P) domain; and receiving the authorization information returned by the mobile network operator (S102). The above method enables a mechanism for authorizing deletion, and employing the mechanism can effectively improve the security of deleting an ISD-P domain on an eSIM card.

Description

Method and apparatus for generating and obtaining authorization for deleting an ISD-P domain
This application claims priority to Chinese Patent Application No. 201610281301.5, entitled "Method and apparatus for generating and obtaining authorization for deleting an ISD-P domain", filed with the Chinese Patent Office on April 29, 2016, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of mobile communications, and in particular to a method and apparatus for generating and obtaining authorization for deleting an ISD-P domain.
Background art
With the development of technology, eSIM (embedded Subscriber Identity Module) cards are becoming popular.
Multi-level security domains are established on an eSIM card, and ISD-P (Issuer Security Domain Profile) domains are configured on the security domains at each level. The multiple ISD-P domains are isolated from one another, and each ISD-P domain contains personalized data such as the operator file system and policy control rules. When an ISD-P domain is contracted with an operator MNO (Mobile Network Operator), a correspondence is established among the ISD-P, the MNO and the SM-DP (Subscription Manager Data Preparation).
At present, deleting an ISD-P on an eSIM card carries security risks; for example, misoperation or malicious operation may occur.
Summary of the invention
The inventors of the present invention have found that the above problem arises because no "delete authorization" mechanism is set in the prior art: the eSIM card can delete an ISD-P without obtaining a "delete authorization".
In view of the deficiencies of the prior art and the above finding, an object of the present invention is to provide a method and apparatus for generating and obtaining authorization for deleting an ISD-P domain, so as to solve the prior-art problem that deleting an ISD-P on an eSIM card carries security risks.
The object of the present invention is mainly achieved by the following technical solutions:
According to one aspect of the present invention, the present invention provides a method for obtaining authorization for deleting an ISD-P domain, comprising:
sending to a mobile network operator an instruction for obtaining authorization information, the instruction being used to cause the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration domain;
receiving the authorization information returned by the mobile network operator.
According to another aspect of the present invention, the present invention also provides a method for generating authorization for deleting an ISD-P domain, comprising:
receiving an instruction for obtaining authorization information issued by the subscription management data preparation;
generating, according to the instruction, authorization information for deleting a certificate issuer security domain configuration domain;
returning the authorization information to the subscription management data preparation.
According to another aspect of the present invention, the present invention also provides an apparatus for obtaining authorization for deleting an ISD-P domain, comprising:
an authorization requesting module, configured to send to a mobile network operator an instruction for obtaining authorization information, the instruction being used to cause the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration domain;
an authorization receiving module, configured to receive the authorization information returned by the mobile network operator.
According to another aspect of the present invention, the present invention also provides an apparatus for generating authorization for deleting an ISD-P domain, comprising:
an instruction receiving module, configured to receive an instruction for obtaining authorization information issued by the subscription management data preparation;
an authorization generation module, configured to generate, according to the instruction, authorization information for deleting a certificate issuer security domain configuration domain;
an authorization return module, configured to return the authorization information to the subscription management data preparation.
The beneficial effects of the present invention are as follows:
The method and system of the present invention implement a "delete authorization" mechanism, by which the security of deleting an ISD-P domain on an eSIM card can be effectively improved.
Brief Description of the Drawings
FIG. 1 is a flowchart of a method for obtaining an authorization for deleting an ISD-P domain in an embodiment of the present invention;
FIG. 2 is a flowchart of a method for generating an authorization for deleting an ISD-P domain in an embodiment of the present invention;
FIG. 3 is a schematic diagram of the interaction between an SM-DP and an MNO in an embodiment of the present invention;
FIG. 4 is a schematic diagram of an apparatus for obtaining an authorization for deleting an ISD-P domain in an embodiment of the present invention;
FIG. 5 is a schematic diagram of an apparatus for generating an authorization for deleting an ISD-P domain in an embodiment of the present invention;
FIG. 6 is a schematic diagram of another apparatus for obtaining an authorization for deleting an ISD-P domain in an embodiment of the present invention;
FIG. 7 is a schematic diagram of another apparatus for generating an authorization for deleting an ISD-P domain in an embodiment of the present invention.
Detailed Description
To solve the problem in the prior art that deleting an ISD-P on an eSIM card carries a security risk, the present invention provides a method and an apparatus for generating and obtaining an authorization for deleting an ISD-P domain. The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and do not limit it.
Embodiment 1
As shown in FIG. 1, this embodiment of the present invention provides a method for obtaining an authorization for deleting an ISD-P domain. The method is used on the subscription management data preparation (SM-DP) side and includes:
S101: send, to a mobile network operator (MNO), an instruction for obtaining authorization information, where the instruction is used to cause the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration (ISD-P) domain;
S102: receive the authorization information returned by the mobile network operator.
In this embodiment of the present invention, the SM-DP sends the MNO an instruction for obtaining authorization information so that the MNO returns authorization information. This implements a "deletion authorization" mechanism, with which the security of deleting an ISD-P domain on an eSIM card can be effectively improved.
In a preferred implementation of the present invention, the above method is further optimized. Specifically, the method further includes:
performing identity authentication on the mobile network operator;
after the authentication succeeds, sending the instruction requesting authorization to the mobile network operator.
Identity authentication may use any of several authentication techniques, including digital signatures (that is, each party sends its own signature to the other so that the other party can authenticate its identity) and cryptographic identity authentication protocols.
With this preferred implementation, authenticating the MNO effectively prevents the security problems caused by a masquerading MNO issuing authorization information to the SM-DP.
In a preferred implementation of the present invention, the above method is further optimized. Specifically, the method further includes:
receiving request information, sent by an eSIM card, for deleting a certificate issuer security domain configuration domain, where the request information carries eSIM identity information, location information of the certificate issuer security domain configuration domain, and identity information of the initiator that initiated the deletion action toward the eSIM;
adding the eSIM identity information, the location information, and the initiator identity information to the instruction that requests authorization from the mobile network operator.
With this preferred implementation, the MNO can determine from the information in the instruction whether the deletion action conforms to a predetermined rule, and it generates and returns authorization information to the SM-DP only when the predetermined rule is met, which more effectively improves the security of deleting an ISD-P domain on the eSIM card.
In a preferred implementation of the present invention, the above method is further optimized. Specifically, the method further includes:
sending the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information.
This preferred implementation makes it safer and more effective for the SM-DP to delete the ISD-P domain of the eSIM card.
Specifically, the step of sending the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information, includes:
parsing, from the obtained authorization information, the eSIM identity information, the location information of the certificate issuer security domain configuration domain, and the deletion confirmation information;
sending, according to the parsed eSIM identity information, the authorization information to the corresponding eSIM card, so that the eSIM card deletes the corresponding certificate issuer security domain configuration domain according to the parsed deletion confirmation information and the location information of the certificate issuer security domain configuration domain.
In a preferred implementation of the present invention, the above method is further optimized. Specifically, the method further includes:
verifying the received authorization information.
With this preferred implementation, the SM-DP can identify spoofed authorization information that it receives, thereby avoiding some unsafe deletion actions.
Embodiment 2
As shown in FIG. 2, this embodiment of the present invention provides a method for generating an authorization for deleting an ISD-P domain. The method is used on the mobile network operator side and includes:
S201: receive an instruction for obtaining authorization information issued by the subscription management data preparation (SM-DP);
S202: generate, according to the instruction, authorization information for deleting a certificate issuer security domain configuration domain;
S203: return the authorization information to the subscription management data preparation (SM-DP).
In this embodiment of the present invention, the MNO obtains the instruction from the SM-DP and then generates and returns authorization information for deleting the certificate issuer security domain configuration domain. This implements a "deletion authorization" mechanism, with which the security of deleting an ISD-P domain on an eSIM card can be effectively improved.
In a preferred implementation of the present invention, the above method is further optimized. Specifically, the method further includes:
performing identity authentication on the subscription management data preparation (SM-DP);
after the authentication succeeds, generating, according to the instruction, the authorization information for deleting the certificate issuer security domain configuration domain.
With this preferred implementation, authenticating the SM-DP effectively prevents the security problems caused by a masquerading SM-DP sending the MNO an instruction for obtaining authorization information.
In a preferred implementation of the present invention, the above method is further optimized. Specifically, the method further includes:
verifying the received instruction.
This preferred implementation further improves the security of deleting an ISD-P domain on the eSIM card.
Specifically, the step of verifying the received instruction includes:
Step 1: parse, from the instruction, the eSIM identity information, the location information of the certificate issuer security domain configuration domain, and the identity information of the initiator that initiated the deletion action toward the eSIM;
Step 2: determine, according to the eSIM identity information, the location information, and the initiator identity information, whether the deletion action conforms to a predetermined rule;
The predetermined rule is not specifically limited and may be set in any manner according to the prior art. For example, in a specific implementation of this step, an initiator code may be set, and if the initiator code in the instruction is wrong, the predetermined rule is not met. As another example, a correspondence between location information codes and eSIM cards may be set, and if the correspondence in the instruction does not match that correspondence, the predetermined rule is not met.
The eSIM identity information includes the integrated circuit card ID (ECCID) identifier and the eUICC-ID identifier of the eSIM. The identity information of the initiator that initiated the deletion action toward the eSIM may take the form of an identity identifier; the initiator is any one of the MNO, various applications, and the user (for example, a deletion instruction issued by the user). The location information of the certificate issuer security domain configuration domain includes at least one of path information and the ID identifier of the ISD-P.
Step 3: when it is determined that the predetermined rule is met, generate the authorization information for deleting the certificate issuer security domain configuration domain.
In this specific manner, the eSIM identity information, the location information, and the initiator identity information are used to determine whether the deletion action conforms to the predetermined rule, and the authorization information for deleting the certificate issuer security domain configuration domain is generated when the predetermined rule is met. This further improves the security of generating authorization information and therefore the security of deleting an ISD-P domain on the eSIM card.
In a preferred implementation of the present invention, the above method is further optimized. Specifically, the method further includes:
when it is determined that the predetermined rule is met, generating deletion confirmation information, and adding the deletion confirmation information, the eSIM identity information, the location information, and the initiator identity information to the generated authorization information.
With this preferred manner, the SM-DP can verify the authorization information by using the information contained in it, which further improves the security of deleting an ISD-P domain on the eSIM card.
The following specific application example describes the interaction between an SM-DP that applies the method of Embodiment 1 and an MNO that applies the method of Embodiment 2, as shown in FIG. 3:
Step 1: the two parties authenticate each other. Authentication may use any of several authentication techniques, including digital signatures (that is, each party sends its own signature to the other so that the other party can authenticate its identity) and cryptographic identity authentication protocols.
Step 2: if authentication fails, terminate.
Step 3: the SM-DP requests an ISD-P deletion authorization. The request message it sends contains: the integrated circuit card ID (ECCID) identifier of the eSIM, the eUICC-ID identifier, the ID identifier of the target ISD-P, and the identity identifier of the initiator of the deletion action.
Step 4: the MNO generates the authorization information. The authorization message should include: all the content sent by the SM-DP, a piece of deletion confirmation information, and a signature over all of that content and the confirmation information.
Step 5: the MNO sends the authorization information.
Step 6: the SM-DP receives and verifies the authorization information. When the SM-DP verifies the authorization information from the MNO, it mainly verifies whether the MNO's signature is correct; if it is, the SM-DP considers that it has received a correct authorization.
Step 7: if the SM-DP's verification of the authorization information fails, terminate.
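The exchange in steps 3 to 6 above, as an added example that is not part of the patent text: the field names, rule tables and key are constructed for illustration, mutual authentication (steps 1 and 2) is assumed to have succeeded, and HMAC-SHA256 over a shared demo key stands in for the MNO's digital signature. Beyond the signature check described in step 6, the verifier also confirms that the signed fields match the request it sent, so an authorization issued for one ISD-P cannot be reused for another.

```python
import hashlib
import hmac
import json

# Constructed sample values; every identifier below is hypothetical.
# Assumption: HMAC with a shared key stands in for the MNO's digital signature.
MNO_KEY = b"constructed-demo-key-shared-by-mno-and-sm-dp"
ALLOWED_INITIATORS = {"MNO", "USER"}                    # MNO-side initiator codes
ISDP_BY_EUICC = {"EUICC-0001": {"ISDP-A", "ISDP-B"}}    # eSIM -> ISD-Ps it holds
REQUEST_FIELDS = ("eccid", "euicc_id", "isdp_id", "initiator_id")
CONFIRM = "DELETE_CONFIRMED"


def canonical(fields):
    """Serialize deterministically so signer and verifier hash the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(body):
    """Compute the stand-in signature over the canonical form of the body."""
    return hmac.new(MNO_KEY, canonical(body), hashlib.sha256).hexdigest()


def build_request(eccid, euicc_id, isdp_id, initiator_id):
    """Step 3: the SM-DP's request for an ISD-P deletion authorization."""
    return {"eccid": eccid, "euicc_id": euicc_id,
            "isdp_id": isdp_id, "initiator_id": initiator_id}


def mno_authorize(request):
    """Step 4: apply the predetermined rules, then sign request + confirmation.

    Returns the authorization message, or None when a rule is not met.
    """
    if set(request) != set(REQUEST_FIELDS):
        return None                                   # malformed request
    if request["initiator_id"] not in ALLOWED_INITIATORS:
        return None                                   # wrong initiator code
    if request["isdp_id"] not in ISDP_BY_EUICC.get(request["euicc_id"], set()):
        return None                                   # ISD-P not on this eSIM
    body = dict(request, confirm=CONFIRM)
    return dict(body, signature=sign(body))


def smdp_verify(request, authorization):
    """Step 6: check the signature, the confirmation, and the request binding."""
    if not isinstance(authorization, dict) or "signature" not in authorization:
        return False
    body = {k: v for k, v in authorization.items() if k != "signature"}
    received = str(authorization["signature"]).encode()
    if not hmac.compare_digest(sign(body).encode(), received):
        return False                                  # forged or altered message
    if body.get("confirm") != CONFIRM:
        return False
    # Added check: the signed fields must be the ones this SM-DP asked about.
    return all(body.get(f) == request[f] for f in REQUEST_FIELDS)


def run_demo():
    """Run the exchange on constructed inputs and return the outcomes."""
    req = build_request("ECCID-1", "EUICC-0001", "ISDP-A", "USER")
    auth = mno_authorize(req)
    tampered = dict(auth, isdp_id="ISDP-B")           # altered after signing
    other = build_request("ECCID-1", "EUICC-0001", "ISDP-B", "USER")
    return {
        "valid": smdp_verify(req, auth),
        "tampered": smdp_verify(req, tampered),
        "reused_for_other_isdp": smdp_verify(other, auth),
        "bad_initiator": mno_authorize(
            build_request("ECCID-1", "EUICC-0001", "ISDP-A", "APP-X")),
    }


if __name__ == "__main__":
    print(run_demo())
```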
Embodiment 3
As shown in FIG. 4, this embodiment of the present invention provides an apparatus for obtaining an authorization for deleting an ISD-P domain, which is the apparatus embodiment corresponding to Embodiment 1. The apparatus is used on the subscription management data preparation (SM-DP) side and includes:
an authorization requesting module, configured to send, to a mobile network operator, an instruction for obtaining authorization information, where the instruction is used to cause the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration domain;
an authorization receiving module, configured to receive the authorization information returned by the mobile network operator.
In this embodiment of the present invention, the MNO implements a "deletion authorization" mechanism through the authorization requesting module and the authorization receiving module, with which the security of deleting an ISD-P domain on an eSIM card can be effectively improved.
In a preferred implementation of the present invention, the above apparatus is further optimized. Specifically, the apparatus further includes:
an identity authentication module, configured to perform identity authentication on the mobile network operator;
after the authentication succeeds, the authorization requesting module is triggered to send the instruction requesting authorization to the mobile network operator.
In a preferred implementation of the present invention, the above apparatus is further optimized. Specifically, the apparatus further includes:
an information receiving module, configured to receive request information, sent by an eSIM card, for deleting a certificate issuer security domain configuration domain, where the request information carries eSIM identity information, location information of the certificate issuer security domain configuration domain, and identity information of the initiator that initiated the deletion action toward the eSIM;
an information adding module, configured to add the eSIM identity information, the location information, and the initiator identity information to the instruction that requests authorization from the mobile network operator.
In a preferred implementation of the present invention, the above apparatus is further optimized. Specifically, the apparatus further includes:
an authorization deletion module, configured to send the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information.
The authorization deletion module is specifically configured to parse, from the obtained authorization information, the eSIM identity information, the location information of the certificate issuer security domain configuration domain, and the deletion confirmation information;
and to send, according to the parsed eSIM identity information, the authorization information to the corresponding eSIM card, so that the eSIM card deletes the corresponding certificate issuer security domain configuration domain according to the parsed deletion confirmation information and the location information of the certificate issuer security domain configuration domain.
In a preferred implementation of the present invention, the above apparatus is further optimized. Specifically, the apparatus further includes:
an authorization verification module, configured to verify the received authorization information.
Embodiment 4
As shown in FIG. 5, this embodiment of the present invention provides an apparatus for generating an authorization for deleting an ISD-P domain, which is the apparatus embodiment corresponding to Embodiment 2. The apparatus is used on the mobile network operator side and includes:
an instruction receiving module, configured to receive an instruction for obtaining authorization information issued by the subscription management data preparation (SM-DP);
an authorization generation module, configured to generate, according to the instruction, authorization information for deleting a certificate issuer security domain configuration domain;
an authorization return module, configured to return the authorization information to the subscription management data preparation (SM-DP).
In this embodiment of the present invention, the MNO implements a "deletion authorization" mechanism through the instruction receiving module, the authorization generation module, and the authorization return module, with which the security of deleting an ISD-P domain on an eSIM card can be effectively improved.
In a preferred implementation of the present invention, the above apparatus is further optimized. Specifically, the apparatus further includes:
an identity authentication unit, configured to perform identity authentication on the subscription management data preparation (SM-DP);
after the authentication succeeds, the authorization generation module is triggered to generate, according to the instruction, the authorization information for deleting the certificate issuer security domain configuration domain.
In a preferred implementation of the present invention, the above apparatus is further optimized. Specifically, the apparatus further includes:
an instruction verification module, configured to verify the received instruction.
The instruction verification module is specifically configured to parse, from the instruction, the eSIM identity information, the location information of the certificate issuer security domain configuration domain, and the identity information of the initiator that initiated the deletion action toward the eSIM;
to determine, according to the eSIM identity information, the location information, and the initiator identity information, whether the deletion action conforms to a predetermined rule;
and, when it is determined that the predetermined rule is met, to generate the authorization information for deleting the certificate issuer security domain configuration domain.
In a preferred implementation of the present invention, the above apparatus is further optimized. Specifically, the apparatus further includes:
an information adding unit, configured to generate deletion confirmation information when it is determined that the predetermined rule is met, and to add the deletion confirmation information, the eSIM identity information, the location information, and the initiator identity information to the generated authorization information.
Embodiment 5
As shown in FIG. 6, this embodiment of the present invention provides another apparatus for obtaining an authorization for deleting an ISD-P domain. The apparatus 6 may include: at least one processor 61, for example a CPU, at least one communication bus 62, and a memory 63. The communication bus 62 implements connection and communication between these components. The memory 63 may be a high-speed RAM memory or a non-volatile memory, for example at least one disk memory. The memory 63 stores a set of program code, and the processor 61 calls the program code stored in the memory 63 to perform the following operations:
sending, to a mobile network operator, an instruction for obtaining authorization information, where the instruction is used to cause the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration domain;
receiving the authorization information returned by the mobile network operator.
In a preferred implementation of the present invention, the processor 61 further performs the following operations:
receiving request information, sent by an eSIM card, for deleting a certificate issuer security domain configuration domain, where the request information carries eSIM identity information, location information of the certificate issuer security domain configuration domain, and identity information of the initiator that initiated the deletion action toward the eSIM;
adding the eSIM identity information, the location information, and the initiator identity information to the instruction that requests authorization from the mobile network operator.
In a preferred implementation of the present invention, the processor 61 further performs the following operation:
sending the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information.
In a preferred implementation of the present invention, when performing the step of sending the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information, the processor 61 specifically performs the following operations:
parsing, from the obtained authorization information, the eSIM identity information, the location information of the certificate issuer security domain configuration domain, and the deletion confirmation information;
sending, according to the parsed eSIM identity information, the authorization information to the corresponding eSIM card, so that the eSIM card deletes the corresponding certificate issuer security domain configuration domain according to the parsed deletion confirmation information and the location information of the certificate issuer security domain configuration domain.
Embodiment 6
As shown in FIG. 7, this embodiment of the present invention provides another apparatus for generating an authorization for deleting an ISD-P domain. The apparatus 7 may include: at least one processor 71, for example a CPU, at least one communication bus 72, and a memory 73. The communication bus 72 implements connection and communication between these components. The memory 73 may be a high-speed RAM memory or a non-volatile memory, for example at least one disk memory. The memory 73 stores a set of program code, and the processor 71 calls the program code stored in the memory 73 to perform the following operations:
receiving an instruction for obtaining authorization information issued by the subscription management data preparation (SM-DP);
generating, according to the instruction, authorization information for deleting a certificate issuer security domain configuration domain;
returning the authorization information to the subscription management data preparation (SM-DP).
In a preferred implementation of the present invention, the processor 71 further performs the following operations:
parsing, from the instruction, the eSIM identity information, the location information of the certificate issuer security domain configuration domain, and the identity information of the initiator that initiated the deletion action toward the eSIM;
determining, according to the eSIM identity information, the location information, and the initiator identity information, whether the deletion action conforms to a predetermined rule;
when it is determined that the predetermined rule is met, generating the authorization information for deleting the certificate issuer security domain configuration domain.
In a preferred implementation of the present invention, the processor 71 further performs the following operation:
when it is determined that the predetermined rule is met, generating deletion confirmation information, and adding the deletion confirmation information, the eSIM identity information, the location information, and the initiator identity information to the generated authorization information.
Although preferred embodiments of the present invention have been disclosed for purposes of illustration, those skilled in the art will recognize that various improvements, additions, and substitutions are also possible; therefore, the scope of the present invention should not be limited to the above embodiments.

Claims (14)

  1. 一种获取用于删除ISD-P域的授权的方法,其特征在于,包括:A method for obtaining an authorization for deleting an ISD-P domain, comprising:
    向移动网络运营商发出获取授权信息的指令,所述指令用于使所述移动网络运营商生成并返回用于删除证书发行方安全域配置域的授权信息;Sending to the mobile network operator an instruction to obtain authorization information, the instruction being used to cause the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration domain;
    接收所述移动网络运营商返回的授权信息。Receiving authorization information returned by the mobile network operator.
  2. 如权利要求1所述的方法,其特征在于,所述方法还包括:The method of claim 1 wherein the method further comprises:
    接收eSIM卡发送的删除证书发行方安全域配置域的请求信息;所述请求信息携带eSIM身份信息、所述证书发行方安全域配置域的位置信息和向所述eSIM发起删除动作的发起者身份信息;Receiving request information of the deleted certificate issuer security domain configuration domain sent by the eSIM card; the request information carries eSIM identity information, location information of the certificate issuer security domain configuration domain, and initiator identity of the deletion action initiated to the eSIM information;
    将所述eSIM身份信息、所述位置信息和所述发起者身份信息添加到向所述移动网络运营商请求授权的指令中。The eSIM identity information, the location information, and the initiator identity information are added to an instruction requesting authorization from the mobile network operator.
  3. 如权利要求1或2所述的方法,其特征在于,所述方法还包括:The method of claim 1 or 2, wherein the method further comprises:
    将获取的所述授权信息发送给所述eSIM卡,以使所述eSIM卡根据所述授权信息删除证书发行方安全域配置域。And transmitting the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information.
  4. 如权利要求3所述的方法,其特征在于,所述将获取的所述授权信息发送给所述eSIM卡,以使所述eSIM卡根据所述授权信息删除证书发行方安全域配置域的步骤,包括:The method according to claim 3, wherein the step of transmitting the obtained authorization information to the eSIM card to cause the eSIM card to delete a certificate issuer security domain configuration field according to the authorization information ,include:
    从获取的所述授权信息中,解析出eSIM身份信息、证书发行方安全域配置域的位置信息和确认删除信息;Extracting the eSIM identity information, the location information of the certificate issuer security domain configuration domain, and confirming the deletion information from the obtained authorization information;
    根据解析出的eSIM身份信息,将所述授权信息发送给对应的所述eSIM卡,以使所述eSIM卡根据解析出的所述确认删除信息和所述证书发行方安全域配置域的位置信息,删除对应的所述证书发行方安全域配置域。Sending, according to the parsed eSIM identity information, the authorization information to the corresponding eSIM card, so that the eSIM card according to the parsed confirmation deletion information and location information of the certificate issuer security domain configuration domain , delete the corresponding certificate issuer security domain configuration domain.
  5. A method for generating an authorization for deleting an ISD-P domain, comprising:
    receiving an instruction for obtaining authorization information, issued by the subscription management data preparation;
    generating, according to the instruction, authorization information for deleting a certificate issuer security domain configuration domain;
    returning the authorization information to the subscription management data preparation.
  6. The method according to claim 5, wherein the method further comprises:
    parsing, from the instruction, eSIM identity information, location information of the certificate issuer security domain configuration domain, and identity information of the initiator that initiated the deletion action toward the eSIM;
    determining, according to the eSIM identity information, the location information, and the initiator identity information, whether the deletion action complies with a predetermined rule;
    when it is determined that the predetermined rule is complied with, generating the authorization information for deleting the certificate issuer security domain configuration domain.
  7. The method according to claim 5 or 6, wherein the method further comprises:
    when it is determined that the predetermined rule is complied with, generating confirmation deletion information, and adding the confirmation deletion information, the eSIM identity information, the location information, and the initiator identity information to the generated authorization information.
  8. An apparatus for obtaining an authorization for deleting an ISD-P domain, comprising:
    an authorization requesting module, configured to send, to a mobile network operator, an instruction for obtaining authorization information, where the instruction is used to cause the mobile network operator to generate and return authorization information for deleting a certificate issuer security domain configuration domain;
    an authorization receiving module, configured to receive the authorization information returned by the mobile network operator.
  9. The apparatus according to claim 8, wherein the apparatus further comprises:
    an information receiving module, configured to receive request information, sent by an eSIM card, for deleting the certificate issuer security domain configuration domain; the request information carries eSIM identity information, location information of the certificate issuer security domain configuration domain, and identity information of the initiator that initiated the deletion action toward the eSIM;
    an information adding module, configured to add the eSIM identity information, the location information, and the initiator identity information to the instruction requesting authorization from the mobile network operator.
  10. The apparatus according to claim 8 or 9, wherein the apparatus further comprises:
    an authorization deletion module, configured to send the obtained authorization information to the eSIM card, so that the eSIM card deletes the certificate issuer security domain configuration domain according to the authorization information.
  11. The apparatus according to claim 10, wherein the authorization deletion module is specifically configured to parse eSIM identity information, location information of the certificate issuer security domain configuration domain, and confirmation deletion information out of the obtained authorization information;
    and to send, according to the parsed eSIM identity information, the authorization information to the corresponding eSIM card, so that the eSIM card deletes the corresponding certificate issuer security domain configuration domain according to the parsed confirmation deletion information and the location information of the certificate issuer security domain configuration domain.
  12. An apparatus for generating an authorization for deleting an ISD-P domain, comprising:
    an instruction receiving module, configured to receive an instruction for obtaining authorization information, issued by the subscription management data preparation;
    an authorization generation module, configured to generate, according to the instruction, authorization information for deleting a certificate issuer security domain configuration domain;
    an authorization return module, configured to return the authorization information to the subscription management data preparation.
  13. The apparatus according to claim 12, wherein the apparatus further comprises:
    an instruction verification module, configured to parse, from the instruction, eSIM identity information, location information of the certificate issuer security domain configuration domain, and identity information of the initiator that initiated the deletion action toward the eSIM;
    to determine, according to the eSIM identity information, the location information, and the initiator identity information, whether the deletion action complies with a predetermined rule;
    and, when it is determined that the predetermined rule is complied with, to trigger the authorization generation module to generate the authorization information for deleting the certificate issuer security domain configuration domain.
  14. The apparatus according to claim 12 or 13, wherein the apparatus further comprises:
    an information adding unit, configured to generate confirmation deletion information when it is determined that the predetermined rule is complied with, and to add the confirmation deletion information, the eSIM identity information, the location information, and the initiator identity information to the generated authorization information.
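
The message flow of claims 1 to 7, sketched end to end as an added example (not code from the patent or its applicant): the eSIM's request, the instruction the subscription management data preparation (SM-DP) sends to the operator, the operator's rule check and authorization, and the card-side deletion. The JSON encoding, the rule contents, all identifiers and the HMAC tag are assumptions of this example; the claims do not say how the authorization information is protected on its way to the card.

```python
import hashlib
import hmac
import json

# Assumptions of this example, not taken from the claims: the JSON encoding,
# the shared MNO/eSIM key, and what the "predetermined rule" checks.
MNO_ESIM_KEY = b"constructed-demo-key"           # constructed value
ALLOWED_INITIATORS = {"user", "mno"}             # hypothetical rule input
MNO_OWNED_ISDP = {("EID-0001", "ISD-P-02")}      # (eSIM identity, ISD-P location)

def auth_tag(body):
    """Integrity tag over the authorization body (added here as an assumption)."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(MNO_ESIM_KEY, msg, hashlib.sha256).hexdigest()

def build_instruction(request):
    """SM-DP, claim 2: copy the three request fields into the instruction."""
    return {k: request[k] for k in ("esim_id", "isdp_location", "initiator_id")}

def mno_authorize(instruction):
    """Operator, claims 5-7: check the rule, return authorization info or None."""
    owned = (instruction["esim_id"], instruction["isdp_location"]) in MNO_OWNED_ISDP
    if instruction["initiator_id"] not in ALLOWED_INITIATORS or not owned:
        return None
    body = dict(instruction, confirm_delete=True)
    return {"body": body, "tag": auth_tag(body)}

def sm_dp_route(authorization):
    """SM-DP, claim 4: parse the eSIM identity to select the target card."""
    return authorization["body"]["esim_id"]

def esim_delete(card, authorization):
    """eSIM: delete only if the authorization is intact and names this card."""
    body = authorization["body"]
    if not hmac.compare_digest(auth_tag(body), authorization["tag"]):
        return False
    if body["esim_id"] != card["esim_id"] or body.get("confirm_delete") is not True:
        return False
    return card["isdps"].pop(body["isdp_location"], None) is not None

def run_flow(card, initiator_id, isdp_location):
    """eSIM request -> SM-DP -> operator -> SM-DP -> eSIM."""
    request = {"esim_id": card["esim_id"], "isdp_location": isdp_location,
               "initiator_id": initiator_id}
    authorization = mno_authorize(build_instruction(request))
    if authorization is None or sm_dp_route(authorization) != card["esim_id"]:
        return False
    return esim_delete(card, authorization)
```

Without the tag check in `esim_delete`, any party on the path could rewrite the location field of a valid authorization and have a different ISD-P deleted.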
PCT/CN2016/084071 2016-04-29 2016-05-31 Method and device for generating and acquiring authorization for deleting isd-p domain WO2017185458A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610281301.5 2016-04-29
CN201610281301.5A CN105792178A (en) 2016-04-29 2016-04-29 Method of generating and acquiring authorization used for deleting ISD-P domain and apparatus thereof

Publications (1)

Publication Number Publication Date
WO2017185458A1 (en) 2017-11-02

Family

ID=56400226

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/084071 WO2017185458A1 (en) 2016-04-29 2016-05-31 Method and device for generating and acquiring authorization for deleting isd-p domain

Country Status (2)

Country Link
CN (1) CN105792178A (en)
WO (1) WO2017185458A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108235821B (en) * 2016-11-30 2020-05-08 华为技术有限公司 Method and device for obtaining authorization file
CN108574683A (en) * 2017-03-13 2018-09-25 中兴通讯股份有限公司 Subscription data processing method, signing management server and subscription data processing unit
CN108966208A (en) * 2017-05-19 2018-12-07 中兴通讯股份有限公司 The method for down loading and device of eUICC subscription data
CN112839334B (en) * 2017-08-28 2022-06-28 华为技术有限公司 Information verification method and related equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101282330A (en) * 2007-04-04 2008-10-08 华为技术有限公司 Method and apparatus for managing network memory access authority, network memory access control method
CN102970137A (en) * 2011-08-31 2013-03-13 北京中电华大电子设计有限责任公司 Safe issuing method of multi-functional intelligent card
US20140134981A1 (en) * 2011-07-08 2014-05-15 Kt Corporation Method for changing mno in embedded sim on basis of special privilege, and embedded sim and recording medium therefor
US20140140507A1 (en) * 2011-07-08 2014-05-22 Kt Corporation Method for changing mno in embedded sim on basis of dynamic key generation and embedded sim and recording medium therefor
CN103957210A (en) * 2014-04-30 2014-07-30 捷德(中国)信息科技有限公司 Smart card and safety control method, device and system thereof
CN104350501A (en) * 2012-05-25 2015-02-11 佳能株式会社 Authorization server and client apparatus, server cooperative system, and token management method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013048084A2 (en) * 2011-09-28 2013-04-04 주식회사 케이티 Profile management method, embedded uicc, and device provided with the embedded uicc
KR102231948B1 (en) * 2014-07-17 2021-03-25 삼성전자 주식회사 A method and apparatus for updating profile managing server
FI3764678T3 (en) * 2014-09-17 2024-02-02 Simless Inc Apparatus for implementing a trusted subscription management platform
CN105050071B (en) * 2015-07-10 2019-09-24 惠州Tcl移动通信有限公司 A kind of multi-apparatus management method and system based on eUICC

Also Published As

Publication number Publication date
CN105792178A (en) 2016-07-20

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16899968

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16899968

Country of ref document: EP

Kind code of ref document: A1