WO2019056957A1 - Data processing and identity authentication methods and systems, and terminal - Google Patents

Publication number
WO2019056957A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
key
sim card
management server
data
Application number
PCT/CN2018/104763
Inventor
杨涛
姜金龙
董侃
Original Assignee
阿里巴巴集团控股有限公司
Priority to CN201710852631.X
Priority to CN201710852631.XA (patent CN109525989B)
Application filed by 阿里巴巴集团控股有限公司
Publication of WO2019056957A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183 Processing at user equipment or user record carrier

Abstract

Disclosed in the present application are data processing and identity authentication methods and systems, and a terminal. The data processing method comprises: a terminal acquires an authentication ciphertext, the authentication ciphertext being ciphertext generated on the basis of a first key stored in the SIM card of a terminal; the terminal applies for updated sensitive data from a service server, and sends the authentication ciphertext to a management server via the service server; the terminal receives encrypted data sent by the management server via the service server, the encrypted data being obtained by means of the management server using a second key corresponding to the first key to encrypt sensitive data provided by the service server; and the terminal uses the first key stored in the SIM card to decrypt the encrypted data and stores the decrypted sensitive data.

Description

Data processing and identity authentication methods and systems, and terminal
The present application claims priority to Chinese Patent Application No. 201710852631.X, filed on September 19, 2017 and entitled "Data Processing, Identity Authentication Method and System, Terminal", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of authentication, and in particular to data processing and identity authentication methods and systems, and a terminal.
Background
The traditional approach to Internet of Things (IoT) device security is to store keys either in an external security carrier or directly in the Micro Controller Unit (MCU). However, an external security carrier requires the manufacturer to change the hardware design and increases cost, while a key stored directly in the MCU lacks the protection of a secure storage environment and is easily stolen by an attacker.
Moreover, using a complex network security protocol or a dedicated carrier line to solve the security problem poses challenges for product cost and deployment.
No effective solution to the above problems has yet been proposed.
Summary of the invention
The embodiments of the present application provide data processing and identity authentication methods and systems, and a terminal, so as to solve at least the technical problem that security authentication schemes in the related art cannot satisfy both the cost requirement and the high-security requirement.
According to one aspect of the embodiments of the present application, a data processing system is provided, including: a terminal provided with a Subscriber Identification Module (SIM) card, where the SIM card stores a first key and the terminal is configured to send an authentication ciphertext generated based on the first key to a service server; the service server, configured to provide sensitive data and send the sensitive data to a management server; and the management server, configured to authenticate the authentication ciphertext and, after authentication passes, encrypt the sensitive data using a second key corresponding to the first key, and to send the encrypted sensitive data to the terminal via the service server, where the terminal decrypts the encrypted sensitive data using the first key stored in the SIM card.
According to another aspect of the embodiments of the present application, a terminal is provided, including: a SIM card, configured to store a pre-written first key, where the first key is used to generate an authentication ciphertext; and a processor, coupled to the SIM card and configured to store sensitive data.
According to still another aspect of the embodiments of the present application, another terminal is provided, including: a security module, configured to store a security key; and a processor, coupled to the security module and configured to store sensitive data.
According to still another aspect of the embodiments of the present application, a data processing method is provided, including: a terminal generates authentication information according to a first key in a SIM card; the terminal applies to a service server to obtain sensitive data, and sends the authentication information to a management server via the service server; the terminal receives encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key corresponding to the first key; and the terminal decrypts the encrypted data according to the first key to obtain the sensitive data.
According to still another aspect of the embodiments of the present application, a storage medium is provided, where the storage medium includes a stored program, and when the program runs, the device on which the storage medium is located is controlled to execute the data processing method described above.
According to still another aspect of the embodiments of the present application, a processor is provided, where the processor is configured to run a program, and the program executes the data processing method described above when it runs.
According to still another aspect of the embodiments of the present application, a SIM card production method is provided, including: starting an application on a Subscriber Identification Module (SIM) card; and receiving, through the application, a security key delivered by a management server and storing it in the SIM card.
According to still another aspect of the embodiments of the present application, an identity authentication method is provided, including: a management server receives an authentication ciphertext forwarded by a terminal via a service server, where the authentication ciphertext is generated by the terminal based on a first key stored in the SIM card in the terminal; and the management server authenticates the authentication ciphertext.
According to still another aspect of the embodiments of the present application, a data processing method is provided, including: a terminal receives encrypted data sent by a management server via a service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key, and the second key is a key corresponding to a first key stored in the Subscriber Identification Module (SIM) card in the terminal; and the terminal decrypts the encrypted data using the first key and stores the decrypted sensitive data.
According to still another aspect of the embodiments of the present application, a data processing method is provided, including: a terminal generates authentication information according to a first key in a security module; the terminal applies to a service server to obtain sensitive data, and sends the authentication information to a management server via the service server; the terminal receives encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key corresponding to the first key; and the terminal decrypts the encrypted data according to the first key to obtain the sensitive data.
According to still another aspect of the embodiments of the present application, an identity authentication method is provided, including: a terminal generates authentication information according to a first key in a security module; the terminal sends the authentication information to a management server via a service server; and the management server authenticates the terminal according to the authentication information.
According to still another aspect of the embodiments of the present application, an identity authentication method is provided, including: a management server receives authentication information forwarded by a terminal via a service server, where the authentication information is generated by the terminal based on a first key stored in a security module in the terminal; and the management server authenticates the authentication information.
According to still another aspect of the embodiments of the present application, a data processing method is provided, including: a terminal receives encrypted data sent by a management server via a service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key, and the second key is a key corresponding to a first key stored in a security module in the terminal; and the terminal decrypts the encrypted data using the first key and stores the decrypted sensitive data.
In the embodiments of the present application, a SIM card pre-written with the first key and a management server are used to implement device legitimacy authentication and secure channel establishment. Because the first key in the SIM card is written in advance, for example during SIM card production, the security of the key in storage is ensured. A secure channel can also be established based on the authentication message, which further enhances the security of authentication and thereby solves the technical problem that security authentication schemes in the related art cannot satisfy both the cost requirement and the high-security requirement.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present application and form part of it. The illustrative embodiments of the present application and their descriptions are used to explain the application and do not unduly limit it. In the drawings:
FIG. 1 is a schematic structural diagram of a data processing system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a SIM card application flow according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a terminal according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of another terminal according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a secure channel establishment flow according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a computer terminal according to an embodiment of the present application;
FIG. 7 is a schematic flowchart of a data processing method according to an embodiment of the present application;
FIG. 8 is a schematic flowchart of another identity authentication method according to an embodiment of the present application;
FIG. 9 is a schematic flowchart of an identity authentication method according to an embodiment of the present application;
FIG. 10 is a schematic flowchart of another data processing method according to an embodiment of the present application;
FIG. 11 is a schematic flowchart of a SIM card production method according to an embodiment of the present application;
FIG. 12 is a schematic flowchart of another data processing method according to an embodiment of the present application;
FIG. 13 is a schematic flowchart of another identity authentication method according to an embodiment of the present application;
FIG. 14 is a schematic flowchart of another identity authentication method according to an embodiment of the present application; and
FIG. 15 is a schematic flowchart of another data processing method according to an embodiment of the present application.
Detailed description
To enable those skilled in the art to better understand the solution of the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without creative effort shall fall within the scope of protection of the present application.
It should be noted that the terms "first", "second" and the like in the specification, the claims and the above drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the present application described here can be implemented in an order other than those illustrated or described here. In addition, the terms "include" and "have" and any variants of them are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
First, some of the nouns or terms that appear in the description of the embodiments of the present application are explained as follows:
Security chip: a trusted platform module, a device that can independently perform key generation, encryption and decryption. It has its own processor and storage unit, can store keys and feature data, and provides encryption and security authentication services for a computer.
Security key: data encrypted with the public key can only be decrypted with the private key; conversely, data encrypted with the private key can only be decrypted with the public key.
Sensitive data: all information whose improper use, or unauthorized access or modification, would harm the public interest or the personal privacy rights that individuals enjoy under law.
Embodiment 1
In the related art, keys are usually stored in a security carrier or in the MCU. However, an external security carrier requires changes to the device design and increases cost, while a key stored in the MCU is easily cracked and the storage environment is not secure.
To meet manufacturers' demand for a low-cost, easily deployed, high-security key service, the embodiments of the present application combine the key with the SIM card: the key is securely pre-provisioned on a SIM card production line whose security standard meets EAL4+, which achieves tamper-resistant, secure storage of the key on the device side. At the same time, the management server securely stores keys on the cloud platform and provides an online key usage service for devices.
To achieve the above objective, an embodiment of the present application provides a data processing system. As shown in FIG. 1, the system includes:
Terminal 10, provided with a SIM card, where the SIM card stores a first key and the terminal is configured to send an authentication ciphertext generated based on the first key to the service server;
Optionally, the terminal 10 structurally includes, but is not limited to: a SIM card slot in which a SIM card is installed; and a processor, coupled to the SIM card and configured to store sensitive data. The processor includes, but is not limited to, a micro control unit (MCU).
To ensure the security of the storage environment of the first key, the first key may be written on the SIM card production line. For example, as shown in FIG. 2:
Step S202, an application is installed in the SIM card, where the installation can be performed by the SIM card manufacturer on a secure production line;
Step S204, the key data is burned: the production line interfaces with the cloud platform to write the key data securely;
Step S206, the operator burns the SIM card number;
Step S208, the SIM card is integrated with the terminal: on the terminal manufacturer's side, the SIM card with the key data written to it is integrated with the terminal device in hardware and software to form the final product;
Step S210, the terminal connects to the management server: during use, the terminal can access the online server (that is, the management server 14) and, together with the SIM card integrated on the device, establish a secure link from the cloud to the device.
The first key may also be written when the SIM card number is burned (that is, the first key is written at the operator stage), or during terminal production, that is, while the SIM card is being integrated into the terminal. The time at which the first key is written to the SIM card can be determined flexibly according to the actual situation and is not limited to the timings above.
In an optional embodiment, the terminal includes, but is not limited to, a smart mobile terminal, a tablet computer, and the like.
Service server 12, configured to provide sensitive data and send the sensitive data to the management server. The service server provides specific service data, for example service data related to shared bicycles. When the terminal requests service data, the service server sends the service data to the management server; after the management server encrypts it, the encrypted service data is sent to the terminal, which achieves secure transmission of the service data.
In an optional embodiment, the sensitive data may be the user's private information, such as the user's communication number, communication records, pictures and videos, or the user's permission information, such as a login password or payment password, but is not limited to these. The sensitive data may include all information whose improper use, or unauthorized access or modification by others, would harm the public interest or the personal privacy rights that individuals enjoy under law.
Management server 14, configured to authenticate the authentication ciphertext and, after authentication passes, encrypt the sensitive data using a second key, where the second key corresponds to the first key; and to send the encrypted sensitive data to the terminal via the service server, where the terminal decrypts the encrypted sensitive data using the first key stored in the SIM card. As the above process shows, the management server's encryption of the sensitive data and its authentication of the authentication ciphertext satisfy the security requirements of the authentication process and of sensitive data transmission.
In an optional embodiment, the management server 14 may be a server on the network side or a server in a cloud network. Specifically, one or more management servers 14 may form a cloud platform that provides the first key and the second key, where the first key and the second key may be the same key or keys that have a corresponding relationship.
The processes implemented by the parts described above establish a secure link between the cloud and the device. For ease of understanding, the flow through each component of the data processing system is described in detail below with reference to an optional embodiment, in which the processor in the terminal includes, but is not limited to, an MCU.
As an optional embodiment of the present application, the structure of the terminal 10 is shown in FIG. 3. As shown in FIG. 3, the terminal includes:
SIM card 30, configured to store a pre-written first key, where the first key is used to generate an authentication ciphertext;
The SIM card is the network access authentication carrier used by most devices. Combining the key with the SIM makes it possible to manage security keys without the manufacturer modifying the existing product design or building its own key system. At the same time, the online key server helps the device perform legitimacy authentication and secure channel establishment.
In addition, it should be noted that, to help the device perform legitimacy authentication, one or more legitimacy criteria may be stored in advance on the online server. A legitimacy criterion may be one or more keys whose accuracy and security have been established. Specifically, the one or more keys are set up in correspondence with the device and can be managed and updated online by the online server.
In an optional embodiment, if the key input at the device side matches the key stored for that device on the online server, the device's legitimacy authentication passes; otherwise, the device's legitimacy authentication fails.
Processor 32, coupled to the SIM card 30 and configured to store sensitive data, where the sensitive data is used to decrypt service data.
Optionally, the processor 32 is configured to send the SIM card a request to obtain the authentication ciphertext, and the SIM card is configured to generate the authentication ciphertext based on the first key and return it to the processor 32.
As shown in FIG. 3, in an optional embodiment, the terminal may further include: a communication module 34, configured to send the authentication ciphertext to the management server via the service server. The management server is configured to authenticate the authentication ciphertext and, after authentication passes, encrypt the sensitive data; and to send the second key corresponding to the first key and the encrypted sensitive data to the terminal via the service server, where the terminal uses the first key stored in the SIM card to authenticate the second key.
Optionally, the first key pre-written to the SIM card is sent to the SIM card in advance by the management server.
As another optional embodiment, the embodiments of the present application also provide another terminal. FIG. 4 is a schematic structural diagram of another terminal according to an embodiment of the present application. As shown in FIG. 4, the terminal includes:
Security module 40, configured to store a security key. Optionally, the security module may be a security chip, a SIM card with a built-in key, or the like.
Processor 42, coupled to the security module 42 and configured to store sensitive data, where the sensitive data is used to decrypt service data.
Optionally, as shown in FIG. 4, the terminal may further include a communication module 44, configured to receive the security key delivered by the management server.
FIG. 5 is a schematic diagram of a secure channel establishment flow according to an embodiment of the present application. As shown in FIG. 5, the flow includes the following processing steps:
Step S502: the service server sends an update request to the MCU in the terminal; the update request asks to update the sensitive data in the MCU.
Step S504: the MCU enables the sensitive data update function;
Step S506: the MCU sends the SIM card a request for the authentication ciphertext;
Step S508: the SIM card returns the authentication ciphertext to the MCU;
Step S510: the MCU uploads the authentication ciphertext to the service server and applies to update the sensitive data;
Step S512: the service server generates new sensitive data and sends the new sensitive data and the authentication ciphertext to the management server. The new sensitive data and the authentication ciphertext may be sent in separate messages or in one message; when sent in one message, they may be sent as two parameters of that message. When the new sensitive data and the authentication ciphertext are sent, a hash operation may be performed on them to obtain a hash value for subsequent authentication;
Step S514: the management server authenticates the authentication ciphertext and, after the authentication passes, encrypts the received sensitive data to obtain encrypted data;
Step S516: the management server sends the encrypted data to the service server;
Step S518: the service server sends the encrypted data to the MCU;
Step S520: the MCU calls the first key in the SIM card to perform decryption;
Step S522: the SIM card returns the decrypted sensitive data to the MCU;
Step S524: the MCU updates the sensitive data;
Step S526: the MCU disables the update function;
Step S528: the terminal sends a sensitive data update success message to the service server;
Step S530: the service data is encrypted using the sensitive data;
Step S532: the encrypted service data is sent to the MCU;
Step S534: the service data is decrypted.
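The FIG. 5 exchange (S506 to S524) as an added, runnable sketch; it is not code from the patent. The patent names no algorithms, so HMAC-SHA256 for the authentication ciphertext, the standard-library encrypt-then-MAC construction standing in for a real AEAD cipher, the replay counter, and every class, function and card name below are assumptions.

```python
import hashlib
import hmac
import secrets
import struct


def _mac(key, label, msg):
    """HMAC-SHA256 under a per-purpose subkey, so auth/enc/mac keys differ."""
    return hmac.new(hmac.new(key, label, hashlib.sha256).digest(), msg, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (assumed stand-in for a real cipher)."""
    blocks = range((length + 31) // 32)
    return b"".join(_mac(key, b"enc", nonce + struct.pack(">I", i)) for i in blocks)[:length]


def wrap(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _mac(key, b"mac", nonce + ct)


def unwrap(key, blob):
    """Check the tag before decrypting; ValueError on truncation or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _mac(key, b"mac", nonce + ct)):
        raise ValueError("encrypted data failed integrity check")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def _auth_tag(key, card_id, counter):
    return _mac(key, b"auth", card_id.encode() + struct.pack(">Q", counter))


class ManagementServer:
    """Holds the second key for each SIM (assumed equal to the first key)."""

    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def provision(self, card_id):
        """Random first key, written to the SIM in advance."""
        self._keys[card_id], self._last_counter[card_id] = secrets.token_bytes(32), 0
        return self._keys[card_id]

    def authenticate_and_encrypt(self, token, sensitive_data):
        """S514: encrypted data, or None when authentication fails."""
        card_id, counter, tag = token
        key = self._keys.get(card_id)
        if key is None or not hmac.compare_digest(tag, _auth_tag(key, card_id, counter)):
            return None
        if counter <= self._last_counter[card_id]:  # replay check (assumption)
            return None
        self._last_counter[card_id] = counter
        return wrap(key, sensitive_data)


class ServiceServer:
    """Generates the sensitive data; never holds the SIM key."""

    def __init__(self, management):
        self._management, self.sensitive_data = management, None

    def handle_update(self, token):
        """S512-S518: forward token plus new sensitive data, relay the result."""
        candidate = secrets.token_bytes(16)
        blob = self._management.authenticate_and_encrypt(token, candidate)
        if blob is not None:
            self.sensitive_data = candidate
        return blob


class SimCard:
    """The first key never leaves the card; only results cross the interface."""

    def __init__(self, card_id, first_key):
        self.card_id, self._first_key, self._counter = card_id, first_key, 0

    def authentication_ciphertext(self):
        """S506-S508: (card_id, counter, tag) keyed with the first key."""
        self._counter += 1
        return self.card_id, self._counter, _auth_tag(self._first_key, self.card_id, self._counter)

    def decrypt(self, blob):
        return unwrap(self._first_key, blob)  # S520-S522


def terminal_update(sim, service):
    """MCU side, S506-S524: returns the new sensitive data, or None if refused."""
    blob = service.handle_update(sim.authentication_ciphertext())  # S510
    return None if blob is None else sim.decrypt(blob)  # S520-S524


if __name__ == "__main__":
    mgmt = ManagementServer()
    sim = SimCard("sim-0001", mgmt.provision("sim-0001"))  # constructed card id
    print(terminal_update(sim, ServiceServer(mgmt)).hex())
```

The service server relays both directions without ever holding the SIM key, and a replayed or forged authentication ciphertext, or an encrypted blob modified in transit, is rejected before any sensitive data is stored.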
Based on the above embodiment, the key is combined with the SIM card: the key is securely preset on a SIM card production line whose security standard meets the requirements, which makes the key tamper-proof and gives it secure storage on the device side. Meanwhile, the management server stores the key securely in the cloud and provides devices with an online key usage service. The SIM card is already the network-access authentication carrier used by most devices, so combining the key with the SIM allows security keys to be managed without the manufacturer modifying existing product designs or building its own key system. In addition, the online server that stores the key can help the device with legitimacy authentication and with establishing a secure channel.
Embodiment 2
The method embodiment provided in Embodiment 1 of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. FIG. 6 shows a hardware block diagram of a computer terminal (or mobile device) for implementing the data processing method. As shown in FIG. 6, the computer terminal 60 may include one or more processors 602 (shown in the figure as 602a, 602b, ..., 602n; the processor 602 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 604 for storing data, and a transmission module 606 for communication functions. It may also include a display, an input/output interface (I/O interface), a universal serial bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply, and/or a camera. A person of ordinary skill in the art will understand that the structure shown in FIG. 6 is only illustrative and does not limit the structure of the above electronic device. For example, the computer terminal 60 may include more or fewer components than shown in FIG. 6, or have a configuration different from that shown in FIG. 6.
It should be noted that the one or more processors 602 and/or other data processing circuits described above may generally be referred to herein as "data processing circuits". A data processing circuit may be embodied in whole or in part as software, hardware, firmware, or any combination thereof. In addition, the data processing circuit may be a single independent processing module, or be incorporated in whole or in part into any of the other elements of the computer terminal 60 (or mobile device). As referred to in the embodiments of the present application, the data processing circuit acts as a kind of processor control (for example, selection of a variable-resistance termination path connected to the interface).
The memory 604 may be used to store software programs and modules of application software, such as the program instructions/data storage device corresponding to the methods in the embodiments of the present application. The processor 602 executes various functional applications and data processing by running the software programs and modules stored in the memory 604, thereby implementing the above-mentioned vulnerability detection method for an application. The memory 604 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 604 may further include memory located remotely from the processor 602, and such remote memory may be connected to the computer terminal 60 over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 606 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the computer terminal 60. In one example, the transmission device 606 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 606 may be a radio frequency (RF) module, which is used to communicate with the Internet wirelessly.
The display may be, for example, a touch-screen liquid crystal display (LCD), which enables a user to interact with the user interface of the computer terminal 60 (or mobile device).
FIG. 7 is a schematic flowchart of a data processing method according to an embodiment of the present application. As shown in FIG. 7, the computer terminal includes:
Step S702: the terminal generates authentication information according to the first key in the SIM card;
In an optional embodiment, the first key is a random value generated by the management server and delivered to the terminal.
Note that the authentication information may be an authentication ciphertext or an authentication message.
The time at which the first key is written to the SIM card can be determined flexibly according to the actual situation. For example, to keep the storage environment of the first key secure, the first key may be written on the SIM card production line: for instance, an application that communicates with the management server is installed on the SIM card, and the application receives the first key delivered by the management server and stores it. This ensures the security of the SIM card in the production stage. The first key may also be written when the SIM card number is programmed (that is, the writing of the first key is completed at the operator stage), or at the terminal production stage, that is, while the SIM card is being integrated into the terminal.
The terminal may obtain the authentication information actively, for example at scheduled times, or passively: for example, before obtaining the authentication information, the terminal receives a trigger message from the service server, and the trigger message triggers the terminal to obtain the authentication information. The trigger message includes, but is not limited to, a key update message.
In an optional embodiment, the MCU in the terminal receives the trigger message and, when the trigger message is a key update message, enables the key update function and triggers acquisition of the authentication information.
The terminal may obtain the authentication information as follows: the processor in the terminal sends the SIM card a request for the authentication information, and the SIM card returns the authentication information to the processor in response to the request.
Step S704: the terminal applies to the service server to obtain sensitive data, and sends the authentication information to the management server via the service server;
Note that when the terminal holds no sensitive data, the terminal applies to the service server to obtain the sensitive data; when the terminal already holds sensitive data, the terminal's application to obtain sensitive data can be understood as an application to the service server to update the sensitive data.
Step S706: the terminal receives the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key corresponding to the first key;
Step S708: the terminal decrypts the encrypted data according to the first key to obtain the sensitive data.
In an optional embodiment, after the terminal decrypts the encrypted data using the first key stored in the SIM card and stores the sensitive data obtained by decryption, the terminal receives service data sent by the service server, where the service data has been encrypted using the sensitive data; the terminal decrypts the service data using the stored sensitive data. Before the terminal receives the service data sent by the service server, the following may be performed: the terminal sends a notification message to the service server, the notification message indicating that the terminal has completed the key update; that is, the service server sends the service data after receiving the notification message. Of course, in an optional embodiment, the service server may also determine when to send the service data according to a preset rule; for example, the service server sends service data periodically according to a preset period.
Note that for preferred implementations of this embodiment, refer to the related description in Embodiment 1; details are not repeated here.
Embodiment 3
Based on the above system or terminal, an embodiment of the present application further provides a method embodiment for identity authentication. Note that the steps shown in the flowcharts of the drawings may be executed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in a different order.
An embodiment of the present application provides a data processing method. As shown in FIG. 8, the method includes:
Step S802: the terminal generates authentication information according to the first key in the SIM card.
Optionally, the first key is a random value generated by the management server and delivered to the terminal.
Note that the authentication information may be an authentication ciphertext or an authentication message.
Optionally, the SIM card may generate the authentication information (authentication message) actively and send it to the processor, or generate it passively. The latter may be implemented as follows: the processor in the terminal sends the SIM card a request for the authentication ciphertext information, and the SIM card returns the authentication information to the processor in response to the request.
Step S804: the terminal sends the authentication information to the management server via the service server.
Step S806: the management server authenticates the terminal according to the authentication information.
Through the above steps, the management server can authenticate the terminal. Because the authentication uses the authentication ciphertext generated with the first key in the terminal, the security of the authentication ciphertext during transmission can be ensured.
Note that for preferred implementations of this embodiment, refer to the related description in Embodiments 1-2; details are not repeated here.
Embodiment 4
An embodiment of the present application further provides another data processing method. As shown in FIG. 9, the method includes:
Step S902: the management server receives the authentication information forwarded by the terminal via the service server, where the authentication information is generated by the terminal based on the first key stored in the SIM card in the terminal;
Optionally, before the management server receives the authentication information forwarded by the terminal via the service server, the management server sends the first key to the SIM card of the terminal.
To keep the storage environment of the first key secure, the first key may be written on the SIM card production line. For example, the SIM card manufacturer installs an application on the SIM on a secure production line, and the first key is received and stored through that application. The first key may also be written when the SIM card number is programmed (that is, the writing of the first key is completed at the operator stage), or at the terminal production stage, that is, while the SIM card is being integrated into the terminal. The time at which the first key is written to the SIM card can be determined flexibly according to the actual situation and is not limited to the above writing times.
Step S904: the management server authenticates the authentication information. Optionally, when the authentication passes, the terminal is confirmed to be legitimate.
Note that for preferred implementations of this embodiment, refer to the related description in Embodiments 1-2; details are not repeated here.
Embodiment 5
An embodiment of the present application provides a data processing method. As shown in FIG. 10, the method includes:
Step S1002: the terminal receives the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using the second key; the second key is the key corresponding to the first key stored in the SIM card in the terminal.
In an optional embodiment, the first key and the second key may be the same key, or may be corresponding keys.
Step S1004: the terminal decrypts the encrypted data using the first key and stores the sensitive data obtained by decryption.
Note that for preferred implementations of this embodiment, refer to the related description in Embodiments 1-2; details are not repeated here.
Embodiment 6
This embodiment further provides a method for producing a SIM card. As shown in FIG. 11, the method includes:
Step S1102: start the application on the subscriber identity module (SIM) card;
To keep the storage environment of the first key secure, the first key may be written on the SIM card production line. For example, the SIM card manufacturer installs an application on the SIM on a secure production line, and the first key is received and stored through that application. The first key may also be written when the SIM card number is programmed (that is, the writing of the first key is completed at the operator stage), or at the terminal production stage, that is, while the SIM card is being integrated into the terminal. The time at which the first key is written to the SIM card can be determined flexibly according to the actual situation and is not limited to the above writing times.
Step S1104: the application receives the security key delivered by the management server and stores it in the SIM card.
In an optional embodiment, the management server may be a server on the network side, or a server in a cloud network. Specifically, one or more management servers may form a cloud platform, which is used to provide the first key and the second key, where the first key and the second key may be the same key or keys that have a corresponding relationship.
Embodiment 7
This embodiment further provides a data processing method. As shown in FIG. 12, the method includes:
Step S1202: the terminal generates authentication information according to the first key in the security module;
In an optional embodiment, the security module may be, but is not limited to, a SIM card, and the first key is a random value generated by the management server and delivered to the terminal.
Step S1204: the terminal applies to the service server to obtain sensitive data, and sends the authentication information to the management server via the service server;
Step S1206: the terminal receives the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using the second key corresponding to the first key;
Step S1208: the terminal decrypts the encrypted data according to the first key to obtain the sensitive data.
Note that for preferred implementations of this embodiment, refer to the related description in Embodiments 1-2; details are not repeated here.
Embodiment 8
This embodiment further provides an identity authentication method. As shown in FIG. 13, the method includes:
Step S1302: the terminal generates authentication information according to the first key in the security module;
In an optional embodiment, the security module may be, but is not limited to, a SIM card.
Optionally, the first key is a random value generated by the management server and delivered to the terminal.
Note that the authentication information may be an authentication ciphertext or an authentication message.
Optionally, the SIM card may generate the authentication information actively and send it to the processor, or generate it passively. The latter may be implemented as follows: the processor in the terminal sends the SIM card a request for the authentication information, and the SIM card returns the authentication information to the processor in response to the request.
Step S1304: the terminal sends the authentication information to the management server via the service server;
Step S1306: the management server authenticates the terminal according to the authentication information.
Through the above steps, the management server can authenticate the terminal. Because the authentication uses the authentication ciphertext generated with the first key in the terminal, the security of the authentication ciphertext during transmission can be ensured.
Note that for preferred implementations of this embodiment, refer to the related description in Embodiments 1-2; details are not repeated here.
Embodiment 9
This embodiment further provides an identity authentication method. As shown in FIG. 14, the method includes:
Step S1402: the management server receives the authentication information forwarded by the terminal via the service server, where the authentication information is generated by the terminal based on the first key stored in the security module in the terminal;
In an optional embodiment, the security module may be, but is not limited to, a SIM card.
Optionally, before the management server receives the authentication information forwarded by the terminal via the service server, the management server sends the first key to the SIM card of the terminal.
To keep the storage environment of the first key secure, the first key may be written on the SIM card production line. For example, the SIM card manufacturer installs an application on the SIM on a secure production line, and the first key is received and stored through that application. The first key may also be written when the SIM card number is programmed (that is, the writing of the first key is completed at the operator stage), or at the terminal production stage, that is, while the SIM card is being integrated into the terminal. The time at which the first key is written to the SIM card can be determined flexibly according to the actual situation and is not limited to the above writing times.
Step S1404: the management server authenticates the authentication information. Optionally, when the authentication passes, the terminal is confirmed to be legitimate.
Note that for preferred implementations of this embodiment, refer to the related description in Embodiments 1-2; details are not repeated here.
Embodiment 10
This embodiment further provides a data processing method. As shown in FIG. 15, the method includes:
Step S1502: the terminal receives the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using the second key; the second key is the key corresponding to the first key stored in the security module in the terminal;
In an optional embodiment, the security module may be, but is not limited to, a SIM card.
In an optional embodiment, the first key and the second key may be the same key, or may be corresponding keys.
Step S1504: the terminal decrypts the encrypted data using the first key and stores the sensitive data obtained by decryption.
Note that for preferred implementations of this embodiment, refer to the related description in Embodiments 1-2; details are not repeated here.
Note that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but a person skilled in the art should know that the present application is not limited by the described order of actions, because according to the present application some steps may be performed in other orders or simultaneously. A person skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present application.
From the description of the above implementations, a person skilled in the art can clearly understand that the methods of the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, or by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes several instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to execute the methods of the embodiments of the present application.
A person of ordinary skill in the art can understand that all or some of the steps of the methods in the above embodiments may be completed by a program instructing hardware related to the terminal device. The program may be stored in a computer-readable storage medium, and the storage medium may include a flash drive, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or the like.
Embodiment 11
An embodiment of the present application further provides a storage medium. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the data processing method provided in Embodiment 2 above.
Optionally, in this embodiment, the storage medium may be located in any computer terminal of a group of computer terminals in a computer network, or in any mobile terminal of a group of mobile terminals.
In this embodiment, the storage medium is configured to store program code for performing the following steps: the terminal obtains an authentication ciphertext, where the authentication ciphertext is a ciphertext generated based on the first key stored in the SIM card in the terminal; the terminal applies to the service server to update the sensitive data, and sends the authentication ciphertext to the management server via the service server; the terminal receives the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using the second key corresponding to the first key; the terminal decrypts the encrypted data using the first key stored in the SIM card and stores the sensitive data obtained by decryption.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following step: before the terminal obtains the authentication ciphertext, the terminal receives a trigger message from the service server, where the trigger message is used to trigger the terminal to obtain the authentication ciphertext.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following step: the MCU in the terminal receives the trigger message and, when the trigger message is a key update message, enables the key update function and triggers acquisition of the authentication ciphertext.
Embodiment 12
An embodiment of the present application further provides a processor. Optionally, in this embodiment, the processor may be used to execute program code that implements the data processing method provided in Embodiment 2 above.
Optionally, in this embodiment, the processor may be located in any computer terminal in a group of computer terminals in a computer network, or in any mobile terminal in a group of mobile terminals.
In this embodiment, the processor is configured to execute program code for the following steps: the terminal obtains an authentication ciphertext, where the authentication ciphertext is a ciphertext generated based on the first key stored in the SIM card of the terminal; the terminal applies to the service server to update sensitive data, and sends the authentication ciphertext to the management server via the service server; the terminal receives encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server with a second key corresponding to the first key; and the terminal decrypts the encrypted data using the first key stored in the SIM card, and stores the sensitive data obtained by decryption.
Optionally, in this embodiment, the processor is configured to execute program code for the following step: before the terminal obtains the authentication ciphertext, the terminal receives a trigger message from the service server, where the trigger message is used to trigger the terminal to obtain the authentication ciphertext.
Optionally, in this embodiment, the processor is configured to execute program code for the following step: the MCU in the terminal receives the trigger message and, when the trigger message is a key update message, enables the key update function and triggers obtaining of the authentication ciphertext.
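The update flow that Embodiments 11 and 12 describe, as an added Python example that is not code from the patent. The text names no algorithms, so everything here is an assumption: HMAC-SHA256 over the card ID and a one-time challenge serves as the authentication ciphertext, the trigger message carries that challenge, the second key equals the first key, an HMAC-based encrypt-then-MAC construction stands in for an AEAD such as AES-GCM, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _sub(key: bytes, label: bytes) -> bytes:
    """Derive a per-purpose subkey so one key never serves two roles."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode (assumed stdlib stand-in for a real AEAD)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject tampering or a wrong key."""
    if len(blob) < 48:
        raise ValueError("truncated blob")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    ks = _stream(_sub(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

class SimCard:
    """Holds the first key; the terminal's processor only sees results."""
    def __init__(self, card_id: bytes, first_key: bytes):
        self.card_id, self._key = card_id, first_key

    def auth_ciphertext(self, challenge: bytes) -> bytes:
        return hmac.new(_sub(self._key, b"auth"), self.card_id + challenge, hashlib.sha256).digest()

    def decrypt(self, blob: bytes) -> bytes:
        return unseal(self._key, blob)

class ManagementServer:
    def __init__(self):
        self._keys, self._pending = {}, {}

    def provision(self, card_id: bytes) -> SimCard:
        key = secrets.token_bytes(32)      # random value written as the first key
        self._keys[card_id] = key          # assumption: second key == first key
        return SimCard(card_id, key)

    def challenge(self, card_id: bytes) -> bytes:
        self._pending[card_id] = secrets.token_bytes(16)   # assumed freshness value
        return self._pending[card_id]

    def authenticate_and_encrypt(self, card_id, auth, sensitive):
        key = self._keys.get(card_id)
        chal = self._pending.pop(card_id, None)            # single use blocks replay
        if key is None or chal is None:
            return None
        want = hmac.new(_sub(key, b"auth"), card_id + chal, hashlib.sha256).digest()
        return seal(key, sensitive) if hmac.compare_digest(auth, want) else None

class ServiceServer:
    """Supplies the sensitive data and relays messages in both directions."""
    def __init__(self, mgmt: ManagementServer, sensitive: bytes):
        self.mgmt, self.sensitive = mgmt, sensitive

    def trigger(self, card_id: bytes) -> bytes:
        return self.mgmt.challenge(card_id)

    def update_request(self, card_id: bytes, auth: bytes):
        return self.mgmt.authenticate_and_encrypt(card_id, auth, self.sensitive)

def run_update(sim: SimCard, svc: ServiceServer):
    """Terminal side: trigger, authenticate, receive, decrypt via the SIM."""
    chal = svc.trigger(sim.card_id)
    blob = svc.update_request(sim.card_id, sim.auth_ciphertext(chal))
    return None if blob is None else sim.decrypt(blob)
```

Because the challenge is consumed on first use, a captured authentication ciphertext cannot be replayed to obtain a second encrypted copy of the sensitive data.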
The serial numbers of the foregoing embodiments of the present application are for description only and do not indicate the relative merits of the embodiments.
In the foregoing embodiments of the present application, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, refer to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technical content may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units, or modules, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as a standalone product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present application. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, or an optical disc.
The above are only preferred implementations of the present application. It should be noted that a person of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present application, and these improvements and refinements shall also be regarded as falling within the scope of protection of the present application.

Claims (25)

  1. A data processing system, characterized by comprising:
    a terminal provided with a subscriber identity module (SIM) card, the SIM card storing a first key, the terminal being configured to send an authentication ciphertext generated based on the first key to a service server;
    the service server, configured to provide sensitive data and send the sensitive data to a management server;
    the management server, configured to authenticate the authentication ciphertext and, after the authentication succeeds, encrypt the sensitive data using a second key corresponding to the first key, and to send the encrypted sensitive data to the terminal via the service server, wherein the terminal decrypts the encrypted sensitive data using the first key stored in the SIM card.
  2. The system according to claim 1, characterized in that the management server is further configured to generate a random value and send the random value to the terminal as the first key.
  3. A terminal, characterized by comprising:
    a subscriber identity module (SIM) card, configured to store a pre-written first key, the first key being used to generate an authentication ciphertext;
    a processor, coupled to the SIM card and configured to store sensitive data.
  4. The terminal according to claim 3, characterized in that the processor is configured to send to the SIM card a request for obtaining the authentication ciphertext; and the SIM card is configured to generate the authentication ciphertext based on the first key and feed it back to the processor.
  5. The terminal according to claim 4, characterized in that the terminal further comprises:
    a communication module, configured to send the authentication ciphertext to a management server via a service server, and to receive encrypted data sent by the management server via the service server, wherein the encrypted data is obtained by the management server encrypting the sensitive data using a second key corresponding to the first password;
    the processor invokes the first key stored in the SIM card to decrypt the encrypted data.
  6. The terminal according to claim 5, characterized in that the first key pre-written in the SIM card is sent to the SIM card in advance by the management server during production of the SIM card.
  7. A data processing method, characterized by comprising:
    generating, by a terminal, authentication information according to a first key in a SIM card;
    applying, by the terminal, to a service server to obtain sensitive data, and sending the authentication information to a management server via the service server;
    receiving, by the terminal, encrypted data sent by the management server via the service server, wherein the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key corresponding to the first key;
    decrypting, by the terminal, the encrypted data according to the first key to obtain the sensitive data.
  8. The method according to claim 7, characterized in that the first key is a random value generated by the management server and delivered to the terminal.
  9. The method according to claim 7, characterized in that, before the terminal generates the authentication information according to the first key in the SIM card, the method further comprises:
    receiving, by the terminal, a trigger message from the service server, the trigger message being used to trigger the terminal to obtain the authentication information.
  10. The method according to claim 7, characterized in that generating, by the terminal, the authentication information according to the first key in the SIM card comprises:
    sending, by a processor in the terminal, a request for obtaining the authentication information to the SIM card;
    feeding back, by the SIM card, the authentication information to the processor according to the request.
  11. The method according to claim 7, characterized in that, after the terminal decrypts the encrypted data using the first key stored in the SIM card and stores the sensitive data obtained by decryption, the method further comprises:
    receiving, by the terminal, service data sent by the service server, wherein the service data is service data encrypted using the sensitive data;
    decrypting, by the terminal, the service data using the stored sensitive data.
  12. The method according to claim 11, characterized in that, before the terminal receives the service data sent by the service server, the method further comprises:
    sending, by the terminal, a notification message to the service server, the notification message being used to indicate that the terminal has completed the key update.
  13. A storage medium, characterized in that the storage medium comprises a stored program, wherein, when the program runs, a device in which the storage medium is located is controlled to perform the data processing method according to any one of claims 7 to 12.
  14. A processor, characterized in that the processor is configured to run a program, wherein the program, when running, performs the data processing method according to any one of claims 7 to 12.
  15. A method for producing a SIM card, characterized by comprising:
    starting an application on a subscriber identity module (SIM) card;
    receiving, through the application, a security key delivered by a management server, and storing the security key in the SIM card.
  16. An identity authentication method, characterized by comprising:
    generating, by a terminal, authentication information according to a first key in a SIM card;
    sending, by the terminal, the authentication information to a management server via a service server;
    authenticating, by the management server, the terminal according to the authentication information.
  17. The method according to claim 16, characterized in that the first key is a random value generated by the management server and delivered to the terminal.
  18. The method according to claim 16, characterized in that generating, by the terminal, the authentication information according to the first key in the SIM card comprises:
    sending, by a processor in the terminal, a request for obtaining the authentication information to the SIM card;
    feeding back, by the SIM card, the authentication information to the processor according to the request.
  19. An identity authentication method, characterized by comprising:
    receiving, by a management server, an authentication ciphertext forwarded by a terminal via a service server, wherein the authentication information is generated by the terminal based on a first key stored in a SIM card in the terminal;
    authenticating, by the management server, the authentication information.
  20. The method according to claim 19, characterized in that, before the management server receives the authentication information forwarded by the terminal via the service server, the method further comprises:
    sending, by the management server, the first key to the SIM card of the terminal.
  21. A data processing method, characterized by comprising:
    receiving, by a terminal, encrypted data sent by a management server via a service server, wherein the encrypted data is obtained by the management server encrypting sensitive data provided by the service server using a second key, and the second key is a key corresponding to a first key stored in a subscriber identity module (SIM) card in the terminal;
    decrypting, by the terminal, the encrypted data using the first key, and storing the sensitive data obtained by decryption.
  22. A data processing method, characterized by comprising:
    generating, by a terminal, authentication information according to a first key in a security module;
    applying, by the terminal, to a service server to obtain sensitive data, and sending the authentication information to a management server via the service server;
    receiving, by the terminal, encrypted data sent by the management server via the service server, wherein the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key corresponding to the first key;
    decrypting, by the terminal, the encrypted data according to the first key to obtain the sensitive data.
  23. An identity authentication method, characterized by comprising:
    generating, by a terminal, authentication information according to a first key in a security module;
    sending, by the terminal, the authentication information to a management server via a service server;
    authenticating, by the management server, the terminal according to the authentication information.
  24. An identity authentication method, characterized by comprising:
    receiving, by a management server, authentication information forwarded by a terminal via a service server, wherein the authentication information is generated by the terminal based on a first key stored in a security module in the terminal;
    authenticating, by the management server, the authentication information.
  25. A data processing method, characterized by comprising:
    receiving, by a terminal, encrypted data sent by a management server via a service server, wherein the encrypted data is obtained by the management server encrypting sensitive data provided by the service server using a second key, and the second key is a key corresponding to a first key stored in a security module in the terminal;
    decrypting, by the terminal, the encrypted data using the first key, and storing the sensitive data obtained by decryption.
PCT/CN2018/104763 2017-09-19 2018-09-10 Data processing and identity authentication methods and systems, and terminal WO2019056957A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710852631.X 2017-09-19
CN201710852631.XA CN109525989B (en) 2017-09-19 2017-09-19 Data processing and identity authentication method and system, and terminal

Publications (1)

Publication Number Publication Date
WO2019056957A1 (en) 2019-03-28

Family

ID=65769614

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/104763 WO2019056957A1 (en) 2017-09-19 2018-09-10 Data processing and identity authentication methods and systems, and terminal

Country Status (2)

Country Link
CN (1) CN109525989B (en)
WO (1) WO2019056957A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112668032B (en) * 2021-03-16 2021-06-04 四川微巨芯科技有限公司 Method and system for encrypting and decrypting computer, server and mobile equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103763631A (en) * 2014-01-07 2014-04-30 青岛海信信芯科技有限公司 Authentication method, server and television
CN106603234A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Method, device and system for device identity authentication
CN106992956A (en) * 2016-01-21 2017-07-28 阿里巴巴集团控股有限公司 A kind of methods, devices and systems for realizing inter-device authentication
CN107026727A (en) * 2016-02-02 2017-08-08 阿里巴巴集团控股有限公司 A kind of methods, devices and systems for setting up communication between devices

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7644272B2 (en) * 2004-10-22 2010-01-05 Broadcom Corporation Systems and methods for providing security to different functions
CN100531365C (en) * 2007-07-09 2009-08-19 中国联合网络通信集团有限公司 IPTV authentication and authorization method, server and system
CN101170765B (en) * 2007-11-23 2012-08-08 东信和平智能卡股份有限公司 Generation and authentication method for telecommunication intelligent card
CN101583124B (en) * 2009-06-10 2011-06-15 大唐微电子技术有限公司 Authentication method and system of subscriber identity module and terminal
CN102378174A (en) * 2010-08-25 2012-03-14 大唐移动通信设备有限公司 Access method, device and system of user terminal of SIM (Subscriber Identity Module) card
US9350550B2 (en) * 2013-09-10 2016-05-24 M2M And Iot Technologies, Llc Power management and security for wireless modules in “machine-to-machine” communications
CN103747443B (en) * 2013-11-29 2017-03-15 厦门盛华电子科技有限公司 One kind is based on cellphone subscriber's identification card Multi-security domain device and its method for authenticating
CN104683979B (en) * 2013-12-02 2018-11-23 中国移动通信集团公司 A kind of authentication method and equipment
CN104506481A (en) * 2014-08-05 2015-04-08 深圳市财富之舟科技有限公司 Authentication method of mobile communication network
CN105704092A (en) * 2014-11-25 2016-06-22 卓望数码技术(深圳)有限公司 User identity authentication method, device and system
CN105245526B (en) * 2015-10-19 2018-06-19 中国联合网络通信集团有限公司 Call the method and apparatus of SIM card application

Also Published As

Publication number Publication date
CN109525989B (en) 2022-09-02
CN109525989A (en) 2019-03-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18859848; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18859848; Country of ref document: EP; Kind code of ref document: A1)