WO2019056957A1 - Data processing and identity authentication methods and systems, and terminal - Google Patents

Info

Publication number
WO2019056957A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
key
sim card
management server
data
Prior art date
Application number
PCT/CN2018/104763
Other languages
English (en)
Chinese (zh)
Inventor
杨涛
姜金龙
董侃
Original Assignee
阿里巴巴集团控股有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司
Publication of WO2019056957A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183 Processing at user equipment or user record carrier

Definitions

  • The present application relates to the field of authentication, and in particular to data processing and identity authentication methods and systems, and to a terminal.
  • The traditional Internet of Things (IoT) device security method is to store keys in a plug-in security carrier or directly in a Micro Controller Unit (MCU).
  • The external security carrier requires the manufacturer to change the hardware design, which increases cost; a key stored directly in the MCU lacks the protection of a secure storage environment and is easily stolen by an attacker.
  • The embodiments of the present application provide data processing and identity authentication methods, a system, and a terminal, so as to solve at least the technical problem that security authentication schemes in the related technology cannot meet the requirements of both cost and high security.
  • A data processing system, including: a terminal provided with a Subscriber Identification Module (SIM) card, where the SIM card stores a first key and the terminal is configured to send an authentication ciphertext generated from the first key to a service server; the service server, configured to provide sensitive data and send the sensitive data to a management server; and the management server, configured to authenticate the authentication ciphertext and, after the authentication passes, encrypt the sensitive data with a second key corresponding to the first key and send the encrypted sensitive data to the terminal via the service server, where the terminal decrypts the encrypted sensitive data using the first key stored in the SIM card.
  • A terminal, including: a SIM card configured to store a pre-written first key, where the first key is used to generate an authentication ciphertext; and a processor coupled to the SIM card for storing sensitive data.
  • Another terminal, including: a security module configured to store a security key; and a processor coupled to the security module for storing sensitive data.
  • A data processing method, including: a terminal generating authentication information according to a first key in a SIM card; the terminal applying to the service server to acquire sensitive data, and sending the authentication information to the management server via the service server; the terminal receiving the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key corresponding to the first key; and the terminal decrypting the encrypted data according to the first key to obtain the sensitive data.
  • A storage medium that includes a stored program, where, when the program runs, the device on which the storage medium is located is controlled to execute the data processing method described above.
  • A processor for running a program, where the program, when run, executes the data processing method described above.
  • A method for manufacturing a SIM card, including: starting an application on a Subscriber Identification Module (SIM) card; and receiving, by the application, a security key delivered by a management server and storing it on the SIM card.
  • An identity authentication method, including: a management server receiving an authentication ciphertext forwarded by a terminal via a service server, where the authentication ciphertext is generated based on the first key stored in the SIM card in the terminal; and the management server authenticating the authentication ciphertext.
  • A data processing method, including: a terminal receiving encrypted data sent by a management server via a service server, where the encrypted data is obtained by the management server encrypting, with a second key, the sensitive data provided by the service server, and the second key is a key corresponding to the first key stored in the SIM card in the terminal; and the terminal decrypting the encrypted data using the first key and storing the decrypted sensitive data.
  • A data processing method, including: a terminal generating authentication information according to a first key in a security module; the terminal applying to the service server to acquire sensitive data, and sending the authentication information to the management server via the service server; the terminal receiving the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key corresponding to the first key; and the terminal decrypting the encrypted data according to the first key to obtain the sensitive data.
  • An identity authentication method, including: a terminal generating authentication information according to a first key in a security module; the terminal sending the authentication information to a management server via a service server; and the management server authenticating the terminal according to the authentication information.
  • An identity authentication method, including: a management server receiving authentication information forwarded by a terminal via a service server, where the authentication information is generated by the terminal based on a first key stored by a security module in the terminal; and the management server authenticating the authentication information.
  • A data processing method, including: a terminal receiving encrypted data sent by a management server via a service server, where the encrypted data is obtained by the management server encrypting, with a second key, the sensitive data provided by the service server, and the second key is a key corresponding to the first key stored in the security module in the terminal; and the terminal decrypting the encrypted data using the first key and storing the decrypted sensitive data.
  • The SIM card pre-written with the first key and the management server are used to implement legality authentication and the establishment of a secure channel. Since the first key in the SIM card is pre-written, for example on the production line of the SIM card, the security of the key during storage is ensured, and a secure channel is established based on the authentication message, which further enhances the security of the authentication and thereby solves the technical problem that security authentication schemes in the related technology cannot meet the requirements of both cost and high security.
  • FIG. 1 is a schematic structural diagram of a data processing system according to an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a SIM card application process according to an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a terminal according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of another terminal according to an embodiment of the present application.
  • FIG. 5 is a schematic diagram of a process for establishing a secure channel according to an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a computer terminal according to an embodiment of the present application.
  • FIG. 7 is a schematic flowchart diagram of a data processing method according to an embodiment of the present application.
  • FIG. 8 is a schematic flowchart diagram of another identity authentication method according to an embodiment of the present application.
  • FIG. 9 is a schematic flowchart of an identity authentication method according to an embodiment of the present application.
  • FIG. 10 is a schematic flowchart diagram of another data processing method according to an embodiment of the present application.
  • FIG. 11 is a schematic flow chart of a method for manufacturing a SIM card according to an embodiment of the present application.
  • FIG. 12 is a schematic flowchart diagram of another data processing method according to an embodiment of the present application.
  • FIG. 13 is a schematic flowchart diagram of another identity authentication method according to an embodiment of the present application.
  • FIG. 14 is a schematic flowchart diagram of another identity authentication method according to an embodiment of the present application.
  • FIG. 15 is a schematic flowchart diagram of another data processing method according to an embodiment of the present application.
  • The trusted platform module is a device that can independently generate keys and perform encryption and decryption. It has an independent processor and storage unit, which can store keys and feature data and provide encryption and security authentication services for the computer.
  • Security key: data encrypted with the public key can only be decrypted with the private key. Conversely, data encrypted with the private key can only be decrypted with the public key.
  • Sensitive data refers to all information whose improper use, or unauthorized access or modification, would harm the public interest or the personal privacy that individuals are entitled to.
  • When a key is stored, it is often stored in a security carrier or in an MCU.
  • The external security carrier requires the design of the device to be modified, which increases the cost, while a key stored in the MCU is easily cracked.
  • The storage environment is not secure.
  • The embodiments of the present application combine the key with the SIM card, and the key is securely pre-made on a SIM card production line that meets the EAL4+ security standard, so that a key that cannot be modified is securely stored on the device side.
  • The management server securely stores keys on the cloud platform and provides online key usage services for the devices.
  • the embodiment of the present application provides a data processing system. As shown in FIG. 1, the system includes:
  • the terminal 10 is provided with a SIM card, and the SIM card stores a first key, and the terminal is configured to send the authentication ciphertext generated based on the first key to the service server;
  • The structure of the terminal 10 includes, but is not limited to: a SIM card slot in which a SIM card is installed, and a processor coupled to the SIM card for storing sensitive data.
  • the processor includes but is not limited to a micro control unit (MCU).
  • the first key may be written on the production line of the SIM card.
  • Step S202 an application is installed in the SIM card, where the installation can be performed by the SIM card manufacturer on a secure production line;
  • Step S204 the key data is burned: secure writing of the key data is implemented by docking with the cloud platform;
  • Step S206 the operator burns the SIM card number;
  • Step S208 the SIM card is integrated with the terminal: on the side of the terminal manufacturer, the SIM card into which the key data has been written is used.
  • Terminal docking with the management server: during use, by accessing the online server (i.e., the management server 14), the terminal can use the SIM card integrated in the device to establish a secure link from the cloud to the device.
  • The first key may also be written when the SIM card number is programmed (that is, the first key is written at the operator stage); the first key may also be written at the terminal production stage, that is, the first key is written in the process of integrating the SIM card into the terminal.
  • The timing at which the first key is written to the SIM card can be flexibly determined according to actual conditions, and is not limited to the above-mentioned writing timings.
  • The foregoing terminal includes, but is not limited to, a smart mobile terminal, a tablet computer, and the like.
  • the service server 12 is configured to provide sensitive data and send the sensitive data to the management server.
  • The service server is configured to provide specific service data, for example, service data related to shared bicycles.
  • The service server sends the service data to the management server; after the management server encrypts it, the encrypted service data is sent to the terminal, which realizes secure transmission of the service data.
  • The sensitive data may be the user's private information data, such as the user's communication number, communication records, pictures and videos; it may also be user rights information data, such as a login password or payment password, but is not limited to these. The sensitive data may include all information whose improper or unauthorized access or modification by others would be detrimental to the public interest or to the personal privacy rights that individuals enjoy by law.
  • The management server 14 is configured to authenticate the authentication ciphertext and, after the authentication passes, encrypt the sensitive data with the second key, where the second key corresponds to the first key; the encrypted sensitive data is transmitted to the terminal via the service server, where the terminal decrypts the encrypted sensitive data using the first key stored in the SIM card.
  • the management server 14 may be a server on the network side or a server in the cloud network.
  • One or more management servers 14 may be configured to provide a cloud platform, where the cloud platform is configured to provide the first key and the second key; the first key and the second key may be the same key, or keys with a corresponding relationship.
  • the processor in the terminal includes an MCU, but is not limited thereto.
  • the structure of the terminal 10 can be as shown in FIG. 3.
  • the terminal includes:
  • SIM card 30 configured to store a pre-written first key, where the first key is used to generate an authentication ciphertext
  • the SIM card is the Internet authentication carrier adopted by most devices.
  • the security key can be managed without the manufacturer modifying the existing product design or constructing the key system.
  • The online server that uses the key helps the device to perform legality authentication and secure channel establishment.
  • One or more legality judgment standards may be pre-stored on the online server. The legality judgment standard may be one or more keys of a device whose accuracy and security have been determined; specifically, the one or more keys are set in correspondence with the device, and can be managed and updated online by the online server.
  • If the key input by the device is consistent with the key stored for the device in the online server, it is determined that the legality authentication of the device passes; otherwise, it is determined that the legality authentication of the device does not pass.
  • The processor 32 is coupled to the SIM card 30 for storing sensitive data, where the sensitive data is used to decrypt the service data.
  • The processor 32 is configured to send a request for acquiring the authentication ciphertext to the SIM card, where the SIM card is configured to generate the authentication ciphertext based on the first key and feed it back to the processor 32.
  • The terminal may further include a communication module 34, configured to send the authentication ciphertext to the management server via the service server, where the management server is configured to authenticate the authentication ciphertext and, after the authentication passes, encrypt the sensitive data, and to send the second key corresponding to the first key and the encrypted sensitive data to the terminal via the service server, where the terminal authenticates the second key using the first key stored in the SIM card.
  • The first key pre-written in the SIM card is delivered by the management server to the SIM card in advance.
  • FIG. 4 is a schematic structural diagram of another terminal according to an embodiment of the present application. As shown in FIG. 4, the terminal includes:
  • the security module 40 is configured to store a security key.
  • the security module may be a security chip or a SIM card with a built-in key.
  • The processor 42 is coupled to the security module 40 for storing sensitive data, where the sensitive data is used to decrypt the service data.
  • the terminal may further include a communication module 44, configured to receive the foregoing security key delivered by the management server.
  • FIG. 5 is a schematic diagram of a process of establishing a secure channel according to an embodiment of the present application. As shown in Figure 5, the process includes the following processing steps:
  • Step S502 the service server sends an update request to the MCU in the terminal, where the update request is used to request to update the sensitive data in the MCU.
  • Step S504 the MCU enables the update function of the sensitive data
  • Step S506 the MCU sends a request for obtaining the authentication ciphertext to the SIM card;
  • Step S508 the SIM card returns the authentication ciphertext to the MCU;
  • Step S510 the MCU uploads the authentication ciphertext to the service server, and applies for updating the sensitive data.
  • Step S512 the service server generates new sensitive data, and sends the new sensitive data and the authentication ciphertext to the management server. The new sensitive data and the authentication ciphertext can be sent in separate messages or in a single message; when a single message is used, they can be sent as two parameters of that message. When the new sensitive data and the authentication ciphertext are sent, they may be hashed to obtain a hash value for subsequent authentication;
  • Step S514 the management server authenticates the authentication ciphertext, and after the authentication is passed, encrypts the received sensitive data to obtain encrypted data.
  • Step S520 the MCU calls the SIM card to decrypt the encrypted data with the first key in the SIM card;
  • Step S522 the SIM card feeds back the decrypted sensitive data to the MCU;
  • Step S524 the MCU updates the sensitive data
  • Step S530 the service server uses the sensitive data to encrypt the service data.
  • Step S532 sending the encrypted service data to the MCU
  • Step S534 decrypting the service data.
  • The key is combined with the SIM card, and the key is securely pre-made on a SIM card production line whose security standard meets the requirements, so that the key cannot be modified and is securely stored on the device side.
  • The management server securely stores keys on the cloud and provides online key usage services for the devices. Since the SIM card is already the Internet authentication carrier used by most devices, combining the key with the SIM card enables management of the security key without the manufacturer modifying the existing product design or constructing a key system. At the same time, the online server storing the key can help the device with legality authentication and secure channel establishment.
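The update exchange of FIG. 5 (steps S506 to S534), sketched as an added example that is not part of the patent text. The patent does not specify how the authentication ciphertext or the encryption is constructed, so this sketch assumes an HMAC over a device id and a monotonic counter (which lets the management server reject a replayed authentication ciphertext), identical first and second keys, and an HMAC-based encrypt-then-MAC construction standing in for an AEAD cipher; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (unambiguous encoding)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_prf(key, nonce, i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; a stdlib stand-in (assumption) for an AEAD such as AES-GCM."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_prf(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + _prf(_prf(key, b"mac"), nonce, body)


def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce, body)):
        raise ValueError("integrity check failed")
    stream = _keystream(_prf(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class SimCard:
    """Holds the first key; the MCU only ever sees the card's outputs."""

    def __init__(self, device_id: bytes, first_key: bytes):
        self.device_id = device_id
        self._first_key = first_key
        self._counter = 0

    def auth_ciphertext(self):
        """S506/S508. Assumed form: (device id, counter, HMAC over both)."""
        self._counter += 1
        tag = _prf(self._first_key, b"auth", self.device_id,
                   self._counter.to_bytes(8, "big"))
        return self.device_id, self._counter, tag

    def decrypt(self, blob: bytes) -> bytes:
        """S520/S522: decryption happens inside the card with the first key."""
        return unseal(self._first_key, blob)


class ManagementServer:
    def __init__(self):
        self._keys = {}       # device id -> second key (same value as first key here)
        self._last_seen = {}  # device id -> highest counter accepted so far

    def provision(self, device_id: bytes) -> SimCard:
        """The first key is a random value generated here and written to the SIM."""
        key = secrets.token_bytes(32)
        self._keys[device_id], self._last_seen[device_id] = key, 0
        return SimCard(device_id, key)

    def authenticate_and_encrypt(self, auth, sensitive: bytes) -> bytes:
        """S514: authenticate, then encrypt the sensitive data with the second key."""
        device_id, counter, tag = auth
        key = self._keys.get(device_id)
        if key is None or not 0 < counter < 2**64:
            raise PermissionError("unknown device or malformed counter")
        expected = _prf(key, b"auth", device_id, counter.to_bytes(8, "big"))
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("authentication ciphertext rejected")
        if counter <= self._last_seen[device_id]:
            raise PermissionError("replayed authentication ciphertext")
        self._last_seen[device_id] = counter
        return seal(key, sensitive)


def update_sensitive_data(sim: SimCard, mgmt: ManagementServer):
    """Steps S506-S524; returns (terminal copy, service-server copy, auth used)."""
    auth = sim.auth_ciphertext()                    # S506-S510: MCU uploads it
    new_sensitive = secrets.token_bytes(16)         # S512: service server generates
    blob = mgmt.authenticate_and_encrypt(auth, new_sensitive)  # S514
    # The service server only relays blob; it never holds the first or second key.
    return sim.decrypt(blob), new_sensitive, auth   # S520-S524


if __name__ == "__main__":
    mgmt = ManagementServer()
    sim = mgmt.provision(b"constructed-device-0001")  # constructed sample id
    terminal_copy, server_copy, auth = update_sensitive_data(sim, mgmt)
    # S530-S534: service data is protected with the freshly delivered sensitive data.
    service_blob = seal(server_copy, b"constructed service payload")
    print(unseal(terminal_copy, service_blob))
    try:
        mgmt.authenticate_and_encrypt(auth, b"replayed request")  # same auth again
    except PermissionError as exc:
        print("rejected:", exc)
```

Without the counter (or a server-issued nonce), a static authentication ciphertext would authenticate any later request that carries it, which matters here because the service server sits on the relay path.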
  • FIG. 6 shows a hardware block diagram of a computer terminal (or mobile device) for implementing a data processing method.
  • Computer terminal 60 may include one or more processors 602 (shown in the figure as 602a, 602b, ..., 602n; the processor 602 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 604 for storing data, and a transmission module 606 for communication functions.
  • In addition, the computer terminal can also include: a display, an input/output interface (I/O interface), a universal serial bus (USB) port (which can be included as one of the ports of the I/O interface), a network interface, a power supply and/or a camera.
  • FIG. 6 is merely illustrative and does not limit the structure of the above electronic device.
  • computer terminal 60 may also include more or fewer components than shown in FIG. 6, or have a different configuration than that shown in FIG.
  • The processors 602 and/or other data processing circuits may be referred to herein generally as "data processing circuits".
  • the data processing circuit may be embodied in whole or in part as software, hardware, firmware or any other combination.
  • the data processing circuitry can be a single, separate processing module, or incorporated in whole or in part into any of the other components in computer terminal 60 (or mobile device).
  • the data processing circuit is controlled as a processor (e.g., selection of a variable resistance terminal path connected to the interface).
  • The memory 604 can be used to store software programs and modules of application software, such as the program instructions/data storage devices corresponding to the methods in the embodiments of the present application. The processor 602 executes various functional applications and data processing by running the software programs and modules stored in the memory 604, that is, implements the vulnerability detection method of the above application.
  • Memory 604 can include high speed random access memory and can also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory.
  • memory 604 can further include memory remotely located relative to processor 602, which can be connected to computer terminal 60 over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • Transmission device 606 is for receiving or transmitting data via a network.
  • Specific examples of the network described above may include a wireless network provided by a communication provider of computer terminal 60.
  • transmission device 606 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station to communicate with the Internet.
  • the transmission device 606 can be a Radio Frequency (RF) module for communicating with the Internet wirelessly.
  • the display can be, for example, a touch screen liquid crystal display (LCD) that enables a user to interact with a user interface of computer terminal 60 (or mobile device).
  • FIG. 7 is a schematic flowchart diagram of a data processing method according to an embodiment of the present application.
  • the computer terminal includes:
  • Step S702 the terminal generates authentication information according to the first key in the SIM card.
  • the first key is a random value generated by the management server and delivered to the terminal.
  • the foregoing authentication information may be: an authentication ciphertext and an authentication packet.
  • the timing of writing the first key to the SIM card can be flexibly determined according to actual conditions. For example, to ensure the security of the storage environment of the first key, the first key can be written on the production line of the SIM card.
  • the SIM card is installed with an application that communicates with the management server, and the application receives the first key delivered from the management server and stores it. In this way, the security of the SIM card in the production process is guaranteed.
  • The first key may also be written when the SIM card number is programmed (that is, the first key is written at the operator stage); the first key may also be written at the terminal production stage, that is, the first key is written in the process of integrating the SIM card into the terminal.
  • The terminal may obtain the authentication information actively, for example on a timer, or passively. For example, before the terminal obtains the authentication information, the terminal receives a trigger message from the service server, where the trigger message is used to trigger the terminal to obtain the authentication information.
  • the above trigger message includes but is not limited to a key update message.
  • the MCU in the terminal receives the trigger message, and when the trigger message is a key update message, the key update function is started, and the obtaining the authentication information is triggered.
  • the terminal may obtain the authentication information by: the processor in the terminal sends a request for acquiring the authentication information to the SIM card; and the SIM card feeds back the authentication information to the processor according to the request.
  • Step S704 the terminal applies to the service server for acquiring sensitive data, and sends the authentication information to the management server via the service server.
  • When there is no sensitive data in the terminal, the terminal applies to the service server to obtain the sensitive data. When sensitive data already exists in the terminal, the terminal's application to obtain sensitive data from the service server takes the form of the terminal requesting the service server to update the sensitive data.
  • Step S706 the terminal receives the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server using a second key corresponding to the first key;
  • Step S708 the terminal decrypts the encrypted data according to the first key to obtain sensitive data.
  • After the terminal decrypts the encrypted data using the first key stored in the SIM card and stores the decrypted sensitive data, the terminal receives the service data sent by the service server, where the service data has been encrypted using the above sensitive data; the terminal decrypts the service data using the stored sensitive data.
  • Before the terminal receives the service data sent by the service server, the following process may be performed: the terminal sends a notification message to the service server, where the notification message indicates that the terminal has completed the key update; that is, the service server sends the service data after receiving the notification message.
  • the service server may also determine the timing of sending the service data according to the preset rule. For example, the service server periodically sends the service data according to a preset period.
  • an embodiment of a method for identity authentication is also provided.
  • The steps shown in the flowcharts of the drawings may be performed in a computer system, such as one executing a set of computer-executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in a different order than the one described herein.
  • the embodiment of the present application provides a data processing method, as shown in FIG. 8, the method includes:
  • Step S802 the terminal generates authentication information according to the first key in the SIM card.
  • the first key is a random value generated by the management server and delivered to the terminal.
  • the foregoing authentication information may be: an authentication ciphertext and an authentication packet.
  • The SIM card may actively generate the foregoing authentication information and send it to the processor, or may generate it passively.
  • The passive case may be implemented as follows: the processor sends to the SIM card a request for acquiring the above-mentioned authentication ciphertext; the SIM card feeds back the authentication information to the processor according to the request.
  • Step S804 the terminal sends the authentication information to the management server via the service server.
  • Step S806 the management server authenticates the terminal according to the authentication information.
  • the authentication of the terminal by the management server can be realized. Since the authentication is performed by using the authentication ciphertext generated by the first key in the terminal, the security of the authentication ciphertext transmission process can be ensured.
  • the embodiment of the present application further provides another data processing method, as shown in FIG. 9, the method includes:
  • Step S902 the management server receives the authentication information that the terminal forwards via the service server, where the authentication information is generated by the terminal based on the first key stored in the SIM card in the terminal;
  • before the management server receives the authentication information forwarded by the terminal via the service server, the management server sends the first key to the SIM card of the terminal.
  • the first key may be written on the production line of the SIM card.
  • the SIM card manufacturer installs an application on the SIM card on the secure production line, and the application receives and stores the first key; the first key can also be written when the SIM card number is burned (i.e., the writing of the first key is completed at the operator stage); the first key may also be written in the production process of the terminal, that is, the first key is written during the integration of the SIM card into the terminal.
  • the timing at which the first key is written to the SIM card can be flexibly determined according to actual conditions, and is not limited to the above-mentioned writing timing.
  • Step S904 the management server authenticates the above authentication information. Optionally, when the authentication is passed, it is confirmed that the terminal is legal.
  • the embodiment of the present application provides a data processing method, as shown in FIG. 10, the method includes:
  • Step S1002 The terminal receives the encrypted data sent by the management server via the service server, wherein the encrypted data is obtained by the management server using the second key to encrypt the sensitive data provided by the service server; the second key is the key corresponding to the first key stored in the SIM card in the terminal.
  • the first key and the second key may be the same key or a corresponding key.
  • Step S1004 The terminal decrypts the encrypted data by using the first key, and stores the decrypted sensitive data.
  • This embodiment further provides a method for producing a SIM card. As shown in FIG. 11, the method includes:
  • Step S1102 starting an application on the subscriber identity module (SIM) card.
  • the first key may be written on the production line of the SIM card.
  • the SIM card manufacturer installs an application on the SIM card on the secure production line, and the application receives and stores the first key; the first key can also be written when the SIM card number is burned (i.e., the writing of the first key is completed at the operator stage); the first key may also be written in the production process of the terminal, that is, the first key is written during the integration of the SIM card into the terminal.
  • the timing at which the first key is written to the SIM card can be flexibly determined according to actual conditions, and is not limited to the above-mentioned writing timing.
  • step S1104 the security key issued by the management server is received by the application and stored in the SIM card.
  • the foregoing management server may be a server on the network side or a server in the cloud network.
  • the one or more management servers may be configured to provide a cloud platform, where the cloud platform is configured to provide the first key and the second key, where the first key and the second key may be the same key Or a key with a corresponding relationship.
  • This embodiment further provides a data processing method. As shown in FIG. 12, the method includes:
  • Step S1202 The terminal generates authentication information according to the first key in the security module.
  • the security module may be, but not limited to, a SIM card, and the first key is a random value generated by the management server and delivered to the terminal.
  • Step S1204 The terminal applies to the service server for acquiring sensitive data, and sends the authentication information to the management server via the service server.
  • Step S1206 The terminal receives the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server encrypting the sensitive data provided by the service server by using the second key corresponding to the first key;
  • Step S1208 The terminal decrypts the encrypted data according to the first key to obtain sensitive data.
  • This embodiment further provides an identity authentication method. As shown in FIG. 13, the method includes:
  • Step S1302 The terminal generates authentication information according to the first key in the security module.
  • the security module described above may be, but is not limited to, a SIM card.
  • the first key is a random value generated by the management server and delivered to the terminal.
  • the foregoing authentication information may be: an authentication ciphertext and an authentication packet.
  • the SIM card may actively generate the foregoing authentication information, and send the information to the processor, or may be generated in a passive manner.
  • the method may be implemented by: the processor in the terminal sending the SIM card a request for acquiring the above authentication information; the SIM card feeding back the authentication information to the processor according to the request.
  • Step S1304 the terminal sends the authentication information to the management server via the service server;
  • step S1306 the management server authenticates the terminal according to the authentication information.
  • the authentication of the terminal by the management server can be realized. Since the authentication is performed by using the authentication ciphertext generated by the first key in the terminal, the security of the authentication ciphertext transmission process can be ensured.
  • This embodiment further provides an identity authentication method. As shown in FIG. 14, the method includes:
  • step S1402 the management server receives the authentication information that the terminal forwards via the service server, where the authentication information is generated by the terminal based on the first key stored by the security module in the terminal;
  • the security module described above may be, but is not limited to, a SIM card.
  • before the management server receives the authentication information forwarded by the terminal via the service server, the management server sends the first key to the SIM card of the terminal.
  • the first key may be written on the production line of the SIM card.
  • the SIM card manufacturer installs an application on the SIM card on the secure production line, and the application receives and stores the first key; the first key can also be written when the SIM card number is burned (i.e., the writing of the first key is completed at the operator stage); the first key may also be written in the production process of the terminal, that is, the first key is written during the integration of the SIM card into the terminal.
  • the timing at which the first key is written to the SIM card can be flexibly determined according to actual conditions, and is not limited to the above-mentioned writing timing.
  • step S1404 the management server authenticates the authentication information. Optionally, where the authentication is passed, the terminal is confirmed to be legal.
  • This embodiment further provides a data processing method, as shown in FIG. 15, the method includes:
  • Step S1502 The terminal receives the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server using the second key to encrypt the sensitive data provided by the service server; the second key is a key corresponding to the first key stored in the security module in the terminal;
  • the security module described above may be, but is not limited to, a SIM card.
  • the first key and the second key may be the same key or a corresponding key.
  • step S1504 the terminal decrypts the encrypted data by using the first key, and stores the decrypted sensitive data.
  • the method according to the above embodiment can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as a ROM/RAM, a magnetic disk, or an optical disc) and including a number of instructions for causing a terminal device (which may be a cell phone, a computer, a server, or a network device, etc.) to perform the methods of the various embodiments of the present application.
  • Embodiments of the present application also provide a storage medium.
  • the foregoing storage medium may be used to save the program code executed by the data processing method provided in Embodiment 2 above.
  • the foregoing storage medium may be located in any one of the computer terminal groups in the computer network, or in any one of the mobile terminal groups.
  • the storage medium is configured to store program code for performing the following steps: the terminal acquires the authentication ciphertext, wherein the authentication ciphertext is a ciphertext generated based on the first key stored by the SIM card in the terminal; the terminal applies to the service server for updating the sensitive data, and sends the encrypted ciphertext to the management server via the service server; the terminal receives the encrypted data sent by the management server via the service server, where the encrypted data is obtained by the management server using the second key corresponding to the first key to encrypt the sensitive data provided by the service server; the terminal decrypts the encrypted data by using the first key stored in the SIM card, and stores the decrypted sensitive data.
  • the storage medium is configured to store program code for performing the following steps: before the terminal acquires the authentication ciphertext, the terminal receives a trigger message from the service server, where the trigger message is used to trigger the terminal to acquire the above authentication ciphertext.
  • the storage medium is configured to store program code for performing the following steps: the MCU in the terminal receives the trigger message, and when the trigger message is a key update message, the key update function is enabled and the acquisition of the above authentication ciphertext is triggered.
  • An embodiment of the present application also provides a processor.
  • the foregoing processor may be used to execute program code that implements the data processing method provided in Embodiment 2 above.
  • the processor may be located in any one of the computer terminal groups in the computer network, or in any one of the mobile terminal groups.
  • the processor is configured to execute the following steps: the terminal acquires the authentication ciphertext, wherein the authentication ciphertext is a ciphertext generated based on the first key stored in the SIM card in the terminal; the terminal applies to the service server for updating the sensitive data, and sends the encrypted ciphertext to the management server via the service server; the terminal receives the encrypted data sent by the management server via the service server, wherein the encrypted data is obtained by the management server using the second key corresponding to the first key to encrypt the sensitive data provided by the service server; the terminal decrypts the encrypted data by using the first key stored in the SIM card, and stores the decrypted sensitive data.
  • the processor is configured to execute the following steps: before the terminal obtains the authentication ciphertext, the terminal receives a trigger message from the service server, where the trigger message is used to trigger the terminal to acquire the above authentication ciphertext.
  • the processor is configured to execute the following steps: the MCU in the terminal receives the trigger message, and when the trigger message is a key update message, the key update function is enabled and the acquisition of the above authentication ciphertext is triggered.
  • the disclosed technical contents may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • multiple units or components may be combined or may be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, unit or module, and may be electrical or otherwise.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the computer readable storage medium includes a number of instructions to cause a computer device (which may be a personal computer, server or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application.
  • the foregoing storage medium includes: a U disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, and the like.
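
The flow of Steps S1202 to S1208 (with the authentication of Steps S1302 to S1306), as an added example that is not part of the patent text: the security module authenticates with the first key, the management server verifies and encrypts with the second key, and the terminal decrypts. The patent names no algorithms, so HMAC-SHA256 as the authentication ciphertext, the server-issued single-use nonce, the subkey derivation, AES-256-GCM, and every type and function name here are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// derive splits the shared key into per-purpose subkeys (assumed; no KDF is named).
func derive(key []byte, label string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	return m.Sum(nil)
}

type AuthInfo struct { // assumed layout of the "authentication information"
	DeviceID   string
	Nonce, Tag []byte
}

// SIMAuth (S1202) runs inside the security module, so the first key stays there.
func SIMAuth(firstKey []byte, id string, nonce []byte) AuthInfo {
	m := hmac.New(sha256.New, derive(firstKey, "auth"))
	m.Write(append([]byte(id+"\x00"), nonce...))
	return AuthInfo{id, nonce, m.Sum(nil)}
}

func gcm(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key) // cannot fail: derive always yields 32 bytes
	g, _ := cipher.NewGCM(b)
	return g
}

// ManagementServer holds each device's second key (here equal to the first key) and its pending nonce.
type ManagementServer struct{ keys, pending map[string][]byte }
func (s *ManagementServer) Challenge(id string) []byte {
	n := make([]byte, 16)
	rand.Read(n)
	s.pending[id] = n
	return n
}

// AuthAndEncrypt verifies the terminal (S1306), then encrypts the sensitive data (S1206).
func (s *ManagementServer) AuthAndEncrypt(a AuthInfo, data []byte) ([]byte, error) {
	key, nonce := s.keys[a.DeviceID], s.pending[a.DeviceID]
	delete(s.pending, a.DeviceID) // a replayed AuthInfo finds no nonce
	if key == nil || nonce == nil || !hmac.Equal(SIMAuth(key, a.DeviceID, nonce).Tag, a.Tag) {
		return nil, fmt.Errorf("terminal %q failed authentication", a.DeviceID)
	}
	g := gcm(derive(key, "enc"))
	iv := make([]byte, g.NonceSize())
	rand.Read(iv)
	return g.Seal(iv, iv, data, []byte(a.DeviceID)), nil // iv || ciphertext || tag
}

// SIMDecrypt (S1208) fails if any byte of the relayed blob was altered.
func SIMDecrypt(firstKey []byte, id string, blob []byte) ([]byte, error) {
	g := gcm(derive(firstKey, "enc"))
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(id))
}

func main() {
	k := derive([]byte("constructed demo secret"), "first key") // stands in for a provisioned key
	ms := &ManagementServer{map[string][]byte{"dev-1": k}, map[string][]byte{}}
	blob, _ := ms.AuthAndEncrypt(SIMAuth(k, "dev-1", ms.Challenge("dev-1")), []byte("cfg"))
	pt, err := SIMDecrypt(k, "dev-1", blob)
	fmt.Println(string(pt), err)
}
```

The service server only relays `AuthInfo` and the encrypted blob; because the server recomputes the tag over the nonce it issued, a captured `AuthInfo` cannot be reused for a second request.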

Abstract

The present invention relates to data processing and identity authentication methods and systems, and a terminal. The data processing method comprises the following steps: a terminal acquires an authentication ciphertext that is generated on the basis of a first key stored in the SIM card of a terminal; the terminal requests updated sensitive data from a service server, and sends the authentication ciphertext to a management server via the service server; the terminal receives encrypted data sent by the management server via the service server, the encrypted data being obtained by the management server using a second key corresponding to the first key to encrypt sensitive data provided by the service server; and the terminal uses the first key stored in the SIM card to decrypt the encrypted data and stores the decrypted sensitive data.
PCT/CN2018/104763 2017-09-19 2018-09-10 Data processing and identity authentication methods and systems, and terminal WO2019056957A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710852631.X 2017-09-19
CN201710852631.XA CN109525989B (zh) 2017-09-19 2017-09-19 Data processing and identity authentication methods and systems, and terminal

Publications (1)

Publication Number Publication Date
WO2019056957A1 (fr) 2019-03-28

Family

ID=65769614

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/104763 WO2019056957A1 (fr) 2017-09-19 2018-09-10 Data processing and identity authentication methods and systems, and terminal

Country Status (2)

Country Link
CN (1) CN109525989B (fr)
WO (1) WO2019056957A1 (fr)

Also Published As

Publication number Publication date
CN109525989A (zh) 2019-03-26
CN109525989B (zh) 2022-09-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18859848

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18859848

Country of ref document: EP

Kind code of ref document: A1