WO2020057314A1 - Method, device and system for online issuance of eSIM certificates - Google Patents

Method, device and system for online issuance of eSIM certificates

Info

Publication number
WO2020057314A1
Authority
WO
WIPO (PCT)
Prior art keywords
certificate
esim
user
ciphertext
request
Application number
PCT/CN2019/101847
Other languages
English (en)
French (fr)
Inventor
何碧波
陆道如
Original Assignee
恒宝股份有限公司

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/3247 involving digital signatures
                        • H04L 9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                            • H04L 9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/06 Authentication

Definitions

  • the present application relates to the technical field of digital certificates, and in particular, to a method, a device, and a system for issuing an Embedded Subscriber Identity Module (eSIM, Embedded Subscriber Identity Module) certificate online.
  • eSIM Embedded Subscriber Identity Module
  • the eSIM card embeds the SIM directly into a chip of the electronic device, so the device needs no card slot for it. This avoids the poor contact caused by dust entering a card slot or by severe vibration, which gives devices that use an eSIM card the advantages of being dustproof, waterproof and shockproof.
  • users can flexibly and autonomously choose an operator and use that operator's cellular network, which meets the user's personalized network access requirements; eSIM cards are therefore widely used in all kinds of Internet of Things devices.
  • for a traditional SIM card, the operator entrusts its code number data to a qualified card manufacturer for production, and the card manufacturer presets the operator's code number data (the profile) on the SIM card during production.
  • the eSIM card does not need a profile preset during production; it only needs the certificates used for downloading a profile, so that the operator can be chosen freely after mutual authentication with the card manufacturer based on the preset certificates.
  • specifically, during eSIM card production the card manufacturer issues an eSIM certificate for each produced eSIM card and presets the certificate issuer (CI) certificate, the embedded universal integrated circuit card manufacturer (EUM) certificate and the issued eSIM certificate into the eSIM card.
  • CI certificate issuer
  • EUM embedded universal integrated circuit card manufacturer (referred to as the card manufacturer)
  • the CI certificate (CI_CERT) is the root certificate of the certificate issuer
  • the EUM certificate (EUM_CERT) is the root certificate issued by the certificate issuer to the card manufacturer
  • the eSIM certificate (eSIM_CERT) is the certificate issued by the card manufacturer to the eSIM card.
  • a card manufacturer maintains its own EUM_CERT.
  • the IoT end user uses the certificates preset in the eSIM card to perform online authentication with the CI certificate server through the local profile assistant (LPA, Local Profile Assistant) and, after passing, securely downloads the required profile from the CI certificate server.
  • the IoT terminal can then log in to the operator's cellular network corresponding to that profile, achieving flexible and independent selection of the operator.
  • the approach of presetting the eSIM certificate requires each card manufacturer to maintain its own EUM_CERT and to issue and manage the eSIM certificates of the eSIM cards it produces, which raises the card manufacturer's operation and maintenance costs.
  • embedding the certificate issuance process in the eSIM card production process also increases the capacity burden on card manufacturers and increases the operation and maintenance cost of eSIM cards.
  • the intermediate link this requires, namely card manufacturers maintaining EUM certificates and issuing and managing eSIM certificates, also carries security risks.
  • for eSIM cards that have no physical card such as a universal integrated circuit card (UICC, Universal Integrated Circuit Card), for example a Trusted Execution Environment (TEE) SIM card or an integrated universal integrated circuit card (iUICC), card manufacturers preset no certificates before the product leaves the factory, so such products cannot log in to the operator's cellular network at all.
  • UICC Universal Integrated Circuit Card
  • TEE Trusted Execution Environment
  • iUICC integrated Universal Integrated Circuit Card
  • the purpose of this application is to provide a method, device and system for online issuance of an eSIM certificate, which are used to solve the problem of high operation and maintenance cost of the eSIM card in the prior art.
  • an embodiment of the present application provides a method for issuing an eSIM certificate online, which is applied to an IoT terminal.
  • the method includes:
  • based on the received user certificate and CI certificate, obtaining an eSIM certificate ciphertext request to-be-signed file, signing it, and obtaining an eSIM certificate ciphertext request signature;
  • receiving the eSIM certificate ciphertext to-be-signed file and the eSIM certificate ciphertext signature that the CI certificate server returns according to the eSIM certificate ciphertext request to-be-signed file, the eSIM certificate ciphertext request signature and the user certificate; and
  • parsing the eSIM certificate ciphertext to-be-signed file and the eSIM certificate ciphertext signature to obtain the eSIM certificate, and storing it.
  • an embodiment of the present application provides a method for issuing an embedded subscriber identity module (eSIM) certificate online, applied to a certificate issuer's CI certificate server, the method including:
  • encrypting the issued eSIM certificate and sending the encrypted eSIM certificate to the IoT terminal.
  • an embodiment of the present application provides a device for issuing an eSIM certificate online.
  • the device includes:
  • a certificate online signing request module configured to initiate a certificate online signing request to a certificate issuer's CI certificate server, where the certificate online signing request carries user information;
  • a user certificate receiving module configured to receive a user certificate and a CI certificate issued by the CI certificate server for the authenticated user information
  • a signature file generating module configured to obtain an eSIM certificate ciphertext request to be signed based on the received user certificate and CI certificate, sign the eSIM certificate ciphertext request to be signed, and obtain an eSIM certificate ciphertext request for signature;
  • a signature file transmission module configured to transmit the eSIM certificate ciphertext request to-be-signed file and the eSIM certificate ciphertext request signature to the CI certificate server;
  • an eSIM certificate parsing module configured to receive the eSIM certificate ciphertext to-be-signed file and the eSIM certificate ciphertext signature that the CI certificate server returns according to the eSIM certificate ciphertext request to-be-signed file, the eSIM certificate ciphertext request signature and the user certificate, and to parse them to obtain the eSIM certificate and store it.
  • an embodiment of the present application provides a device for issuing an eSIM certificate online.
  • the device includes:
  • An authentication module configured to receive an online signing request for a certificate carrying user information sent by an IoT terminal, and authenticate the user information
  • a user certificate issuing module configured to, if the authentication succeeds, extract the CI certificate private key contained in the pre-stored certificate issuer's CI certificate, use the extracted CI certificate private key to issue a user certificate, and send the user certificate and the CI certificate to the IoT terminal;
  • a signature file receiving module configured to receive the eSIM certificate ciphertext request returned by the IoT terminal according to the user certificate and the CI certificate, and the eSIM certificate ciphertext request signature;
  • an eSIM certificate issuing module configured to issue an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request to-be-signed file and the eSIM certificate ciphertext request signature;
  • an eSIM certificate encryption processing module configured to encrypt the issued eSIM certificate and send the encrypted eSIM certificate to the IoT terminal.
  • an embodiment of the present application provides a system for issuing an eSIM certificate online.
  • the system includes an Internet of Things terminal and a certificate issuer CI certificate server.
  • the IoT terminal is configured to initiate a certificate online signing request to the CI certificate server, where the certificate online signing request carries user information;
  • the IoT terminal is further configured to obtain, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request to-be-signed file, sign it, and obtain an eSIM certificate ciphertext request signature;
  • the CI certificate server is configured to receive the certificate online signing request carrying user information sent by the IoT terminal, and to authenticate the user information;
  • the CI certificate server is further configured to encrypt the issued eSIM certificate and send the eSIM certificate ciphertext to-be-signed file and the eSIM certificate ciphertext signature to the IoT terminal.
  • an embodiment of the present application provides a computer device including a memory, a processor, and a computer program stored on the memory and executable on the processor.
  • when the processor executes the computer program, the steps of the above method are implemented.
  • an embodiment of the present application provides a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program, and the computer program executes the steps of the foregoing method when the computer program is run by a processor.
  • An embodiment of the present application provides a method, a device, and a system for issuing an eSIM certificate online.
  • an IoT terminal initiates a certificate online signing request carrying user information to a CI certificate server.
  • the CI certificate server maintains the user certificate of each user and, after authenticating the user information, issues a user certificate and a CI certificate for that user.
  • based on the received user certificate and CI certificate, the IoT terminal generates an eSIM certificate ciphertext request to-be-signed file and an eSIM certificate ciphertext request signature and sends them to the CI certificate server, so that the CI certificate server can verify the signature and issue an eSIM certificate for the user.
  • in this way the certificate is obtained online without presetting any certificate in the eSIM card, the eSIM card gains the ability to download a profile, and the operation and maintenance cost of the eSIM card is effectively reduced.
  • FIG. 1 is a schematic flowchart of a method for issuing an eSIM certificate online according to an embodiment of the present application
  • FIG. 2 is a schematic flowchart of step 103 based on FIG. 1 according to an embodiment of the present application;
  • FIG. 3 is another schematic flowchart of a method for issuing an eSIM certificate online according to an embodiment of the present application
  • FIG. 4 is a schematic flowchart of step 304 based on FIG. 3 according to an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of a specific method for issuing an eSIM certificate online according to an embodiment of the present application
  • FIG. 6 is a schematic structural diagram of an apparatus for issuing an eSIM certificate online according to an embodiment of the present application
  • FIG. 7 is another schematic structural diagram of an apparatus for issuing an eSIM certificate online according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a system for issuing an eSIM certificate online according to an embodiment of the present application
  • FIG. 9 is a schematic structural diagram of a computer device 400 according to an embodiment of the present application.
  • FIG. 1 is a schematic flowchart of a method for issuing an eSIM certificate online according to an embodiment of the present application. As shown in FIG. 1, when applied to an IoT terminal, the method includes:
  • Step 101 Initiate a certificate online signing request to a CI certificate server, where the certificate online signing request carries user information;
  • the IoT terminal may initiate the certificate online signing request to the CI certificate server through the LPA in order to obtain the corresponding certificate from the CI certificate server.
  • the eSIM card of the IoT terminal uses the obtained certificate to securely download the profile file to be obtained from the CI certificate server for installation.
  • no certificate is preset in the eSIM card during the production of the eSIM card.
  • an IoT terminal such as a smart watch or PAD applies for an eSIM certificate online through WIFI, Bluetooth, etc., in order to obtain the service for downloading a profile.
  • WIFI Wireless Fidelity
  • the user information includes, but is not limited to, a user identification (USER_ID) and/or a mobile phone number, where the user identification includes, but is not limited to, any one or a combination of ID card information, passport information, fingerprint information and social security card number information.
  • the user information includes: ID information and mobile phone number information.
  • Step 102 Receive a user certificate and a CI certificate issued by the CI certificate server for the authenticated user information
  • the LPA in the IoT terminal sends the certificate online signing request to the CI certificate server so that the IoT terminal user is authenticated at the CI certificate server; after the authentication passes, the CI certificate server issues a user certificate (USER_CERT) for the IoT terminal user and delivers the USER_CERT and CI_CERT to the eSIM card of the IoT terminal.
  • USER_CERT user certificate
  • the CI certificate server no longer issues an EUM_CERT for the card manufacturer; instead it issues a USER_CERT for the user, and the issued USER_CERT is then used to issue the eSIM_CERT for the eSIM card.
  • that is, the CI certificate server issues a secondary certificate (USER_CERT) to the IoT end user or enterprise user, and then uses the USER_CERT to issue an eSIM_CERT for the eSIM card in each IoT terminal; all certificates are issued by the CI certificate server.
  • the card manufacturer therefore neither maintains its own EUM_CERT nor issues and manages the eSIM certificates of the eSIM cards it produces, so the certificate issuance process is no longer embedded in the eSIM card production process; instead the CI certificate server maintains and manages the USER_CERT of each user, which effectively frees the capacity of the card manufacturer and reduces the operation and maintenance cost of the eSIM card.
  • further, because the CI certificate server handles both the issuance of USER_CERT and the issuance of eSIM_CERT, intermediate links are reduced and the security risks they would introduce are avoided.
  • Step 103 Based on the received user certificate and CI certificate, obtain an eSIM certificate ciphertext request for a file to be signed, sign the eSIM certificate ciphertext request for a file to be signed, and obtain an eSIM certificate ciphertext request for signature.
  • the CI_CERT public key is extracted from the received CI_CERT and used to verify the signature of the USER_CERT; if the signature verification passes, an issuing public key (PK_USER) and an issuing private key (SK_USER) for issuing the eSIM_CERT are generated, and PK_USER is used to generate an eSIM certificate request file (CSR_USER, Certificate Signing Request_USER).
  • PK_USER public issuing key
  • SK_USER private key for issuing eSIM_CERT
  • CSR_USER Certificate Signing Request_USER
  • the CSR_USER file is encrypted with the USER_CERT public key to obtain the SIGN_CSR_USER file, and SK_USER is used to sign the SIGN_CSR_USER file to obtain the eSIM certificate ciphertext request signature (SIGNATURE_CSR_USER).
  • Step 104 transmitting the eSIM certificate ciphertext request to-be-signed file and the eSIM certificate ciphertext request signature to the CI certificate server;
  • the eSIM card of the IoT terminal sends the SIGN_CSR_USER file and SIGNATURE_CSR_USER to the CI certificate server through the LPA in the IoT terminal.
  • Step 105 Receive the eSIM certificate ciphertext to-be-signed file and the eSIM certificate ciphertext signature that the CI certificate server returns according to the eSIM certificate ciphertext request to-be-signed file, the eSIM certificate ciphertext request signature and the user certificate, and parse them to obtain the eSIM certificate and store it.
  • the eSIM card receives the eSIM certificate ciphertext to-be-signed file (SIGN_eSIM_CERT) and the eSIM certificate ciphertext signature (SIGNATURE_eSIM_CERT) returned by the CI certificate server, where the CI certificate server generates the SIGN_eSIM_CERT file and SIGNATURE_eSIM_CERT from the received SIGN_CSR_USER file and SIGNATURE_CSR_USER together with the user certificate issued for that user.
  • the eSIM card of the IoT terminal obtains the eSIM_CERT based on the SIGN_eSIM_CERT file and SIGNATURE_eSIM_CERT.
  • the IoT terminal initiates a certificate online signing request carrying user information to the CI certificate server.
  • the CI certificate server maintains the user certificate of each user; after authenticating the user information, it issues a user certificate and a CI certificate for the user corresponding to that user identification. Based on the received user certificate and CI certificate, the IoT terminal generates an eSIM certificate ciphertext request to-be-signed file and an eSIM certificate ciphertext request signature and sends them to the CI certificate server, so that the CI certificate server can verify the signature and issue an eSIM certificate for the user.
  • the card manufacturer no longer needs to issue and manage the eSIM certificates of the eSIM cards it produces, which effectively frees the capacity of the card manufacturer; moreover, since the CI certificate server uniformly maintains the issuance of user certificates and eSIM certificates for each user, certificate management involves only the eSIM card and the CI certificate server, which removes the card manufacturer as an intermediate link and reduces the security risks and resource overhead that link would cause.
  • for eSIM cards that have no physical UICC, such as TEE SIM cards or iUICC products, a certificate can be obtained directly with the method of this embodiment, so that this type of product can autonomously log in to the operator's cellular network.
  • FIG. 2 is a schematic flowchart of step 103 based on FIG. 1 according to an embodiment of the present application. As shown in Figure 2, the process includes:
  • Step 201 extract the CI certificate public key contained in the CI certificate, and use the extracted CI certificate public key to verify the signature of the user certificate;
  • the CI_CERT contains a CI_CERT public key.
  • Step 202 if the signature verification is passed, generate an issuing public key and an issuing private key for issuing the eSIM certificate, and use the issued public key to generate an eSIM certificate request file;
  • the eSIM card receives the USER_CERT, extracts the signature of the USER_CERT and verifies it with the CI_CERT public key; after the signature verification of the USER_CERT passes, the eSIM card generates, according to a preset algorithm, the issuing public key (PK_USER) and the issuing private key (SK_USER) used for issuing the eSIM_CERT.
  • PK_USER public key
  • SK_USER private key
  • the eSIM certificate request file includes the issuing public key, CI server information, extensions, the certificate validity period, and the like.
  • Step 203 Extract the user certificate public key included in the user certificate, and use the user certificate public key to encrypt the eSIM certificate request file to obtain the eSIM certificate ciphertext request for a file to be signed;
  • the eSIM certificate ciphertext request file to be signed is a SIGN_CSR_USER file.
  • Step 204 Use the signed private key to sign the eSIM certificate ciphertext request to be signed, and obtain the eSIM certificate ciphertext request for signature.
  • the eSIM certificate ciphertext request signature is SIGNATURE_CSR_USER.
  • SIGNATURE_CSR_USER is the signature of the SIGN_CSR_USER file.
  • parsing the eSIM certificate ciphertext to-be-signed file and the eSIM certificate ciphertext signature to obtain the eSIM certificate includes:
  • A11 the eSIM card verifies the eSIM certificate ciphertext signature against the eSIM certificate ciphertext to-be-signed file using the USER_CERT public key;
  • A12 if the verification succeeds, the issuing private key is used to decrypt the eSIM certificate ciphertext to-be-signed file to obtain the eSIM certificate.
  • FIG. 3 is another schematic flowchart of a method for issuing an eSIM certificate online according to an embodiment of the present application. As shown in FIG. 3, when applied to a CI certificate server, the method includes:
  • Step 301 Receive an online signing request for a certificate carrying user information sent by an IoT terminal, and authenticate the user information;
  • the CI certificate server transmits user information (USER_ID and user mobile phone number) to the real-name authentication system, and verifies the user information that initiates the online certificate signing request.
  • Step 302 If the authentication succeeds, extract the CI certificate private key contained in the pre-stored CI certificate, use the extracted CI certificate private key to issue a user certificate, and send the user certificate and the CI certificate to the IoT terminal;
  • before the CI certificate private key contained in the pre-stored CI certificate is extracted after the authentication passes, the method further includes: querying whether a user certificate account corresponding to the user information is stored in the CI certificate server and, if not, creating one based on the user information.
  • the user certificate is managed uniformly by the CI certificate server, and each user corresponds to a user certificate account that maintains the USER_CERTs issued for that user; a user certificate account contains one or more USER_CERTs.
  • Step 303 Receive the eSIM certificate ciphertext request for the signature file and the eSIM certificate ciphertext request for signature returned by the IoT terminal according to the user certificate and the CI certificate.
  • Step 304 Issue the eSIM certificate based on the user certificate, the eSIM certificate ciphertext request to-be-signed file and the eSIM certificate ciphertext request signature.
  • Step 305 Perform encryption processing on the signed eSIM certificate, and send the encrypted eSIM certificate to the IoT terminal.
  • after the issued eSIM certificate is encrypted, the resulting eSIM certificate ciphertext to-be-signed file and eSIM certificate ciphertext signature are sent to the Internet of Things terminal.
  • the IoT terminal can parse the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature, obtain an eSIM certificate, and store it.
  • after receiving the online certificate signing request, the CI certificate server issues a user certificate for the user who initiated it, returns the issued user certificate and the CI certificate to that user, and then, through interactive authentication with the user, issues an eSIM certificate for the user. The eSIM certificate can thus be issued online, and there is no need to preset an eSIM certificate in the eSIM card.
  • FIG. 4 is a schematic flowchart of step 304 based on FIG. 3 according to an embodiment of the present application. As shown in Figure 4, the process includes:
  • Step 401 Use the user certificate private key in the user certificate to decrypt the eSIM certificate ciphertext request to-be-signed file to obtain an eSIM certificate request file;
  • Step 402 Extract the issuing public key from the eSIM certificate request file, and use the issuing public key to verify the eSIM certificate ciphertext request signature;
  • Step 403 If the signature verification is successful, use the user certificate private key to sign the eSIM certificate request file to obtain the eSIM certificate.
  • encrypting the issued eSIM certificate includes:
  • B11 Encrypt the eSIM certificate with the issuing public key to obtain the eSIM certificate ciphertext to-be-signed file.
  • B12 Use the user certificate private key in the user certificate to sign the eSIM certificate ciphertext file to be signed to obtain the eSIM certificate ciphertext signature.
  • FIG. 5 is a schematic flowchart of a specific method for issuing an eSIM certificate online according to an embodiment of the present application. As shown in Figure 5, the method includes:
  • Step 501 Initiate a certificate online signing request to a CI certificate server through LPA, where the certificate online signing request carries user information;
  • an end user of the Internet of Things (including individual users and enterprise users) initiates an online certificate application to the CI certificate server through LPA.
  • the online certificate issuing request includes user information, where the user information includes a user ID (USER_ID) and a user cellphone number.
  • Step 502 The CI certificate server transmits the user information carried in the online certificate issuance request to the real-name authentication system to perform real-name authentication on the user information.
  • the CI certificate server transmits user information (USER_ID and user mobile phone number) to the real-name authentication system, and verifies the user information that initiates the online certificate signing request.
  • Step 503 Receive the real-name authentication result returned by the real-name authentication system.
  • the real-name authentication system performs authentication according to the user information, and returns the real-name authentication result to the CI certificate server.
  • Step 504 if the real-name authentication result is passed, extract the CI_CERT private key included in the CI_CERT, and use the extracted CI_CERT private key to issue a USER_CERT;
  • if the real-name authentication result is a failure, the CI certificate server rejects the online certificate signing request initiated by the user; if it passes, the server queries whether a user certificate account corresponding to the user information is stored in the CI certificate server. If not, it creates a user certificate account from the user information, extracts the CI_CERT private key contained in CI_CERT and uses it to issue a USER_CERT; if so, it directly extracts the CI_CERT private key contained in CI_CERT and uses it to issue a USER_CERT.
  • the USER_ID and the user's mobile phone number are used together as the unique identifier of the user certificate account, and one user certificate account contains one or more USER_CERTs.
  • Step 505 The CI certificate server returns CI_CERT and the issued USER_CERT to the LPA.
  • Step 506 The LPA returns CI_CERT and USER_CERT to the eSIM card.
  • Step 507 Extract the CI_CERT public key contained in the CI_CERT, and use the extracted CI_CERT public key to verify the signature of the USER_CERT;
  • Step 508 if the signature verification is passed, generate PK_USER and SK_USER for issuing eSIM_CERT, and use PK_USER to generate a CSR_USER file;
  • Step 509 Extract the USER_CERT public key included in the USER_CERT, and encrypt the CSR_USER file with the USER_CERT public key to obtain a SIGN_CSR_USER file;
  • Step 510 Use SK_USER to sign the SIGN_CSR_USER file to obtain SIGNATURE_CSR_USER;
  • Step 511 Send the SIGN_CSR_USER file and SIGNATURE_CSR_USER to the LPA;
  • Step 512 the LPA sends the SIGN_CSR_USER file and the SIGNATURE_CSR_USER to the CI certificate server;
  • Step 513 The CI certificate server uses the USER_CERT private key to decrypt the SIGN_CSR_USER file to obtain a CSR_USER file.
  • Step 514 Extract PK_USER from the CSR_USER file, and use PK_USER to verify SIGNATURE_CSR_USER;
  • Step 515 if the signature verification is successful, use the USER_CERT private key to sign the CSR_USER file to obtain eSIM_CERT;
  • Step 516 Use PK_USER to encrypt the eSIM_CERT to obtain the eSIM certificate ciphertext file to be signed (SIGN_eSIM_CERT);
  • Step 517 Use the USER_CERT private key to sign the SIGN_eSIM_CERT file to obtain the eSIM certificate ciphertext signature (SIGNATURE_eSIM_CERT);
  • Step 518 Send the SIGN_eSIM_CERT file and the SIGNATURE_eSIM_CERT to the LPA;
  • the CI certificate server sends the SIGN_eSIM_CERT and SIGNATURE_eSIM_CERT together to the LPA to complete the online certificate issuance.
  • Step 519 Deliver the SIGN_eSIM_CERT file and SIGNATURE_eSIM_CERT to the eSIM card.
  • Step 520 The eSIM card uses the USER_CERT public key to verify SIGNATURE_eSIM_CERT over the SIGN_eSIM_CERT file.
  • Step 521 if the signature verification is successful, use SK_USER to decrypt the SIGN_eSIM_CERT file to obtain eSIM_CERT and store it;
  • if the signature verification fails, the process is terminated.
  • Step 522 Return the card-writing success result to the LPA.
  • Step 523 According to the card-writing success result, the LPA notifies the user that the profile download service has been activated.
  • the LPA prompts the user that the online application for the profile download service succeeded.
  • FIG. 6 is a schematic structural diagram of an apparatus for issuing an eSIM certificate online according to an embodiment of the present application. As shown in Figure 6, the device includes:
  • the certificate online signing request module 601 is configured to initiate a certificate online signing request to a CI certificate server, where the certificate online signing request carries user information;
  • a user certificate receiving module 602 configured to receive a user certificate and a CI certificate issued by the CI certificate server for the authenticated user information;
  • a signature file generating module 603 configured to obtain, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and to sign that file to obtain an eSIM certificate ciphertext request signature;
  • a signature file transmission module 604 configured to transmit the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server;
  • an eSIM certificate parsing module 605 configured to receive the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature that the CI certificate server returns on the basis of the eSIM certificate ciphertext request file to be signed, the eSIM certificate ciphertext request signature and the user certificate, and to parse them to obtain and store an eSIM certificate.
  • the signature file generating module 603 is specifically configured to: extract the CI certificate public key from the CI certificate and verify the signature of the user certificate with it; if the signature verifies, generate the issuing public key and issuing private key for the eSIM certificate and generate an eSIM certificate request file with the issuing public key; extract the user certificate public key from the user certificate and encrypt the eSIM certificate request file with it to obtain the eSIM certificate ciphertext request file to be signed; and sign that file with the issuing private key to obtain the eSIM certificate ciphertext request signature.
  • parsing the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature to obtain an eSIM certificate includes: verifying the eSIM certificate ciphertext signature with the user certificate public key and, if verification succeeds, decrypting the eSIM certificate ciphertext file to be signed with the issuing private key to obtain the eSIM certificate.
  • FIG. 7 is another schematic structural diagram of an apparatus for issuing an eSIM certificate online according to an embodiment of the present application. As shown in Figure 7, the device includes:
  • An authentication module 701 configured to receive an online signing request for a certificate carrying user information sent by an IoT terminal, and authenticate the user information;
  • the user certificate issuing module 702 if the authentication is successful, extracts the CI certificate private key contained in the pre-stored CI certificate, uses the extracted CI certificate private key to sign a user certificate, and sends the user certificate and the CI certificate to the IoT terminal;
  • a signature file receiving module 703, configured to receive the eSIM certificate ciphertext request returned by the IoT terminal according to the user certificate and the CI certificate, and the eSIM certificate ciphertext request signature;
  • an eSIM certificate signing module 704 configured to sign an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request for a file to be signed, and the eSIM certificate ciphertext request for signature;
  • the eSIM certificate encryption processing module 705 is configured to perform encryption processing on the eSIM certificate that is issued, and send the encrypted eSIM certificate ciphertext signature to the IoT terminal.
  • after the authentication passes and before extracting the CI certificate private key, the user certificate issuing module 702 is further configured to query whether a user certificate account corresponding to the user information is stored and, if not, to construct one from the user information.
  • the eSIM certificate issuing module 704 is specifically configured to: decrypt the eSIM certificate ciphertext request file to be signed with the user certificate private key to obtain the eSIM certificate request file; extract the issuing public key from that request file and verify the eSIM certificate ciphertext request signature with it; and, if the signature verifies, sign the eSIM certificate request file with the user certificate private key to obtain the eSIM certificate.
  • the eSIM certificate encryption processing module 705 is specifically configured to encrypt the eSIM certificate with the issuing public key to obtain the eSIM certificate ciphertext file to be signed, and to sign that file with the user certificate private key to obtain the eSIM certificate ciphertext signature.
  • FIG. 8 is a schematic structural diagram of a system for issuing an eSIM certificate online according to an embodiment of the present application. As shown in FIG. 8, the system includes: an IoT terminal 801 and a CI certificate server 802, where:
  • the Internet of Things terminal 801 is configured to initiate an online certificate issuance request carrying user information to the CI certificate server 802; to receive the user certificate and CI certificate issued by the CI certificate server 802; to obtain, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed and sign it to obtain an eSIM certificate ciphertext request signature; to transmit both to the CI certificate server 802; and to receive and parse the returned eSIM certificate ciphertext file to be signed and eSIM certificate ciphertext signature to obtain and store the eSIM certificate.
  • the CI certificate server 802 is configured to receive the online certificate issuance request carrying user information sent by the IoT terminal 801 and authenticate the user information; if the authentication passes, to issue a user certificate with the CI certificate private key and send the user certificate and CI certificate to the IoT terminal 801; to receive the returned eSIM certificate ciphertext request file to be signed and eSIM certificate ciphertext request signature; to issue an eSIM certificate on the basis of the user certificate and those two items; and to encrypt the issued eSIM certificate and send the resulting eSIM certificate ciphertext file to be signed and eSIM certificate ciphertext signature to the IoT terminal 801.
  • an embodiment of the present application provides a computer device 900 for executing the method for issuing an eSIM certificate online of FIGS. 1 to 5.
  • the device includes a memory 901, a processor 902, and a computer program stored in the memory 901 that can run on the processor 902; when the processor 902 executes the computer program, the steps of the method for issuing an eSIM certificate online are implemented.
  • the memory 901 and the processor 902 can be a general-purpose memory and processor and are not specifically limited here; when the processor 902 runs the computer program stored in the memory 901, the foregoing method for issuing an eSIM certificate online can be executed.
  • an embodiment of the present application further provides a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program which, when run by a processor, performs the steps of the above-mentioned method for issuing an eSIM certificate online.
  • the storage medium can be a general-purpose storage medium, such as a removable disk or a hard disk; when the computer program on the storage medium is run, the method for issuing an eSIM certificate online can be performed.
  • the disclosed apparatus and method may be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division of the unit is only a logical function division.
  • multiple units or components may be combined or integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some communication interfaces, devices or units, which may be electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objective of the solution of this embodiment.
  • the functional units in the embodiments provided in this application may be integrated into one processing unit, or each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of this application is essentially a part that contributes to the existing technology or a part of the technical solution can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present application.
  • the foregoing storage media include: USB flash disk, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk and other media that can store program code.

Abstract

The present application provides a method, apparatus and system for issuing an eSIM certificate online. The method includes: initiating, to a CI certificate server, an online certificate issuance request carrying user information; receiving a user certificate and a CI certificate issued by the CI certificate server for the authenticated user information; obtaining, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and signing it to obtain an eSIM certificate ciphertext request signature; transmitting the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server; receiving the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature that the CI certificate server returns on the basis of the eSIM certificate ciphertext request file to be signed, the eSIM certificate ciphertext request signature and the user certificate, and parsing them to obtain and store the eSIM certificate. The operation and maintenance cost of eSIM cards can thereby be effectively reduced.

Description

Method, apparatus and system for issuing an eSIM certificate online
Technical field
The present application relates to the technical field of digital certificates, and in particular to a method, apparatus and system for issuing an embedded Subscriber Identity Module (eSIM) certificate online.
Background
An eSIM card embeds the SIM directly in the chip of an electronic device, so no card slot is needed. This avoids the poor slot contact caused by dust entering the slot or by strong vibration, giving devices that use eSIM cards dust-proof, water-proof and shock-proof advantages. Moreover, with an eSIM card the user can freely choose an operator and use that operator's cellular network, which meets personalised network-access needs and is widely applied in all kinds of Internet of Things fields.
SIM card issuance works as follows: the operator entrusts its subscription data (profile) to a qualified card manufacturer, which preloads the operator's profile file into the SIM card during production. An eSIM card, by contrast, needs no preloaded profile during production; only the certificates used for downloading a profile need to be preloaded, so that the card can authenticate with the card manufacturer on the basis of the preloaded certificates and then choose an operator freely. Specifically, during eSIM card production the card manufacturer issues an eSIM certificate for each produced card and preloads the Certificate Issuer (CI) certificate, the Embedded Universal Integrated Circuit Card Manufacturer (EUM) certificate and the issued eSIM certificate into the card. Here the CI certificate (CI_CERT) is the root certificate of the certificate issuer, the EUM certificate (EUM_CERT) is the root certificate that the certificate issuer issues to the card manufacturer, and the eSIM certificate (eSIM_CERT) is the certificate the card manufacturer issues to the eSIM card; each card manufacturer maintains its own EUM_CERT. When a profile of some operator is needed, the IoT terminal user uses the certificates preloaded in the eSIM card to authenticate online with the CI certificate server through the Local Profile Assistant (LPA); after authentication passes, the required profile is downloaded securely from the CI certificate server and installed, and the IoT terminal can then register on the cellular network of the operator corresponding to that profile, achieving free operator selection.
However, this preloaded-eSIM-certificate method requires every card manufacturer to maintain its own EUM_CERT and to maintain the issuance and management of eSIM certificates for the cards it produces. The card manufacturer's operation and maintenance cost is therefore high, and because the certificate issuance process is embedded in the eSIM card production process, it also increases the manufacturer's capacity burden and raises the operation and maintenance cost of eSIM cards. At the same time, the intermediate link (the card manufacturer maintaining the EUM certificate and issuing and managing eSIM certificates) increases the security risk. Further, for eSIM cards without a physical card such as a Universal Integrated Circuit Card (UICC), for example a Trusted Execution Environment (TEE) SIM or an integrated UICC (iUICC), the card manufacturer preloads no certificate at all before the product leaves the factory, so such products cannot yet register on an operator's cellular network on their own.
Summary
In view of this, the purpose of the present application is to provide a method, apparatus and system for issuing an eSIM certificate online, so as to solve the problem in the prior art that the operation and maintenance cost of eSIM cards is high.
In a first aspect, an embodiment of the present application provides a method for issuing an eSIM certificate online, applied to an IoT terminal, the method including:
initiating an online certificate issuance request to a certificate issuer (CI) certificate server, the online certificate issuance request carrying user information;
receiving a user certificate and a CI certificate issued by the CI certificate server for the authenticated user information;
obtaining, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and signing the eSIM certificate ciphertext request file to be signed to obtain an eSIM certificate ciphertext request signature;
transmitting the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server;
receiving the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature returned by the CI certificate server on the basis of the eSIM certificate ciphertext request file to be signed, the eSIM certificate ciphertext request signature and the user certificate, and parsing the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature to obtain and store the eSIM certificate.
In a second aspect, an embodiment of the present application provides a method for issuing an embedded Subscriber Identity Module (eSIM) certificate online, applied to a certificate issuer (CI) certificate server, the method including:
receiving an online certificate issuance request carrying user information sent by an IoT terminal, and authenticating the user information;
if the authentication passes, extracting the CI certificate private key of the pre-stored CI certificate, issuing a user certificate with the extracted CI certificate private key, and sending the user certificate and the CI certificate to the IoT terminal;
receiving the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature returned by the IoT terminal on the basis of the user certificate and the CI certificate;
issuing an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature;
encrypting the issued eSIM certificate and sending the encrypted eSIM certificate to the IoT terminal.
In a third aspect, an embodiment of the present application provides an apparatus for issuing an eSIM certificate online, the apparatus including:
an online certificate issuance request module, configured to initiate an online certificate issuance request to a certificate issuer (CI) certificate server, the online certificate issuance request carrying user information;
a user certificate receiving module, configured to receive a user certificate and a CI certificate issued by the CI certificate server for the authenticated user information;
a signature file generating module, configured to obtain, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and to sign it to obtain an eSIM certificate ciphertext request signature;
a signature file transmission module, configured to transmit the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server;
an eSIM certificate parsing module, configured to receive the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature returned by the CI certificate server on the basis of the eSIM certificate ciphertext request file to be signed, the eSIM certificate ciphertext request signature and the user certificate, and to parse them to obtain and store the eSIM certificate.
In a fourth aspect, an embodiment of the present application provides an apparatus for issuing an eSIM certificate online, the apparatus including:
an authentication module, configured to receive an online certificate issuance request carrying user information sent by an IoT terminal and to authenticate the user information;
a user certificate issuing module, configured, if the authentication passes, to extract the CI certificate private key of the pre-stored certificate issuer (CI) certificate, issue a user certificate with the extracted CI certificate private key, and send the user certificate and the CI certificate to the IoT terminal;
a signature file receiving module, configured to receive the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature returned by the IoT terminal on the basis of the user certificate and the CI certificate;
an eSIM certificate issuing module, configured to issue an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature;
an eSIM certificate encryption processing module, configured to encrypt the issued eSIM certificate and send the encrypted eSIM certificate to the IoT terminal.
In a fifth aspect, an embodiment of the present application provides a system for issuing an eSIM certificate online, the system including an IoT terminal and a certificate issuer (CI) certificate server, where:
the IoT terminal is configured to initiate an online certificate issuance request to the certificate server, the online certificate issuance request carrying user information;
to receive the user certificate and the CI certificate issued by the CI certificate server;
to obtain, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and to sign it to obtain an eSIM certificate ciphertext request signature;
to transmit the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server;
and to receive the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature returned by the CI certificate server, and parse them to obtain and store the eSIM certificate;
the CI certificate server is configured to receive the online certificate issuance request carrying user information sent by the IoT terminal and to authenticate the user information;
if the authentication passes, to extract the CI certificate private key of the pre-stored CI certificate, issue a user certificate with the extracted CI certificate private key, and send the user certificate and the CI certificate to the IoT terminal;
to receive the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature returned by the IoT terminal;
to issue an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature;
and to encrypt the issued eSIM certificate and send the encrypted eSIM certificate ciphertext signature to the IoT terminal.
In a sixth aspect, an embodiment of the present application provides a computer device including a memory, a processor and a computer program stored in the memory and runnable on the processor, the processor implementing the steps of the above method when executing the computer program.
In a seventh aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program which, when run by a processor, performs the steps of the above method.
In the method, apparatus and system for issuing an eSIM certificate online provided by the embodiments of the present application, the IoT terminal initiates an online certificate issuance request carrying user information to the CI certificate server. The CI certificate server maintains each user's user certificate and issues eSIM certificates for users: it issues a user certificate and the CI certificate to the user; the IoT terminal generates from the received user certificate and CI certificate the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature and sends them to the CI certificate server; and the CI certificate server, after verifying the signature, issues the eSIM certificate for that user. In this way a certificate is obtained online without any certificate being preloaded in the eSIM card, the eSIM card gains the ability to download a profile, and the operation and maintenance cost of eSIM cards is effectively reduced.
To make the above objects, features and advantages of the present application clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present application and should not be regarded as limiting its scope; a person of ordinary skill in the art can derive other related drawings from them without creative effort.
FIG. 1 is a schematic flowchart of the method for issuing an eSIM certificate online according to an embodiment of the present application;
FIG. 2 is a schematic flowchart of step 103 of FIG. 1 according to an embodiment of the present application;
FIG. 3 is another schematic flowchart of the method for issuing an eSIM certificate online according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of step 304 of FIG. 3 according to an embodiment of the present application;
FIG. 5 is a detailed schematic flowchart of the method for issuing an eSIM certificate online according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of the apparatus for issuing an eSIM certificate online according to an embodiment of the present application;
FIG. 7 is another schematic structural diagram of the apparatus for issuing an eSIM certificate online according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of the system for issuing an eSIM certificate online according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a computer device 900 according to an embodiment of the present application.
Detailed description
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. The components of the embodiments generally described and shown in the drawings here can be arranged and designed in many different configurations. The following detailed description of the embodiments provided in the drawings is therefore not intended to limit the claimed scope of the present application but merely represents selected embodiments. All other embodiments obtained by a person skilled in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present application.
FIG. 1 is a schematic flowchart of the method for issuing an eSIM certificate online according to an embodiment of the present application. As shown in FIG. 1, the method is applied to an IoT terminal and includes:
Step 101: initiate an online certificate issuance request to the CI certificate server, the online certificate issuance request carrying user information;
In this embodiment, an eSIM card without a physical UICC form, for example a TEE SIM or an iUICC, has no built-in certificate. As an optional embodiment, the IoT terminal can therefore initiate the online certificate issuance request to the CI certificate server through the LPA in order to obtain the corresponding certificates from the CI certificate server. Afterwards the eSIM card of the IoT terminal uses the obtained certificates to securely download and install the required profile from the CI certificate server.
In this embodiment, no certificate is preloaded in the eSIM card during production. When a user uses an IoT terminal equipped with an eSIM card (such as a smart watch or a tablet), the terminal must be connected (Wi-Fi, Bluetooth, etc.) in order to apply online for an eSIM certificate and thereby obtain the profile download service.
In this embodiment, as an optional embodiment, the user information includes but is not limited to a user identifier (USER_ID) and/or a mobile phone number, where the user identifier includes but is not limited to any one or a combination of identity card information, passport information, fingerprint information and social security card number. For example, the user information includes identity card information and mobile phone number information.
Step 102: receive the user certificate and the CI certificate issued by the CI certificate server for the authenticated user information;
In this embodiment, when the IoT terminal user needs a certificate built into the eSIM card, the LPA in the IoT terminal sends the online certificate issuance request to the CI certificate server. After the CI certificate server has authenticated the IoT terminal user, it issues a user certificate (USER_CERT) for that user and delivers USER_CERT and CI_CERT to the eSIM card of the IoT terminal.
In this embodiment, the CI certificate server no longer issues an EUM_CERT to the card manufacturer; instead it issues a USER_CERT to the user, and the issued USER_CERT is used in the CI certificate server to issue the eSIM_CERT to the eSIM card. That is, the CI certificate server issues one second-level certificate (USER_CERT) to each IoT terminal user or enterprise user and then uses that USER_CERT to issue an eSIM_CERT to the eSIM card in each IoT terminal; all certificates are issued by the CI certificate server. The card manufacturer then neither maintains its own EUM_CERT nor maintains the issuance and management of eSIM certificates for the cards it produces, the certificate issuance process is no longer embedded in the eSIM card production process, and the CI certificate server maintains and manages each user's USER_CERT centrally. This effectively frees the card manufacturer's capacity and lowers the operation and maintenance cost of eSIM cards. Further, having the CI certificate server maintain both USER_CERT issuance and eSIM_CERT issuance removes an intermediate link and thus the security risk that link introduces.
Step 103: obtain, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and sign it to obtain an eSIM certificate ciphertext request signature;
In this embodiment, first, the CI_CERT public key is extracted from the received CI_CERT and used to verify the signature of USER_CERT. If the signature verifies, an issuing public key (PK_USER) and an issuing private key (SK_USER) for the eSIM_CERT are generated, and an eSIM certificate request file (CSR_USER, Certificate Signing Request_USER) is generated with PK_USER.
Second, the USER_CERT public key is extracted from the received USER_CERT and used to encrypt the CSR_USER file, giving the eSIM certificate ciphertext request file to be signed (SIGN_CSR_USER). The application does not fix the cipher; in practice a public key can directly encrypt only a short message, so a whole CSR is encrypted with a symmetric key that is itself wrapped with the USER_CERT public key.
Finally, the SIGN_CSR_USER file is signed with SK_USER to obtain the eSIM certificate ciphertext request signature.
Step 104: transmit the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server;
In this embodiment, the eSIM card of the IoT terminal sends the SIGN_CSR_USER file and SIGNATURE_CSR_USER to the CI certificate server through the LPA in the IoT terminal.
Step 105: receive the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature returned by the CI certificate server on the basis of the eSIM certificate ciphertext request file to be signed, the eSIM certificate ciphertext request signature and the user certificate, and parse them to obtain and store the eSIM certificate.
In this embodiment, the eSIM card receives the eSIM certificate ciphertext file to be signed (SIGN_eSIM_CERT) and the eSIM certificate ciphertext signature (SIGNATURE_eSIM_CERT) returned by the CI certificate server. The CI certificate server generates the SIGN_eSIM_CERT file and SIGNATURE_eSIM_CERT from the received SIGN_CSR_USER file and SIGNATURE_CSR_USER and from the user certificate issued to that user. The eSIM card of the IoT terminal obtains eSIM_CERT from the SIGN_eSIM_CERT file and SIGNATURE_eSIM_CERT.
In this embodiment, the IoT terminal initiates an online certificate issuance request carrying user information to the CI certificate server; the CI certificate server maintains each user's user certificate and, after authenticating the user identifier, issues a user certificate and the CI certificate to the corresponding user. The IoT terminal generates from the received user certificate and CI certificate the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature and sends them to the CI certificate server, which verifies the signature and then issues the eSIM certificate for that user. Thus the card manufacturer need not maintain its own EUM_CERT or the issuance and management of eSIM certificates for the cards it produces, a certificate is obtained without being preloaded in the eSIM card, the eSIM card gains the ability to download a profile, and the operation and maintenance cost of eSIM cards is effectively reduced. At the same time, issuing certificates online avoids the idle resources caused by preloaded certificates and the economic loss caused by leaked preloaded certificates. Further, separating the certificate issuance process from the eSIM card production process frees the card manufacturer's capacity, since it no longer maintains eSIM certificate issuance and management for the cards it produces; and having the CI certificate server centrally maintain each user's user certificate issuance and eSIM certificate issuance involves only certificate management between the eSIM card and the CI certificate server, removing the card manufacturer as an intermediate link and lowering the security risk and resource overhead that link causes. In addition, eSIM cards without a physical card such as a UICC can obtain certificates directly by the method of this embodiment, so such products can register on an operator's cellular network on their own.
FIG. 2 is a schematic flowchart of step 103 of FIG. 1 according to an embodiment of the present application. As shown in FIG. 2, the flow includes:
Step 201: extract the CI certificate public key contained in the CI certificate and verify the signature of the user certificate with the extracted CI certificate public key;
In this embodiment, CI_CERT contains the CI_CERT public key.
Step 202: if the signature verifies, generate the issuing public key and issuing private key used for the eSIM certificate, and generate an eSIM certificate request file with the issuing public key;
In this embodiment, after receiving USER_CERT the eSIM card extracts the signature of USER_CERT and verifies it with the CI_CERT public key; once that verification passes, the eSIM card generates the issuing public key (PK_USER) and issuing private key (SK_USER) for the eSIM_CERT according to a preset algorithm.
In this embodiment, as an optional embodiment, the eSIM certificate request file includes the issuing public key, CI server information, extensions, the certificate validity period, and so on.
Step 203: extract the user certificate public key contained in the user certificate and encrypt the eSIM certificate request file with the user certificate public key to obtain the eSIM certificate ciphertext request file to be signed;
In this embodiment, the eSIM certificate ciphertext request file to be signed is the SIGN_CSR_USER file.
Step 204: sign the eSIM certificate ciphertext request file to be signed with the issuing private key to obtain the eSIM certificate ciphertext request signature.
In this embodiment, the eSIM certificate ciphertext request signature is SIGNATURE_CSR_USER, the signature over the SIGN_CSR_USER file. Because it is computed over the ciphertext rather than over CSR_USER, the CI certificate server can only check it after decrypting SIGN_CSR_USER and taking PK_USER from the recovered request file.
In this embodiment, as an optional embodiment, parsing the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature to obtain the eSIM certificate includes:
A11: verify the eSIM certificate ciphertext signature with the user certificate public key;
In this embodiment, the eSIM card verifies with the USER_CERT public key.
A12: if verification succeeds, decrypt the eSIM certificate ciphertext file to be signed with the issuing private key to obtain the eSIM certificate.
FIG. 3 is another schematic flowchart of the method for issuing an eSIM certificate online according to an embodiment of the present application. As shown in FIG. 3, the method is applied to a CI certificate server and includes:
Step 301: receive an online certificate issuance request carrying user information sent by an IoT terminal, and authenticate the user information;
In this embodiment, the CI certificate server transmits the user information (USER_ID and mobile phone number) to the real-name authentication system, which verifies the user information that initiated the online certificate issuance request.
Step 302: if the authentication passes, extract the CI certificate private key of the pre-stored CI certificate, issue a user certificate with the extracted CI certificate private key, and send the user certificate and the CI certificate to the IoT terminal; an X.509 certificate itself carries only the public key, so the CI certificate private key referred to here is the key the CI certificate server stores alongside CI_CERT, and it never leaves the server.
In this embodiment, as an optional embodiment, after the authentication passes and before the CI certificate private key is extracted, the method further includes:
querying whether a user certificate account corresponding to the user information is stored and, if not, constructing a user certificate account from the user information.
In this embodiment, the CI certificate server manages user certificates centrally: each user has one user certificate account, used to maintain the USER_CERTs issued to that user, and one user certificate account contains one or more USER_CERTs.
Step 303: receive the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature returned by the IoT terminal on the basis of the user certificate and the CI certificate;
Step 304: issue an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature;
Step 305: encrypt the issued eSIM certificate and send the encrypted eSIM certificate to the IoT terminal.
In this embodiment, encrypting the issued eSIM certificate includes:
encrypting the eSIM certificate with the issuing public key to obtain the eSIM certificate ciphertext file to be signed;
signing the eSIM certificate ciphertext file to be signed with the user certificate private key of the user certificate to obtain the eSIM certificate ciphertext signature.
In this embodiment, the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature are sent to the IoT terminal, which can then parse them to obtain and store the eSIM certificate.
In this embodiment, after receiving the online certificate issuance request the CI certificate server issues a user certificate to the requesting user and returns the issued user certificate together with the CI certificate to that user; then, through mutual authentication with the user, it issues an eSIM certificate for that user. The eSIM certificate is thereby issued online, with no eSIM certificate preloaded in the eSIM card.
FIG. 4 is a schematic flowchart of step 304 of FIG. 3 according to an embodiment of the present application. As shown in FIG. 4, the flow includes:
Step 401: decrypt the eSIM certificate ciphertext request file to be signed with the user certificate private key of the user certificate to obtain the eSIM certificate request file;
Step 402: extract the issuing public key from the eSIM certificate request file and verify the eSIM certificate ciphertext request signature with the issuing public key;
Step 403: if the signature verifies, sign the eSIM certificate request file with the user certificate private key to obtain the eSIM certificate.
In this embodiment, as an optional embodiment, encrypting the issued eSIM certificate includes:
B11: encrypt the eSIM certificate with the issuing public key to obtain the eSIM certificate ciphertext file to be signed;
B12: sign the eSIM certificate ciphertext file to be signed with the user certificate private key of the user certificate to obtain the eSIM certificate ciphertext signature.
FIG. 5 is a detailed schematic flowchart of the method for issuing an eSIM certificate online according to an embodiment of the present application. As shown in FIG. 5, the method includes:
Step 501: initiate an online certificate issuance request to the CI certificate server through the LPA, the online certificate issuance request carrying user information;
In this embodiment, the IoT terminal user (an individual user or an enterprise user) initiates the online certificate application to the CI certificate server through the LPA. The online certificate issuance request contains user information, which includes a user identifier (USER_ID) and the user's mobile phone number.
Step 502: the CI certificate server transmits the user information carried in the online certificate issuance request to the real-name authentication system for real-name authentication;
In this embodiment, the CI certificate server transmits the user information (USER_ID and mobile phone number) to the real-name authentication system, which verifies the user information that initiated the online certificate issuance request.
In this embodiment, because one USER_ID is allowed to have several mobile phone numbers, the user information is real-name authenticated every time the user initiates an online certificate issuance request.
Step 503: receive the real-name authentication result returned by the real-name authentication system;
In this embodiment, the real-name authentication system authenticates according to the user information and returns the real-name authentication result to the CI certificate server.
Step 504: if the real-name authentication result is "passed", extract the CI_CERT private key and issue a USER_CERT with it;
In this embodiment, if the real-name authentication result is "not passed", the CI certificate server rejects the online certificate issuance request initiated by the user. If it is "passed", the CI certificate server queries whether it stores a user certificate account corresponding to the user information; if not, it constructs a user certificate account from the user information, then extracts the CI_CERT private key and issues a USER_CERT with it; if so, it directly extracts the CI_CERT private key and issues a USER_CERT with it.
In this embodiment, USER_ID and the mobile phone number together serve as the unique identifier of the user certificate account, and one user certificate account contains one or more USER_CERTs.
Step 505: the CI certificate server returns CI_CERT and the issued USER_CERT to the LPA;
Step 506: the LPA returns CI_CERT and USER_CERT to the eSIM card.
Step 507: extract the CI_CERT public key contained in CI_CERT and verify the signature of USER_CERT with it;
Step 508: if the signature verifies, generate PK_USER and SK_USER for the eSIM_CERT and generate a CSR_USER file with PK_USER;
Step 509: extract the USER_CERT public key contained in USER_CERT and encrypt the CSR_USER file with it to obtain the SIGN_CSR_USER file;
Step 510: sign the SIGN_CSR_USER file with SK_USER to obtain SIGNATURE_CSR_USER;
Step 511: send the SIGN_CSR_USER file and SIGNATURE_CSR_USER to the LPA;
Step 512: the LPA sends the SIGN_CSR_USER file and SIGNATURE_CSR_USER to the CI certificate server;
Step 513: the CI certificate server decrypts the SIGN_CSR_USER file with the USER_CERT private key to obtain the CSR_USER file;
Step 514: extract PK_USER from the CSR_USER file and verify SIGNATURE_CSR_USER with PK_USER;
Step 515: if the signature verifies, sign the CSR_USER file with the USER_CERT private key to obtain eSIM_CERT;
Step 516: encrypt eSIM_CERT with PK_USER to obtain the eSIM certificate ciphertext file to be signed (SIGN_eSIM_CERT);
Step 517: sign the SIGN_eSIM_CERT file with the USER_CERT private key to obtain the eSIM certificate ciphertext signature (SIGNATURE_eSIM_CERT);
Step 518: deliver the SIGN_eSIM_CERT file and SIGNATURE_eSIM_CERT to the LPA;
In this embodiment, the CI certificate server delivers SIGN_eSIM_CERT and SIGNATURE_eSIM_CERT together to the LPA, which completes the online certificate issuance.
Step 519: deliver the SIGN_eSIM_CERT file and SIGNATURE_eSIM_CERT to the eSIM card;
Step 520: the eSIM card verifies SIGNATURE_eSIM_CERT over the SIGN_eSIM_CERT file with the USER_CERT public key;
Step 521: if the signature verifies, decrypt the SIGN_eSIM_CERT file with SK_USER to obtain eSIM_CERT and store it;
In this embodiment, if the signature verification fails, the process is terminated.
Step 522: return the card-writing success result to the LPA;
Step 523: according to the card-writing success result, the LPA notifies the user that the profile download service has been activated.
In this embodiment, the LPA prompts the user that the online application for the profile download service succeeded.
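The full exchange of FIG. 5, with the CI certificate server side of FIGS. 3 and 4 and the eSIM card side of FIGS. 1 and 2 in one program, as an added example in Go using only the standard library; this is not code from the original application or from its applicant. The application fixes no algorithms, so RSA-2048 with SHA-256 signatures is assumed, and "encrypt with the public key" is implemented as hybrid encryption (a random AES-256-GCM key wrapped with RSA-OAEP), because a DER-encoded CSR or certificate does not fit in a single RSA block. The real-name authentication system is replaced by a constructed lookup table, the account key "USER_ID|phone" and the eSIM subject "eSIM-<USER_ID>" are made-up conventions, and the account key is passed explicitly on the second request because the application does not say how the server links the two requests. The chain check and the PK_USER comparison in Install go beyond step 521, which only verifies, decrypts and stores.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must turns setup failures (key generation, DER encoding) into panics so the protocol steps stay readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

const caUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment

// The application fixes no certificate profile: CN-only names and a one-year validity are assumed.
func template(cn string, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku}
}
func issue(tmpl, parent *x509.Certificate, pub any, signer *rsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// seal is the page's "encrypt with the public key". A DER CSR or certificate exceeds one RSA block, so a fresh
// AES-256-GCM key encrypts the message and RSA-OAEP wraps that key. Layout: wrappedKey || nonce || ciphertext.
func seal(pub *rsa.PublicKey, msg []byte) []byte {
	key, nonce := make([]byte, 32), make([]byte, 12)
	must(rand.Read(key))
	must(rand.Read(nonce))
	wrap := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil))
	return append(append(wrap, nonce...), must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nil, nonce, msg, nil)...)
}
func unseal(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.Size()
	if len(blob) < n+12 {
		return nil, errors.New("ciphertext too short")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:n], nil)
	if err != nil {
		return nil, err
	}
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, blob[n:n+12], blob[n+12:], nil)
}
func sign(priv *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]))
}
func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// userCred is one certificate with its private key. A certificate carries only a public key, so the
// "private key contained in the certificate" on the page is this key, kept by the CI server next to the certificate.
type userCred struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

// CIServer holds CI_CERT and one user certificate account per "USER_ID|phone"; verified is a constructed
// stand-in for the real-name authentication system of steps 502-503.
type CIServer struct {
	ci       userCred
	verified map[string]bool
	accounts map[string]userCred
}

func NewCIServer(verified map[string]bool) *CIServer {
	k, t := must(rsa.GenerateKey(rand.Reader, 2048)), template("CI_CERT", caUsage)
	return &CIServer{userCred{k, issue(t, t, &k.PublicKey, k)}, verified, map[string]userCred{}}
}

// Steps 501-505: authenticate the user information, then issue USER_CERT under CI_CERT and return both.
func (s *CIServer) IssueUserCert(userID, phone string) (userCert, ciCert []byte, err error) {
	acct := userID + "|" + phone
	if !s.verified[acct] {
		return nil, nil, errors.New("real-name authentication failed")
	}
	k := must(rsa.GenerateKey(rand.Reader, 2048))
	s.accounts[acct] = userCred{k, issue(template("USER_CERT "+acct, caUsage), s.ci.cert, &k.PublicKey, s.ci.key)}
	return s.accounts[acct].cert.Raw, s.ci.cert.Raw, nil
}

// Steps 513-517: decrypt SIGN_CSR_USER, check SIGNATURE_CSR_USER with PK_USER taken from the CSR, issue
// eSIM_CERT under USER_CERT, encrypt it to PK_USER (SIGN_eSIM_CERT) and sign that ciphertext (SIGNATURE_eSIM_CERT).
func (s *CIServer) IssueESIMCert(acct string, signCSR, sigCSR []byte) (signESIM, sigESIM []byte, err error) {
	u, ok := s.accounts[acct]
	if !ok {
		return nil, nil, errors.New("unknown user certificate account")
	}
	csrDER, err := unseal(u.key, signCSR)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, err
	}
	pkUser, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || csr.CheckSignature() != nil || verify(pkUser, signCSR, sigCSR) != nil {
		return nil, nil, errors.New("CSR_USER proof of possession failed")
	}
	esim := issue(template(csr.Subject.CommonName, x509.KeyUsageDigitalSignature), u.cert, pkUser, u.key)
	signESIM = seal(pkUser, esim.Raw)
	return signESIM, sign(u.key, signESIM), nil
}

// ESIM models a card that leaves the factory with no certificate at all.
type ESIM struct {
	eid              string
	key              *rsa.PrivateKey // SK_USER
	ciCert, userCert *x509.Certificate
	Cert             *x509.Certificate // eSIM_CERT once written
}

// Steps 507-510: verify USER_CERT with the CI public key, generate PK_USER/SK_USER, build CSR_USER,
// encrypt it to USER_CERT (SIGN_CSR_USER) and sign the ciphertext with SK_USER (SIGNATURE_CSR_USER).
func (e *ESIM) BuildRequest(userDER, ciDER []byte) (signCSR, sigCSR []byte, err error) {
	e.ciCert, e.userCert = must(x509.ParseCertificate(ciDER)), must(x509.ParseCertificate(userDER))
	if err = e.userCert.CheckSignatureFrom(e.ciCert); err != nil {
		return nil, nil, err
	}
	e.key = must(rsa.GenerateKey(rand.Reader, 2048))
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: e.eid}}, e.key))
	signCSR = seal(e.userCert.PublicKey.(*rsa.PublicKey), csr)
	return signCSR, sign(e.key, signCSR), nil
}

// Steps 520-521, plus two checks the page leaves implicit: the chain eSIM_CERT -> USER_CERT -> CI_CERT
// verifies, and the certificate really carries this card's PK_USER.
func (e *ESIM) Install(signESIM, sigESIM []byte) error {
	if err := verify(e.userCert.PublicKey.(*rsa.PublicKey), signESIM, sigESIM); err != nil {
		return err
	}
	der, err := unseal(e.key, signESIM)
	if err != nil {
		return err
	}
	cert := must(x509.ParseCertificate(der))
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(e.ciCert)
	inter.AddCert(e.userCert)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if !cert.PublicKey.(*rsa.PublicKey).Equal(&e.key.PublicKey) {
		return errors.New("eSIM_CERT does not carry PK_USER")
	}
	e.Cert = cert
	return nil
}

// RunProtocol drives the whole exchange of FIG. 5 for one user and returns the installed eSIM_CERT.
func RunProtocol(userID, phone string) (*x509.Certificate, error) {
	srv := NewCIServer(map[string]bool{"U-0001|13800000000": true}) // constructed registry of authenticated users
	userDER, ciDER, err := srv.IssueUserCert(userID, phone)
	if err != nil {
		return nil, err
	}
	card := &ESIM{eid: "eSIM-" + userID}
	signCSR, sigCSR, err := card.BuildRequest(userDER, ciDER)
	if err != nil {
		return nil, err
	}
	signESIM, sigESIM, err := srv.IssueESIMCert(userID+"|"+phone, signCSR, sigCSR)
	if err != nil {
		return nil, err
	}
	if err := card.Install(signESIM, sigESIM); err != nil {
		return nil, err
	}
	return card.Cert, nil
}
```

RunProtocol("U-0001", "13800000000") returns an eSIM_CERT whose issuer is the USER_CERT of that account and whose root is CI_CERT; a phone number that is not in the constructed registry is rejected at step 504 before any key is generated for the user. Note that SIGNATURE_CSR_USER is checked only after decryption, with PK_USER recovered from the CSR, so the signature binds the ciphertext to the key inside it and nothing else: the server still relies on the real-name authentication of step 502 to know who is asking.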
FIG. 6 is a schematic structural diagram of the apparatus for issuing an eSIM certificate online according to an embodiment of the present application. As shown in FIG. 6, the apparatus includes:
an online certificate issuance request module 601, configured to initiate an online certificate issuance request to the CI certificate server, the online certificate issuance request carrying user information;
a user certificate receiving module 602, configured to receive the user certificate and the CI certificate issued by the CI certificate server for the authenticated user information;
a signature file generating module 603, configured to obtain, based on the received user certificate and CI certificate, the eSIM certificate ciphertext request file to be signed and sign it to obtain the eSIM certificate ciphertext request signature;
a signature file transmission module 604, configured to transmit the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server;
an eSIM certificate parsing module 605, configured to receive the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature returned by the CI certificate server on the basis of the eSIM certificate ciphertext request file to be signed, the eSIM certificate ciphertext request signature and the user certificate, and to parse them to obtain and store the eSIM certificate.
In this embodiment, as an optional embodiment, the signature file generating module 603 is specifically configured to:
extract the CI certificate public key contained in the CI certificate and verify the signature of the user certificate with the extracted CI certificate public key;
if the signature verifies, generate the issuing public key and issuing private key for the eSIM certificate and generate the eSIM certificate request file with the issuing public key;
extract the user certificate public key contained in the user certificate and encrypt the eSIM certificate request file with the user certificate public key to obtain the eSIM certificate ciphertext request file to be signed;
sign the eSIM certificate ciphertext request file to be signed with the issuing private key to obtain the eSIM certificate ciphertext request signature.
In this embodiment, as an optional embodiment, parsing the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature to obtain the eSIM certificate includes:
verifying the eSIM certificate ciphertext signature with the user certificate public key;
if verification succeeds, decrypting the eSIM certificate ciphertext file to be signed with the issuing private key to obtain the eSIM certificate.
FIG. 7 is another schematic structural diagram of the apparatus for issuing an eSIM certificate online according to an embodiment of the present application. As shown in FIG. 7, the apparatus includes:
an authentication module 701, configured to receive an online certificate issuance request carrying user information sent by an IoT terminal and to authenticate the user information;
a user certificate issuing module 702, configured, if the authentication passes, to extract the CI certificate private key of the pre-stored CI certificate, issue a user certificate with the extracted CI certificate private key, and send the user certificate and the CI certificate to the IoT terminal;
a signature file receiving module 703, configured to receive the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature returned by the IoT terminal on the basis of the user certificate and the CI certificate;
an eSIM certificate issuing module 704, configured to issue an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature;
an eSIM certificate encryption processing module 705, configured to encrypt the issued eSIM certificate and send the encrypted eSIM certificate ciphertext signature to the IoT terminal.
In this embodiment, as an optional embodiment, after the authentication passes and before the CI certificate private key is extracted, the user certificate issuing module 702 is further configured to:
query whether a user certificate account corresponding to the user information is stored and, if not, construct a user certificate account from the user information.
In this embodiment, as an optional embodiment, the eSIM certificate issuing module 704 is specifically configured to:
decrypt the eSIM certificate ciphertext request file to be signed with the user certificate private key of the user certificate to obtain the eSIM certificate request file;
extract the issuing public key from the eSIM certificate request file and verify the eSIM certificate ciphertext request signature with the issuing public key;
if the signature verifies, sign the eSIM certificate request file with the user certificate private key to obtain the eSIM certificate.
In this embodiment, as an optional embodiment, the eSIM certificate encryption processing module 705 is specifically configured to:
encrypt the eSIM certificate with the issuing public key to obtain the eSIM certificate ciphertext file to be signed;
sign the eSIM certificate ciphertext file to be signed with the user certificate private key of the user certificate to obtain the eSIM certificate ciphertext signature.
FIG. 8 is a schematic structural diagram of the system for issuing an eSIM certificate online according to an embodiment of the present application. As shown in FIG. 8, the system includes an IoT terminal 801 and a CI certificate server 802, where:
the IoT terminal 801 is configured to initiate an online certificate issuance request to the certificate server 802, the online certificate issuance request carrying user information;
to receive the user certificate and the CI certificate issued by the CI certificate server 802;
to obtain, based on the received user certificate and CI certificate, the eSIM certificate ciphertext request file to be signed, and to sign it to obtain the eSIM certificate ciphertext request signature;
to transmit the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server 802;
and to receive the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature returned by the CI certificate server 802, and parse them to obtain and store the eSIM certificate;
the CI certificate server 802 is configured to receive the online certificate issuance request carrying user information sent by the IoT terminal 801 and to authenticate the user information;
if the authentication passes, to extract the CI certificate private key of the pre-stored CI certificate, issue a user certificate with the extracted CI certificate private key, and send the user certificate and the CI certificate to the IoT terminal 801;
to receive the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature returned by the IoT terminal 801;
to issue an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature;
and to encrypt the issued eSIM certificate and send the encrypted eSIM certificate ciphertext signature to the IoT terminal 801.
In this embodiment, for the specific structure of the IoT terminal and the CI certificate server, refer to the description of FIGS. 6 and 7, which is not repeated here.
As shown in FIG. 9, an embodiment of the present application provides a computer device 900 for executing the method for issuing an eSIM certificate online of FIGS. 1 to 5. The device includes a memory 901, a processor 902 and a computer program stored in the memory 901 and runnable on the processor 902; when the processor 902 executes the computer program, the steps of the above method for issuing an eSIM certificate online are implemented.
Specifically, the memory 901 and the processor 902 can be a general-purpose memory and processor and are not specifically limited here; when the processor 902 runs the computer program stored in the memory 901, the above method for issuing an eSIM certificate online can be executed.
Corresponding to the method for issuing an eSIM certificate online of FIGS. 1 to 5, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when run by a processor, performs the steps of the above method for issuing an eSIM certificate online.
Specifically, the storage medium can be a general-purpose storage medium, such as a removable disk or a hard disk; when the computer program on the storage medium is run, the above method for issuing an eSIM certificate online can be executed.
In the embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are only schematic; for example, the division into units is only a logical functional division, and other divisions are possible in actual implementation; as another example, several units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments provided by the present application may be integrated into one processing unit, each unit may exist separately and physically, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present application. The foregoing storage media include: USB flash disk, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk and other media that can store program code.
It should be noted that similar reference numerals and letters denote similar items in the following drawings, so once an item is defined in one drawing it need not be further defined or explained in subsequent drawings. In addition, the terms "first", "second", "third" and so on are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.
Finally, it should be noted that the above embodiments are only specific implementations of the present application, used to illustrate its technical solutions and not to limit them, and the scope of protection of the present application is not limited to them. Although the present application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that anyone familiar with the art can still modify the technical solutions recorded in the foregoing embodiments, readily conceive of changes, or make equivalent substitutions of some of their technical features within the technical scope disclosed in the present application; such modifications, changes or substitutions do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments, and are all covered by the scope of protection of the present application. The scope of protection of the present application is therefore defined by the claims.

Claims (10)

  1. A method for issuing an embedded Subscriber Identity Module (eSIM) certificate online, characterised in that it is applied to an IoT terminal and includes:
    initiating an online certificate issuance request to a certificate issuer (CI) certificate server, the online certificate issuance request carrying user information;
    receiving a user certificate and a CI certificate issued by the CI certificate server for the authenticated user information;
    obtaining, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and signing the eSIM certificate ciphertext request file to be signed to obtain an eSIM certificate ciphertext request signature;
    transmitting the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server;
    receiving an eSIM certificate ciphertext file to be signed and an eSIM certificate ciphertext signature returned by the CI certificate server on the basis of the eSIM certificate ciphertext request file to be signed, the eSIM certificate ciphertext request signature and the user certificate, and parsing the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature to obtain and store an eSIM certificate.
  2. The method according to claim 1, characterised in that obtaining, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and signing the eSIM certificate ciphertext request file to be signed to obtain an eSIM certificate ciphertext request signature, includes:
    extracting the CI certificate public key contained in the CI certificate and verifying the signature of the user certificate with the extracted CI certificate public key;
    if the signature verifies, generating an issuing public key and an issuing private key for the eSIM certificate, and generating an eSIM certificate request file with the issuing public key;
    extracting the user certificate public key contained in the user certificate and encrypting the eSIM certificate request file with the user certificate public key to obtain the eSIM certificate ciphertext request file to be signed;
    signing the eSIM certificate ciphertext request file to be signed with the issuing private key to obtain the eSIM certificate ciphertext request signature.
  3. The method according to claim 2, characterised in that parsing the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature to obtain an eSIM certificate includes:
    verifying the eSIM certificate ciphertext signature with the user certificate public key;
    if verification succeeds, decrypting the eSIM certificate ciphertext file to be signed with the issuing private key to obtain the eSIM certificate.
  4. A method for issuing an embedded Subscriber Identity Module (eSIM) certificate online, characterised in that it is applied to a certificate issuer (CI) certificate server and includes:
    receiving an online certificate issuance request carrying user information sent by an IoT terminal, and authenticating the user information;
    if the authentication passes, extracting the CI certificate private key of the pre-stored CI certificate, issuing a user certificate with the extracted CI certificate private key, and sending the user certificate and the CI certificate to the IoT terminal;
    receiving an eSIM certificate ciphertext request file to be signed and an eSIM certificate ciphertext request signature returned by the IoT terminal on the basis of the user certificate and the CI certificate;
    issuing an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature;
    encrypting the issued eSIM certificate and sending the encrypted eSIM certificate to the IoT terminal.
  5. The method according to claim 4, characterised in that, after the authentication passes and before extracting the CI certificate private key of the pre-stored CI certificate, the method further includes:
    querying whether a user certificate account corresponding to the user information is stored and, if not, constructing a user certificate account from the user information.
  6. The method according to claim 4, characterised in that issuing an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature includes:
    decrypting the eSIM certificate ciphertext request file to be signed with the user certificate private key of the user certificate to obtain an eSIM certificate request file;
    extracting an issuing public key from the eSIM certificate request file and verifying the eSIM certificate ciphertext request signature with the issuing public key;
    if the signature verifies, signing the eSIM certificate request file with the user certificate private key to obtain the eSIM certificate.
  7. The method according to claim 6, characterised in that encrypting the issued eSIM certificate includes:
    encrypting the eSIM certificate with the issuing public key to obtain the eSIM certificate ciphertext file to be signed;
    signing the eSIM certificate ciphertext file to be signed with the user certificate private key of the user certificate to obtain the eSIM certificate ciphertext signature.
  8. An apparatus for issuing an embedded Subscriber Identity Module (eSIM) certificate online, characterised in that the apparatus includes:
    an online certificate issuance request module, configured to initiate an online certificate issuance request to a certificate issuer (CI) certificate server, the online certificate issuance request carrying user information;
    a user certificate receiving module, configured to receive a user certificate and a CI certificate issued by the CI certificate server for the authenticated user information;
    a signature file generating module, configured to obtain, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and to sign the eSIM certificate ciphertext request file to be signed to obtain an eSIM certificate ciphertext request signature;
    a signature file transmission module, configured to transmit the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server;
    an eSIM certificate parsing module, configured to receive an eSIM certificate ciphertext file to be signed and an eSIM certificate ciphertext signature returned by the CI certificate server on the basis of the eSIM certificate ciphertext request file to be signed, the eSIM certificate ciphertext request signature and the user certificate, and to parse the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature to obtain and store an eSIM certificate.
  9. An apparatus for issuing an embedded Subscriber Identity Module (eSIM) certificate online, characterised in that the apparatus includes:
    an authentication module, configured to receive an online certificate issuance request carrying user information sent by an IoT terminal and to authenticate the user information;
    a user certificate issuing module, configured, if the authentication passes, to extract the CI certificate private key of the pre-stored certificate issuer (CI) certificate, issue a user certificate with the extracted CI certificate private key, and send the user certificate and the CI certificate to the IoT terminal;
    a signature file receiving module, configured to receive an eSIM certificate ciphertext request file to be signed and an eSIM certificate ciphertext request signature returned by the IoT terminal on the basis of the user certificate and the CI certificate;
    an eSIM certificate issuing module, configured to issue an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature;
    an eSIM certificate encryption processing module, configured to encrypt the issued eSIM certificate and send the encrypted eSIM certificate to the IoT terminal.
  10. A system for issuing an embedded Subscriber Identity Module (eSIM) certificate online, characterised in that the system includes an IoT terminal and a certificate issuer (CI) certificate server, where:
    the IoT terminal is configured to initiate an online certificate issuance request to the certificate server, the online certificate issuance request carrying user information;
    to receive a user certificate and a CI certificate issued by the CI certificate server;
    to obtain, based on the received user certificate and CI certificate, an eSIM certificate ciphertext request file to be signed, and to sign the eSIM certificate ciphertext request file to be signed to obtain an eSIM certificate ciphertext request signature;
    to transmit the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature to the CI certificate server;
    and to receive an eSIM certificate ciphertext file to be signed and an eSIM certificate ciphertext signature returned by the CI certificate server, and parse the eSIM certificate ciphertext file to be signed and the eSIM certificate ciphertext signature to obtain and store an eSIM certificate;
    the CI certificate server is configured to receive the online certificate issuance request carrying user information sent by the IoT terminal and to authenticate the user information;
    if the authentication passes, to extract the CI certificate private key of the pre-stored CI certificate, issue a user certificate with the extracted CI certificate private key, and send the user certificate and the CI certificate to the IoT terminal;
    to receive the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature returned by the IoT terminal;
    to issue an eSIM certificate based on the user certificate, the eSIM certificate ciphertext request file to be signed and the eSIM certificate ciphertext request signature;
    and to encrypt the issued eSIM certificate and send the encrypted eSIM certificate ciphertext signature to the IoT terminal.
PCT/CN2019/101847 2018-09-19 2019-08-21 一种在线签发eSIM证书的方法、装置及系统 WO2020057314A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811095998.2 2018-09-19
CN201811095998.2A CN109218028B (zh) 2018-09-19 2018-09-19 一种在线签发eSIM证书的方法、装置及系统

Publications (1)

Publication Number Publication Date
WO2020057314A1 true WO2020057314A1 (zh) 2020-03-26

Family

ID=64985087

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/101847 WO2020057314A1 (zh) 2018-09-19 2019-08-21 一种在线签发eSIM证书的方法、装置及系统

Country Status (2)

Country Link
CN (1) CN109218028B (zh)
WO (1) WO2020057314A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115333793A (zh) * 2022-07-22 2022-11-11 中国第一汽车股份有限公司 一种基于可联网诊断设备的obd接口认证方法、车辆

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110677263B (zh) * 2019-09-30 2022-08-02 恒宝股份有限公司 一种eSIM卡在线签发新CI体系下证书的方法及系统
CN113015159B (zh) * 2019-12-03 2023-05-09 中国移动通信有限公司研究院 初始安全配置方法、安全模块及终端
CN111404678B (zh) * 2020-03-10 2022-09-13 中国联合网络通信集团有限公司 证书的重写方法、装置、存储介质、设备及系统
CN113824566B (zh) * 2021-10-19 2022-12-02 恒宝股份有限公司 证书认证方法、码号下载方法、装置、服务器及存储介质

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107613487A (zh) * 2017-11-07 2018-01-19 恒宝股份有限公司 一种eSIM卡及其工作方法
CN107911224A (zh) * 2017-11-28 2018-04-13 恒宝股份有限公司 嵌入式通用集成电路卡的续证方法和系统
CN108040044A (zh) * 2017-12-07 2018-05-15 恒宝股份有限公司 一种实现eSIM卡安全认证的管理方法及系统
WO2018137889A1 (de) * 2017-01-27 2018-08-02 Giesecke+Devrient Mobile Security Gmbh Verfahren zum durchführen einer zweifaktorauthentifizierung
CN108848496A (zh) * 2018-06-12 2018-11-20 中国联合网络通信集团有限公司 基于TEE的虚拟eSIM卡的认证方法、TEE终端和管理平台

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102032857B1 (ko) * 2015-03-22 2019-10-16 애플 인크. 모바일 디바이스에서의 사용자 인증 및 인간 의도 검증을 위한 방법 및 장치
US9860750B2 (en) * 2015-11-11 2018-01-02 Qualcomm Incorporated Systems and methods of remote subscriber identity module (SIM) authentication
CN107547573B (zh) * 2017-10-23 2019-12-10 中国联合网络通信集团有限公司 应用于eSIM的认证方法、RSP终端及管理平台
CN108449710B (zh) * 2018-03-19 2020-09-18 千寻位置网络有限公司 基于eSIM的定位和通信服务一体化认证系统及方法

Also Published As

Publication number Publication date
CN109218028A (zh) 2019-01-15
CN109218028B (zh) 2019-08-09

Similar Documents

Publication Publication Date Title
US11258777B2 (en) Method for carrying out a two-factor authentication
WO2020057314A1 (zh) Method, apparatus and system for issuing an eSIM certificate online
KR102242218B1 (ko) User authentication method and apparatus, and wearable device registration method and apparatus
US20190087814A1 (en) Method for securing a payment token
US10050791B2 (en) Method for verifying the identity of a user of a communicating terminal and associated system
CN107547573B (zh) Authentication method applied to eSIM, RSP terminal, and management platform
US20200196143A1 (en) Public key-based service authentication method and system
US9445269B2 (en) Terminal identity verification and service authentication method, system and terminal
CN105556892A (zh) Systems and methods for secure communication
KR101210260B1 (ko) USIM chip-based mobile OTP authentication device and authentication method using an integrated center
CN103546289A (zh) Method and system for secure data transmission based on a USB key
CN111131416A (zh) Method and apparatus for providing business services, storage medium, and electronic device
US20200067904A1 (en) Method for authenticating a user and corresponding device, first and second servers and system
KR102012262B1 (ko) Key management method and FIDO software authentication device
WO2020102974A1 (zh) Data access method, data access apparatus, and mobile terminal
CN105376059A (zh) Method and system for application signing based on an electronic key
CN113613227A (zh) Data transmission method and apparatus for a Bluetooth device, storage medium, and electronic device
WO2017076257A1 (zh) App authentication system and method
JP6240102B2 (ja) Authentication system, authentication key management device, authentication key management method, and authentication key management program
KR102053993B1 (ko) User authentication method using a certificate
TWI675579B (zh) Network identity verification system and method
CN108574658B (zh) Application login method and device
KR20110005615A (ko) Wireless OTP operation method and system using a user medium, and wireless terminal and recording medium therefor
KR101664471B1 (ko) Network-based mobile OTP processing method
JP2020532799A (ja) Card issuance and payment system and method

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 19863587; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 EP: PCT application non-entry in European phase
Ref document number: 19863587; Country of ref document: EP; Kind code of ref document: A1