WO2021062945A1 - Method and device for expanding the application of an embedded universal integrated circuit card - Google Patents

Method and device for expanding the application of an embedded universal integrated circuit card


Publication number
WO2021062945A1
Authority
WO
WIPO (PCT)
Prior art keywords
eid
certificate
euicc
certificates
service
Prior art date
Application number
PCT/CN2019/124622
Inventor
何碧波
尤洪松
Original Assignee
恒宝股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 恒宝股份有限公司
Publication of WO2021062945A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183 Processing at user equipment or user record carrier
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20 Transfer of user or subscriber data
    • H04W8/205 Transfer to or from user equipment or user record carrier

Definitions

  • The present invention relates to the technical field of digital certificates, in particular to a method and device for expanding the application of an embedded universal integrated circuit card.
  • The Embedded Universal Integrated Circuit Card (eUICC), also called an embedded smart card, is a new type of security chip built into the terminal.
  • The eUICC identifier (eUICC-ID, eID) is the unique identity identifier of the eUICC.
  • It is pre-embedded in the hardware device of the eUICC by the operator.
  • An eUICC has one and only one eID, and the eID cannot be changed.
  • Applications such as secure connection, data encryption, and communication can be provided for IoT devices, for example machine-card binding, eUICC certificate issuance, and session key negotiation.
  • The uniqueness of the eID can ensure the security of personal information and asset management, and it can also uniquely identify the user or eUICC that uses the eUICC, so that the corresponding server can manage the application executed under the eID.
  • The eID is pre-allocated by the operator and written into the eUICC by the embedded smart card manufacturer during the production phase.
  • In different applications, the eID is often not allocated by a single operator, but by the operator that issued the eUICC.
  • An allocated eID can only be used in the communication system of the operator that allocated it, so with eIDs allocated by different operators, the eUICC can only run in the communication system constructed by the respective operator and cannot realize interconnection and intercommunication among multiple operators, which results in limited applications of the eUICC and low application efficiency of the eUICC.
  • The purpose of the present invention is to provide a method and device for expanding the application of an embedded universal integrated circuit card, so as to expand the application of the eUICC and improve the application efficiency of the eUICC.
  • an embodiment of the present invention provides a method for expanding the application of an embedded universal integrated circuit card, including:
  • the eUICC in the terminal obtains the code number configuration file from the server through LPA;
  • the subscription information is transmitted to the server, so that the server manages the target application corresponding to the effective eID after the switch.
  • An embodiment of the present invention provides a first possible implementation manner of the first aspect, wherein obtaining the publisher identifier of the target application from the server corresponding to the target application according to the target application includes:
  • the LPA of the terminal receives the target application request initiated by the user, and sends it to the server corresponding to the target application;
  • An embodiment of the present invention provides a second possible implementation manner of the first aspect, wherein obtaining, from the stored set of embedded universal integrated circuit card identifiers (eIDs), the eID that matches the publisher identifier to obtain a valid eID includes:
  • the LPA initiates an eID acquisition request to the eUICC;
  • the eID set is searched for the eID containing the issuer identifier to obtain a valid eID.
  • An embodiment of the present invention provides a third possible implementation manner of the first aspect, wherein one or more sets of service certificates are pre-stored in the eUICC, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and an eUICC certificate.
  • The number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, each eUICC certificate contains an eID, and the eID in each eUICC certificate is unique.
  • an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, wherein the multiple sets of service certificates are stored in a chain structure.
  • an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, and the method further includes:
  • the CI certificate public key identifier returned when obtaining the mutual authentication from the server;
  • an embodiment of the present invention also provides a method for expanding the application of an embedded universal integrated circuit card, including:
  • the service certificate set contains one or more sets of service certificates.
  • The service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and an eUICC certificate.
  • the number of CI certificates and EUM certificates is 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
  • an embodiment of the present invention provides a first possible implementation manner of the second aspect, wherein the method further includes:
  • an embodiment of the present invention also provides a device for expanding the application of an embedded universal integrated circuit card, including:
  • the issuer identifier obtaining module is used to obtain the issuer identifier of the target application from the server corresponding to the target application according to the target application when downloading or switching the current application to the target application is required;
  • the eID update module is used to obtain the eID matching the issuer identifier from the stored set of embedded universal integrated circuit card identifiers (eIDs) to obtain a valid eID, and to activate the valid eID or update the current eID to the valid eID;
  • the code number configuration file downloading module is configured to enable the eUICC in the terminal to obtain the code number configuration file from the server through the LPA according to the effective eID;
  • a subscription information matching module configured to receive the subscription information corresponding to the valid eID obtained by the eUICC from the code number configuration file;
  • the subscription information transmission module is configured to transmit the subscription information to the server, so that the server manages the target application corresponding to the effective eID after the switch.
  • an embodiment of the present invention also provides an embedded universal integrated circuit card, including:
  • the business certificate set storage module is used to store a set of business certificates.
  • the set of business certificates includes one or more sets of business certificates.
  • the business certificates include: certificate issuer CI certificate, embedded universal integrated circuit card manufacturer EUM certificate, and eUICC certificate, in which, in a set of business certificates, the number of CI certificates and EUM certificates is 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
  • the eID acquisition request processing module is used to receive the eID acquisition request initiated by the local configuration assistant LPA, query the stored service certificate set, obtain the eID contained in each eUICC certificate in the service certificate set, form an eID set, and return it to the LPA.
  • an embodiment of the present invention provides a first possible implementation manner of the fourth aspect, which further includes:
  • the valid certificate setting module is used to receive the CI certificate public key identification
  • An embodiment of the present invention provides a computer device, including a memory, a processor, and a computer program stored on the memory and runnable on the processor.
  • When the processor executes the computer program, the steps of the above method are implemented.
  • an embodiment of the present invention provides a computer-readable storage medium with a computer program stored on the computer-readable storage medium, and the computer program executes the steps of the above method when the computer program is run by a processor.
  • When the current application needs to be downloaded or switched to the target application, the issuer identifier of the target application is obtained from the server corresponding to the target application according to the target application.
  • From the stored set of embedded universal integrated circuit card identifiers (eIDs), the eID that matches the issuer identifier is obtained as the effective eID, and the effective eID is activated or the current eID is updated to the effective eID.
  • According to the effective eID, the eUICC in the terminal obtains the code number configuration file from the server through the LPA; the code number configuration file obtained by the eUICC from the server is received, and the subscription information corresponding to the effective eID is obtained from it; the subscription information is transmitted to the server, so that the server manages the target application corresponding to the effective eID after the switch.
  • In this way, the eID to be used is determined according to the application process to be run, so that the eID corresponding to the application can be used to complete the application process, and one eUICC can interact with service providers such as different operators or servers.
  • This realizes the interconnection and intercommunication of the eUICC among multiple operators or servers, effectively expanding the application scope of the eUICC and improving the application efficiency of the eUICC.
  • Fig. 1 shows a schematic flow chart of a method for expanding the application of an embedded universal integrated circuit card provided by an embodiment of the present invention
  • FIG. 2 shows a schematic diagram of service certificate storage provided by an embodiment of the present invention
  • FIG. 3 shows a specific flow diagram of a method for expanding the application of an embedded universal integrated circuit card provided by an embodiment of the present invention
  • FIG. 4 shows a schematic structural diagram of a device for expanding the application of an embedded universal integrated circuit card provided by an embodiment of the present invention
  • FIG. 5 shows a schematic flow chart of another method for expanding the application of an embedded universal integrated circuit card provided by an embodiment of the present invention
  • Figure 6 shows a schematic structural diagram of an embedded universal integrated circuit card provided by an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a computer device 700 provided by an embodiment of this application.
  • An eUICC that supports multiple eIDs is proposed. When the current application is downloaded or switched to the target application (a service supported by a certain server of an operator), the effective eID corresponding to the target application is activated from among the multiple eIDs, or replaces the eID of the current application, and the contract information related to the effective eID, such as profile information and certificate information, is obtained, so that the eUICC can use different eID identities to communicate with the server of the operator corresponding to each eID identity.
  • Fig. 1 shows a schematic flow chart of a method for expanding the application of an embedded universal integrated circuit card provided by an embodiment of the present invention. As shown in Figure 1, the process includes:
  • Step 101 When the target application needs to be switched, obtain the publisher identifier of the target application from the server corresponding to the target application according to the target application;
  • the publisher identifier of the target application is obtained from the server corresponding to the target application according to the target application to be downloaded.
  • obtaining the issuer identifier of the target application from the server corresponding to the target application includes:
  • A11: The target application request initiated by the user through the Local Profile Assistant (LPA) is sent to the server corresponding to the target application;
  • When the user needs to change (switch) the current application, the LPA can be used to initiate a target application request to the server by scanning the QR code of the server corresponding to the target application, following a hyperlink, using the online mobile business hall, etc.
  • The target application request is a code number profile download request. For example, if the target application is making a call with a second mobile number, the user scans the QR code of the mobile server corresponding to the second mobile number, follows the mobile server's hyperlink, or uses the mobile server's online mobile business hall, etc., to initiate a mobile number download request to the mobile server.
  • the server responds to the received target application request and returns its own identification to the LPA.
  • Step 102 Obtain an eID that matches the publisher identifier from the stored eID set, obtain a valid eID, and update the current eID to the valid eID;
  • a valid eID is activated.
  • obtaining an eID matching the issuer identifier from the stored eID set to obtain a valid eID includes:
  • A21 The LPA in the terminal initiates an eID acquisition request to the eUICC in the terminal;
  • the LPA initiates an eID acquisition request to acquire all eIDs (eID sets) written in the eUICC.
  • the operator configures multiple eIDs for the eUICC in advance, and each eID is unique.
  • the embedded smart card manufacturer writes the configured multiple eIDs into the eUICC during the production stage, and the multiple eIDs form an eID set.
  • one or more sets of service certificates are pre-stored, and the eID is used as a component of the eUICC certificate to participate in the issuance of the service certificate.
  • The service certificate includes: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate, and an eUICC certificate.
  • the number of CI certificates and EUM certificates in a set of business certificates is 1, the number of eUICC certificates is one or more, and each eUICC certificate includes an eID.
  • the eID in each eUICC certificate is unique.
  • Each set of service certificates corresponds to a server of an operator, and each eID is used to identify different identities of users in the server. Different service certificates can belong to the same operator or different operators.
  • the embedded smart card manufacturer sets the corresponding eID according to the requirements of each operator for the eUICC.
  • the service certificate is stored in a chain structure.
  • Fig. 2 shows a schematic diagram of service certificate storage provided by an embodiment of the present invention.
  • the three service certificates are stored in sequence in a chain structure.
  • the first service certificate includes: the first CI certificate (CI_CERT1), the first EUM certificate (EUM_CERT1), the first service eUICC certificate 1 (eID11, eUICC, CERT11), the first service eUICC certificate 2 (eID12, eUICC, CERT12), ..., the first service eUICC certificate n (eID1n, eUICC, CERT1n), where n is a natural number;
  • the second service certificate includes: the second CI certificate (CI_CERT2), the second EUM certificate (EUM_CERT2), the second service eUICC certificate 1 (eID21, eUICC, CERT21), the second service eUICC certificate 2 (eID22, eUICC, CERT22),..., the second service eUICC certificate n (eID2n, eUI
  • Receive the stored eID set returned by the eUICC according to the received eID acquisition request;
  • The input command data is sent to the eUICC, and the command data is used to obtain the eID set stored in the eUICC.
  • The input command data, that is, the eID acquisition request, is:
  • each eID stored will include a corresponding issuer identifier.
  • updating the current eID to the effective eID or activating the effective eID includes:
  • the current eID is empty.
  • the effective eID is set by inputting another command data (Command Data).
  • the input command data is:
  • eidValue is the effective eID being set.
  • The set effective eID is the eID used in the subsequent target application process, and at the same time, the certificates related to the eID (CI certificate, EUM certificate, and eUICC certificate) are also set as valid certificates.
  • If the eID set in the string eidValue is not found in the eUICC's eID set, eidNotFound(1) is returned according to the preset eID-related instruction structure: MoreEIDOperateResult INTEGER {ok(0), eidNotFound(1), undefinedError(127)}.
  • A32: Receive the setting result returned by the eUICC according to the notification.
  • the eUICC is set according to the notification, and the setting result is returned to the LPA.
  • Step 103 According to the effective eID, the eUICC in the terminal obtains the code number configuration file from the server through LPA;
  • the LPA uses the effective eID to perform two-way authentication with the server according to the target application download process, and completes the download of the code number configuration file corresponding to the target application by the eUICC.
  • the target application is a profile business application
  • the eUICC can complete the profile business application download.
  • the code number configuration file contains the user's subscription information provided by the server.
  • Each set of service certificates includes a CI certificate, an EUM certificate, and multiple eUICC certificates.
  • Each eUICC certificate includes an eID. Therefore, during two-way authentication with the server, it is necessary to determine the certificate currently used by the eUICC.
  • the method further includes:
  • obtaining the CI certificate public key identifier returned by the server during mutual authentication;
  • When an eUICC card supporting multiple eIDs is used in the business process,
  • each eUICC certificate in each set of service certificates in the eUICC can be traversed to find the eUICC certificate matching the valid eID, and that eUICC certificate is set to the header of the chain structure.
  • The eUICC checks whether the CI certificate public key identifier of the found service certificate is consistent with the CI certificate public key identifier of the service certificate corresponding to the eUICC certificate in the header, and whether the eID corresponding to the eUICC certificate in the header is the valid eID; if so, the eUICC certificate in the header of the chain structure is determined to be the current certificate.
  • Step 104 Receive the code number configuration file obtained by the eUICC from the server, and obtain the subscription information corresponding to the effective eID therefrom;
  • After the code number configuration file is successfully downloaded to the eUICC, the eUICC uses the valid eID to obtain the matching contract information from the downloaded code number configuration file, and returns the obtained contract information to the LPA.
  • the LPA obtains the subscription information by sending command data to the eUICC.
  • the command data is:
  • profileAid is the AID of the code number profile, that is, the contract information corresponding to the AID of the code number profile is obtained. If the profileAid is empty, all the contract information corresponding to the current eID are obtained.
  • The contract information is returned in the data format of the preset eID-related instruction: profileListInfo SEQUENCE OF ProfileInfo.
  • program code segments corresponding to the eID-related instructions are as follows:
  • Step 105 Transmit the subscription information to the server, so that the server manages the target application corresponding to the effective eID after the handover.
  • the LPA forwards the subscription information corresponding to the effective eID to the server.
  • The server can manage the effective eID according to the received contract information, and the user can use the effective eID to execute the target application, for example, use the code number downloaded with the effective eID to log in to the network and make a call, while the server uses the effective eID to manage billing and other services for the call business.
  • When it is necessary to download or switch the current application to the target application, the publisher identifier of the target application is obtained from the server corresponding to the target application according to the target application; from the stored eID set, the eID that matches the publisher identifier is obtained as the valid eID, and the valid eID is activated or the current eID is updated to the valid eID; according to the valid eID, the eUICC in the terminal obtains the code number configuration file from the server; the code number configuration file obtained by the eUICC from the server is received, and the contract information corresponding to the valid eID is obtained from it; the contract information is transmitted to the server so that the server can manage the effective eID.
  • Multiple eIDs enable an eUICC to have identities (eIDs) assigned by different service providers (operators or servers), so that in each application process, the identity of the eUICC to use is determined by the application process to be run.
  • The eUICC can then complete each application process with the identity corresponding to the service provider, giving one eUICC the ability to interact with service providers such as different operators or servers, so that the eUICC can switch between different operators or servers according to the application.
  • This realizes the interconnection and intercommunication of the eUICC among multiple operators or servers, which greatly expands the application scope of the eUICC and effectively improves the application efficiency of the eUICC.
  • Fig. 3 shows a specific flow diagram of a method for expanding the application of an embedded universal integrated circuit card provided by an embodiment of the present invention. As shown in Figure 3, taking the target application request as a profile download request as an example, the process includes:
  • Step 301 The LPA receives the user request and initiates a profile download application to the server;
  • The user can request a profile download application by scanning a code, following a hyperlink, using the online mobile business hall, and the like.
  • Step 302 the server returns the issuer identifier to the LPA;
  • the issuer identifier is the identifier of the server.
  • Step 303 LPA initiates an eID acquisition request to eUICC
  • the LPA initiates an eID acquisition request to acquire all eIDs in the eUICC.
  • Step 304 the eUICC returns all eIDs stored in the eUICC
  • Step 305 LPA searches for the eID containing the issuer identifier among all the received eIDs, and obtains a valid eID (eID');
  • Step 306 LPA notifies eUICC to set eID' to the current effective eID
  • the effective eID is the eID to be used, that is, the eID used to replace the current eID.
  • Step 307 the eUICC returns the successful setting result to the LPA;
  • Step 308 LPA performs two-way authentication according to the profile download process, and completes the profile download;
  • two-way authentication is performed between LPA, eUICC, and the server, so that the eUICC completes the profile download from the server.
  • Step 309 After confirming that the profile download is successful, LPA requests eUICC to obtain all profile information related to eID’ through eID’;
  • Step 310 eUICC returns profile information related to eID' to LPA;
  • Step 311 LPA forwards the profile information related to eID' to the server.
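
The eID selection in steps 303 to 307, together with the chain-header check described for mutual authentication, can be modelled as below. This is an added example, not code from the patent: the position of the issuer identifier inside the eID (ISSUER_FIELD), the class and function names, and the sample eIDs and certificate labels are assumptions constructed for illustration; only the eID listing behaviour, eidValue and the MoreEIDOperateResult codes come from the text.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class MoreEIDOperateResult(IntEnum):
    """Result codes quoted in the text for the eID-related commands."""
    OK = 0
    EID_NOT_FOUND = 1
    UNDEFINED_ERROR = 127


# Assumption: the issuer identifier is a fixed 6-digit field after a 2-digit
# prefix of a 32-digit eID. The text only says each eID "includes" it.
ISSUER_FIELD = slice(2, 8)


def make_eid(issuer_id: str, serial: int) -> str:
    """Build a constructed 32-digit sample eID (not a real identifier)."""
    return f"89{issuer_id}{serial:024d}"


@dataclass
class EuiccCert:
    eid: str
    label: str


@dataclass
class ServiceCertSet:
    ci_pk_id: str                  # CI certificate public key identifier
    eum_cert: str                  # exactly one EUM certificate per set
    euicc_certs: List[EuiccCert]   # one or more, each with a unique eID


class Euicc:
    def __init__(self, chain: List[ServiceCertSet]):
        self.chain = list(chain)                 # chain of service certificate sets
        self.current_eid: Optional[str] = None   # empty until an eID is activated

    def list_all_eid(self) -> List[str]:
        """Answer the eID acquisition request with every stored eID."""
        return [c.eid for s in self.chain for c in s.euicc_certs]

    def set_effective_eid(self, eid_value: str) -> MoreEIDOperateResult:
        """Activate eid_value and move its certificate to the chain header."""
        for i, cert_set in enumerate(self.chain):
            for j, cert in enumerate(cert_set.euicc_certs):
                if cert.eid == eid_value:
                    cert_set.euicc_certs.insert(0, cert_set.euicc_certs.pop(j))
                    self.chain.insert(0, self.chain.pop(i))
                    self.current_eid = eid_value
                    return MoreEIDOperateResult.OK
        return MoreEIDOperateResult.EID_NOT_FOUND   # state is left untouched

    def current_certificate(self, server_ci_pk_id: str) -> Optional[EuiccCert]:
        """Return the header certificate only if both header checks pass."""
        if not self.chain or self.current_eid is None:
            return None
        head = self.chain[0]
        if head.ci_pk_id != server_ci_pk_id:
            return None        # server announced a different CI public key id
        if head.euicc_certs[0].eid != self.current_eid:
            return None        # header certificate is not the effective eID
        return head.euicc_certs[0]


def select_effective_eid(eid_set: List[str], issuer_id: str) -> Optional[str]:
    """LPA side (step 305): first eID whose issuer field equals issuer_id."""
    for eid in eid_set:
        if len(eid) == 32 and eid.isdigit() and eid[ISSUER_FIELD] == issuer_id:
            return eid
    return None


def switch_identity(euicc: Euicc, issuer_id: str, server_ci_pk_id: str
                    ) -> Tuple[MoreEIDOperateResult, Optional[EuiccCert]]:
    """Steps 303-307, then the header check made before mutual authentication."""
    eid = select_effective_eid(euicc.list_all_eid(), issuer_id)
    if eid is None:
        return MoreEIDOperateResult.EID_NOT_FOUND, None
    result = euicc.set_effective_eid(eid)
    if result is not MoreEIDOperateResult.OK:
        return result, None
    return result, euicc.current_certificate(server_ci_pk_id)


def build_sample_euicc() -> Euicc:
    """Constructed card: set B is stored first, set A holds two eIDs."""
    set_b = ServiceCertSet("CI-PKID-B", "EUM_CERT_B",
                           [EuiccCert(make_eid("002022", 1011), "B1")])
    set_a = ServiceCertSet("CI-PKID-A", "EUM_CERT_A",
                           [EuiccCert(make_eid("001011", 1), "A1"),
                            EuiccCert(make_eid("001011", 2), "A2")])
    return Euicc([set_b, set_a])


if __name__ == "__main__":
    card = build_sample_euicc()
    print(switch_identity(card, "001011", "CI-PKID-A"))
```

The first sample eID belongs to issuer 002022 but carries the digits 001011 in its serial part; comparing a fixed field instead of searching for a substring keeps the LPA from activating it for the wrong server.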
  • Fig. 4 shows a schematic structural diagram of an apparatus for expanding the application of an embedded universal integrated circuit card provided by an embodiment of the present invention.
  • the device is a terminal and includes:
  • the issuer identifier obtaining module 401 is configured to obtain the issuer identifier of the target application from the server corresponding to the target application according to the target application when downloading or switching the current application to the target application is required;
  • the eID update module 402 is used to obtain the eID that matches the issuer identifier from the stored set of embedded universal integrated circuit card identifiers (eIDs), obtain a valid eID, and activate the valid eID or update the current eID to the effective eID;
  • The effective eID is set (updated) using command data.
  • The command data is: eidValue [APPLICATION 26] Octet16 -- tag '5A', where eidValue is the effective eID being set.
  • the file download module 403 is configured to enable the eUICC in the terminal to obtain the code number configuration file from the server according to the effective eID;
  • the contract information matching module 404 is configured to receive the code number configuration file obtained by the eUICC from the server, and obtain the contract information corresponding to the valid eID therefrom;
  • the subscription information is obtained by sending command data to the eUICC.
  • the command data is:
  • profileAid is the AID of the code number profile.
  • the subscription information transmission module 405 is configured to transmit the subscription information to the server, so that the server manages the target application corresponding to the effective eID after the switch.
  • the issuer identifier obtaining module 401 includes:
  • the target application request unit (not shown in the figure) is used to receive the target application request initiated by the user and send it to the server corresponding to the target application;
  • the issuer identifier obtaining unit is configured to receive the issuer identifier, containing the server's identifier, returned by the server.
  • The LPA is used to initiate a target application request to the server by scanning the QR code of the server corresponding to the target application, following a hyperlink, using the online mobile business hall, etc.
  • the eID acquisition request is command data: ListAllEID[0]NULL.
  • the eID update module 402 includes:
  • the eID acquisition request unit is configured to initiate an eID acquisition request to the eUICC;
  • the eID set receiving unit is configured to receive the stored eID set returned by the eUICC according to the received eID obtaining request;
  • the query unit is used to search for the eID containing the issuer identifier according to the received eID set to obtain a valid eID.
  • One or more sets of service certificates are pre-stored in the eUICC, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where the number of CI certificates and EUM certificates are both 1, the number of eUICC certificates is one or more, each eUICC certificate includes an eID, and the eID in each eUICC certificate is unique.
  • the multiple sets of service certificates are stored in a chain structure.
  • FIG. 5 shows a schematic flow chart of another method for expanding the application of an embedded universal integrated circuit card provided by an embodiment of the present invention. As shown in Figure 5, the method includes:
  • Step 501 Receive an eID acquisition request initiated by the local configuration assistant LPA, and query the stored service certificate set.
  • the service certificate set includes one or more sets of service certificates.
  • the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates. In a set of service certificates, the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
  • when the terminal needs to switch to the target application, it obtains the issuer identifier of the target application from the server corresponding to the target application, and initiates an eID acquisition request through the local profile assistant LPA to obtain the eID set.
  • multiple sets of service certificates are stored in a chain structure.
  • Step 502 Obtain the eID contained in each eUICC certificate in the service certificate set, form an eID set, and return to the LPA.
  • after obtaining the eID set, the terminal searches it for the eID that matches the issuer identifier to obtain the valid eID, and updates the current eID to the valid eID in order to download the target application or switch the current application to it.
  • the method further includes:
  • Fig. 6 shows a schematic structural diagram of an embedded universal integrated circuit card provided by an embodiment of the present invention.
  • the embedded universal integrated circuit card includes:
  • the service certificate set storage module 601 is used to store a service certificate set, the service certificate set includes one or more sets of service certificates, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where in a set of service certificates the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
  • the eID acquisition request processing module 602 is configured to receive the eID acquisition request initiated by the local configuration assistant LPA, query the stored service certificate set, obtain the eID contained in each eUICC certificate in the service certificate set, form an eID set, and return it to the LPA.
  • a valid certificate setting module (not shown in the figure), used to receive the CI certificate public key identifier
  • an embodiment of the present application provides a computer device 700 for executing the method for expanding an embedded universal integrated circuit card application in FIG. 1 or FIG. 5.
  • the device includes a memory 701, a processor 702, and a computer program stored on the memory 701 and runnable on the processor 702, wherein the processor 702 executes the computer program to implement the steps of the method for expanding the application of an embedded universal integrated circuit card.
  • the aforementioned memory 701 and processor 702 can be general-purpose memories and processors, which are not specifically limited here.
  • when the processor 702 runs the computer program stored in the memory 701, it can execute the aforementioned method for expanding the application of an embedded universal integrated circuit card.
  • an embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored.
  • the steps of the method for expanding the application of the embedded universal integrated circuit card are executed when the processor is running.
  • the storage medium can be a general storage medium, such as a mobile disk, a hard disk, etc., and when the computer program on the storage medium is run, it can execute the above-mentioned method for expanding the application of an embedded general integrated circuit card.
  • the disclosed system and method may be implemented in other ways.
  • the system embodiments described above are merely illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be through some communication interfaces, indirect coupling or communication connection of the system or unit, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the embodiments provided in this application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • the technical solution of the present application essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk, optical disk and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Stored Programmes (AREA)

Abstract

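A method and apparatus for extending the applications of an embedded universal integrated circuit card, comprising: when a target application switch is required, obtaining, according to the target application, the issuer identifier of the target application from the server corresponding to the target application (101); obtaining, from a stored set of embedded universal integrated circuit card identifiers (eID set), the eID that matches the issuer identifier to obtain a valid eID (102), and updating the current eID to the valid eID; according to the valid eID, causing the eUICC in the terminal to obtain a code number profile from the server through the LPA (103); receiving the code number profile obtained by the eUICC from the server, and obtaining from it the subscription information corresponding to the valid eID (104); and transmitting the subscription information to the server, so that the server manages the target application corresponding to the valid eID after the switch (105). This extends the applications of the eUICC and improves the application efficiency of the eUICC.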

Description

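Method and apparatus for extending embedded universal integrated circuit card applications
Technical Field
The present invention relates to the technical field of digital certificates, and in particular to a method and apparatus for extending the applications of an embedded universal integrated circuit card.
Background
The embedded universal integrated circuit card (eUICC, embedded Universal Integrated Circuit Card), or embedded smart card for short, is a new type of security chip built into a terminal. The eUICC identifier (eUICC-ID, eID for short) is the unique identity of the eUICC and is pre-provisioned by the operator in the hardware of the eUICC; an eUICC has one and only one eID, and that eID cannot be changed. The eID can be used to provide IoT devices with applications such as secure connection, data encryption and communication, for example device-card binding, eUICC certificate issuance and session key agreement. In this way, the uniqueness of the eID ensures secure management of personal information and assets, and also uniquely identifies the user of the eUICC or the eUICC itself, so that the corresponding server can manage the applications executed under the eID.
At present, the eID is pre-allocated by the operator and written into the eUICC by the embedded smart card manufacturer at the production stage. However, because communication development strategies and security policies differ between countries and regions, and even within the same country or region, eIDs for different applications are usually not allocated by a single operator but by the operator that issues the eUICC, and an allocated eID can only be used in that operator's communication system. As a result, eIDs allocated by different operators can only operate within the communication system built by the respective operator, and an eUICC cannot interoperate across multiple operators, which restricts the applications of the eUICC and lowers its application efficiency.
Summary of the Invention
In view of this, the purpose of the present invention is to provide a method and apparatus for extending the applications of an embedded universal integrated circuit card, so as to extend the applications of the eUICC and improve the application efficiency of the eUICC.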
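In a first aspect, an embodiment of the present invention provides a method for extending the applications of an embedded universal integrated circuit card, comprising:
when a target application needs to be downloaded or the current application needs to be switched to a target application, obtaining, according to the target application, the issuer identifier of the target application from the server corresponding to the target application;
obtaining, from the stored set of embedded universal integrated circuit card identifiers (eID set), the eID that matches the issuer identifier to obtain a valid eID, and activating the valid eID or updating the current eID to the valid eID;
according to the valid eID, causing the eUICC in the terminal to obtain a code number profile from the server through the LPA;
receiving the code number profile obtained by the eUICC from the server, and obtaining from it the subscription information corresponding to the valid eID;
transmitting the subscription information to the server, so that the server manages the target application corresponding to the valid eID after the switch.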
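With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, wherein obtaining, according to the target application, the issuer identifier of the target application from the server corresponding to the target application comprises:
the LPA of the terminal receives a target application request initiated by the user and sends it to the server corresponding to the target application;
receiving the issuer identifier returned by the server, which contains the server's identifier.
With reference to the first possible implementation of the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, wherein obtaining, from the stored eID set, the eID that matches the issuer identifier to obtain a valid eID comprises:
the LPA initiates an eID acquisition request to the eUICC;
receiving the stored eID set returned by the eUICC in response to the received eID acquisition request;
searching the received eID set for the eID that contains the issuer identifier, to obtain the valid eID.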
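With reference to the second possible implementation of the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, wherein one or more sets of service certificates are pre-stored in the eUICC, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where in a set of service certificates the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, each eUICC certificate contains an eID, and the eID in each eUICC certificate is unique.
With reference to the third possible implementation of the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, wherein the multiple sets of service certificates are stored in a chain structure.
With reference to the third possible implementation of the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, wherein the method further comprises:
obtaining the CI certificate public key identifier returned by the server during mutual authentication;
searching the multiple sets of service certificates pre-stored in the eUICC card for the service certificate that matches the CI certificate public key identifier;
searching the matching service certificate for the eUICC certificate that matches the valid eID.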
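In a second aspect, an embodiment of the present invention further provides a method for extending the applications of an embedded universal integrated circuit card, comprising:
receiving an eID acquisition request initiated by the local profile assistant LPA, and querying the stored service certificate set, where the service certificate set contains one or more sets of service certificates, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where in a set of service certificates the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
obtaining the eID contained in each eUICC certificate in the service certificate set, forming an eID set, and returning it to the LPA.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation of the second aspect, wherein the method further comprises:
receiving a CI certificate public key identifier;
searching the service certificate set for the service certificate that matches the CI certificate public key identifier, and obtaining the CI certificate and the EUM certificate in the matching service certificate;
searching the matching service certificate for the eUICC certificate that matches the currently set valid eID, and setting the CI certificate, the EUM certificate and the eUICC certificate as the valid certificates.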
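In a third aspect, an embodiment of the present invention further provides an apparatus for extending the applications of an embedded universal integrated circuit card, comprising:
an issuer identifier obtaining module, configured to obtain, according to the target application, the issuer identifier of the target application from the server corresponding to the target application when a target application needs to be downloaded or the current application needs to be switched to a target application;
an eID update module, configured to obtain, from the stored set of embedded universal integrated circuit card identifiers (eID set), the eID that matches the issuer identifier to obtain a valid eID, and to activate the valid eID or update the current eID to the valid eID;
a code number profile download module, configured to cause, according to the valid eID, the eUICC in the terminal to obtain a code number profile from the server through the LPA;
a subscription information matching module, configured to receive the subscription information corresponding to the valid eID that the eUICC obtains from the code number profile;
a subscription information transmission module, configured to transmit the subscription information to the server, so that the server manages the target application corresponding to the valid eID after the switch.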
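In a fourth aspect, an embodiment of the present invention further provides an embedded universal integrated circuit card, comprising:
a service certificate set storage module, configured to store a service certificate set, where the service certificate set contains one or more sets of service certificates, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where in a set of service certificates the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
an eID acquisition request processing module, configured to receive an eID acquisition request initiated by the local profile assistant LPA, query the stored service certificate set, obtain the eID contained in each eUICC certificate in the service certificate set, form an eID set, and return it to the LPA.
With reference to the fourth aspect, an embodiment of the present invention provides a first possible implementation of the fourth aspect, further comprising:
a valid certificate setting module, configured to receive a CI certificate public key identifier;
search the service certificate set for the service certificate that matches the CI certificate public key identifier, and obtain the CI certificate and the EUM certificate in the matching service certificate;
search the matching service certificate for the eUICC certificate that matches the currently set valid eID, and set the CI certificate, the EUM certificate and the eUICC certificate as the valid certificates.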
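In a fifth aspect, an embodiment of the present invention provides a computer device, comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, where the processor implements the steps of the above method when executing the computer program.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, where the computer program performs the steps of the above method when run by a processor.
In the method and apparatus for extending embedded universal integrated circuit card applications provided by the embodiments of the present invention, when a target application needs to be downloaded or the current application needs to be switched to a target application, the issuer identifier of the target application is obtained, according to the target application, from the server corresponding to the target application; the eID that matches the issuer identifier is obtained from the stored eID set to give a valid eID, and the valid eID is activated or the current eID is updated to the valid eID; according to the valid eID, the eUICC in the terminal obtains a code number profile from the server through the LPA; the code number profile obtained by the eUICC from the server is received, and the subscription information corresponding to the valid eID is obtained from it; and the subscription information is transmitted to the server, so that the server manages the target application corresponding to the valid eID after the switch. In this way, multiple eIDs are provisioned in the eUICC, and in each application flow the eID to use is determined by the application flow to be run, so that the flow can be completed with the eID corresponding to the application. One eUICC thereby gains the ability to interact with different service providers such as operators or servers, which achieves interoperation of the eUICC across multiple operators or servers and effectively extends the application scope and application efficiency of the eUICC.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.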
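Brief Description of the Drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Figure 1 shows a schematic flow chart of the method for extending embedded universal integrated circuit card applications provided by an embodiment of the present invention;
Figure 2 shows a schematic diagram of service certificate storage provided by an embodiment of the present invention;
Figure 3 shows a detailed schematic flow chart of the method for extending embedded universal integrated circuit card applications provided by an embodiment of the present invention;
Figure 4 shows a schematic structural diagram of the apparatus for extending embedded universal integrated circuit card applications provided by an embodiment of the present invention;
Figure 5 shows a schematic flow chart of another method for extending embedded universal integrated circuit card applications provided by an embodiment of the present invention;
Figure 6 shows a schematic structural diagram of the embedded universal integrated circuit card provided by an embodiment of the present invention;
Figure 7 is a schematic structural diagram of a computer device 700 provided by an embodiment of this application.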
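Detailed Description
To make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. The components of the embodiments of the present invention generally described and shown in the drawings here may be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of it. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the embodiments of the present invention, so that the eID built into the eUICC is no longer restricted in use by operator allocation, an eUICC supporting multiple eIDs is proposed. When a target application (a service supported by one of an operator's servers) needs to be downloaded, or the current application needs to be switched to it, the valid eID corresponding to the target application is activated from among the multiple eIDs, or replaces the eID of the current application, and the subscription information related to that valid eID, such as profile information and certificate information, is obtained, so that the eUICC can interoperate, under different eID identities, with the operator server corresponding to each identity.
In the following embodiment, applying to download an operator's code number resource is taken as an example to describe the flow, during code number resource download, of an eUICC card that holds multiple eIDs and the certificates that go with them.
Figure 1 shows a schematic flow chart of the method for extending embedded universal integrated circuit card applications provided by an embodiment of the present invention. As shown in Figure 1, the flow includes: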
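Step 101: when a target application switch is required, obtain, according to the target application, the issuer identifier of the target application from the server corresponding to the target application;
In the embodiment of the present invention, where the target application is being downloaded for the first time, the issuer identifier of the target application is obtained, according to the target application to be downloaded, from the server corresponding to the target application.
In the embodiment of the present invention, as an optional embodiment, obtaining, according to the target application, the issuer identifier of the target application from the server corresponding to the target application includes:
A11: the target application request that the user initiates through the Local Profile Assistant (LPA) is sent to the server corresponding to the target application;
In the embodiment of the present invention, when the user needs to change (switch) the current application, the LPA can be used to initiate a target application request to the server, for example by scanning a QR code that contains the server corresponding to the target application, by a hyperlink, or through an online mobile business hall. As an optional embodiment, the target application request is a code number profile download request. For example, if the target application is making calls with a second mobile number, a mobile number download request is initiated to the mobile server by scanning a QR code containing the mobile server corresponding to the second mobile number, through a hyperlink to the mobile server, through the mobile server's online mobile business hall, and so on.
A12: receive the issuer identifier returned by the server, which contains the server's identifier.
In the embodiment of the present invention, the server responds to the received target application request and returns its own identifier to the LPA.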
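Step 102: obtain, from the stored eID set, the eID that matches the issuer identifier to obtain a valid eID, and update the current eID to the valid eID;
In the embodiment of the present invention, where the target application is being downloaded for the first time, the valid eID is activated.
In the embodiment of the present invention, as an optional embodiment, obtaining, from the stored eID set, the eID that matches the issuer identifier to obtain a valid eID includes:
A21: the LPA in the terminal initiates an eID acquisition request to the eUICC in the terminal;
In the embodiment of the present invention, the LPA initiates the eID acquisition request in order to obtain all eIDs written in the eUICC (the eID set).
In the embodiment of the present invention, the operator pre-configures multiple eIDs for the eUICC, each of which is unique; at the production stage the embedded smart card manufacturer writes the configured eIDs into the eUICC, and the multiple eIDs form the eID set.
One or more sets of service certificates are pre-stored in the eUICC, and the eID, as a component of the eUICC certificate, takes part in the issuance of the service certificates.
In the embodiment of the present invention, the service certificates include: a certificate issuer (CI, Certificate Issuer) certificate, an embedded universal integrated circuit card manufacturer (EUM, Embedded Universal Integrated Circuit Card Manufacturer) certificate and eUICC certificates. In a set of service certificates, the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID.
In the embodiment of the present invention, the eID in each eUICC certificate is unique. Each set of service certificates corresponds to one server of one operator, and each eID identifies a different identity of the user on the server. Different service certificates may belong to the same operator or to different operators; when producing the eUICC, the embedded smart card manufacturer sets the corresponding eIDs according to each operator's requirements for that eUICC.
In the embodiment of the present invention, to make certificates easy to look up, as an optional embodiment the service certificates are stored in a chain structure.
Figure 2 shows a schematic diagram of service certificate storage provided by an embodiment of the present invention. As shown in Figure 2, three service certificates are stored one after another in a chain structure. The first service certificate includes: the first CI certificate (CI_CERT1), the first EUM certificate (EUM_CERT1), first-service eUICC certificate 1 (eID11, eUICC, CERT11), first-service eUICC certificate 2 (eID12, eUICC, CERT12), …, first-service eUICC certificate n (eID1n, eUICC, CERT1n), where n is a natural number. The second service certificate includes: the second CI certificate (CI_CERT2), the second EUM certificate (EUM_CERT2), second-service eUICC certificate 1 (eID21, eUICC, CERT21), second-service eUICC certificate 2 (eID22, eUICC, CERT22), …, second-service eUICC certificate n (eID2n, eUICC, CERT2n). The third service certificate includes: the third CI certificate (CI_CERT3), the third EUM certificate (EUM_CERT3), third-service eUICC certificate 1 (eID31, eUICC, CERT31), third-service eUICC certificate 2 (eID32, eUICC, CERT32), …, third-service eUICC certificate n (eID3n, eUICC, CERT3n).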
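A22: receive the stored eID set returned by the eUICC in response to the received eID acquisition request;
In the embodiment of the present invention, as an optional embodiment, command data (Command Data) is entered and sent to the eUICC, and the command data is used to obtain the eID set stored in the eUICC. The command data entered, that is, the eID acquisition request, is:
ListAllEID [0] NULL
With this command data, all eIDs in the eUICC (the eID set) can be obtained; the eUICC returns all eIDs in the eUICC using the "eidListInfo SEQUENCE OF EIDInfo" structure in the predefined eID-related instruction MoreEIDOperateResponse.
A23: search the received eID set for the eID that contains the issuer identifier, to obtain the valid eID.
In the embodiment of the present invention, every stored eID contains the corresponding issuer identifier.
In the embodiment of the present invention, as an optional embodiment, updating the current eID to the valid eID, or activating the valid eID, includes:
A31: notify the eUICC of the valid eID obtained, so that the eUICC sets the current eID to the valid eID;
In the embodiment of the present invention, where the target application is being downloaded for the first time, the current eID is empty. As an optional embodiment, the valid eID is set by entering another piece of command data (Command Data). The command data entered is:
eidValue [APPLICATION 26] Octet16 -- tag '5A'
where eidValue is the valid eID being set.
In the embodiment of the present invention, the valid eID that is set is the eID used in the subsequent target application flow; at the same time, the certificates related to that eID (the CI certificate, the EUM certificate and the eUICC certificate) are also set as the valid certificates.
In the embodiment of the present invention, as an optional embodiment, if the eID set in the string eidValue is not found in the eUICC's eID set, eidNotFound(1) is returned according to the structure of the predefined eID-related instruction: MoreEIDOperateResult INTEGER{ok(0),eidNotFound(1),undefinedError(127)}.
A32: receive the result of the setting that the eUICC performed in response to the notification.
In the embodiment of the present invention, the eUICC performs the setting in response to the notification and returns the setting result to the LPA.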
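Step 103: according to the valid eID, cause the eUICC in the terminal to obtain a code number profile from the server through the LPA;
In the embodiment of the present invention, the LPA follows the target application download flow, uses the valid eID to perform mutual authentication with the server, and completes the eUICC's download of the code number profile corresponding to the target application. For example, if the target application is a profile service application, then, following the profile service application download flow, mutual authentication is performed with the server and the eUICC then completes the download of the profile service application.
In the embodiment of the present invention, the code number profile contains the user's subscription information provided by the server.
In the embodiment of the present invention, because the eUICC supports multiple eIDs, each set of service certificates contains one CI certificate, one EUM certificate and multiple eUICC certificates, and each eUICC certificate contains an eID; the certificate currently used by the eUICC therefore has to be determined during mutual authentication with the server. As an optional embodiment, the method further includes:
obtaining the CI certificate public key identifier returned by the server during mutual authentication;
searching the multiple sets of service certificates pre-stored in the eUICC card for the service certificate that matches the CI certificate public key identifier;
searching the matching service certificate for the eUICC certificate that matches the valid eID.
In the embodiment of the present invention, in the service flow of an eUICC card supporting multiple eIDs, as an optional embodiment, every eUICC certificate in every set of service certificates in the eUICC may be traversed on the basis of the valid eID to find the eUICC certificate that matches the valid eID, and that eUICC certificate is placed at the head of the chain structure. Then, when mutual authentication is performed in the profile download service flow, the service certificate matching the CI certificate public key identifier given by the server is looked up in the chain structure. The eUICC checks whether the CI certificate public key identifier of the service certificate found is consistent with that of the service certificate to which the eUICC certificate at the head belongs, and whether the eID of the eUICC certificate at the head is the valid eID; if so, the eUICC certificate at the head of the chain structure is determined to be the current certificate.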
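Step 104: receive the code number profile obtained by the eUICC from the server, and obtain from it the subscription information corresponding to the valid eID;
In the embodiment of the present invention, after the code number profile has been downloaded to the eUICC successfully, the eUICC uses the valid eID to obtain, from the downloaded code number profile, the subscription information that matches the valid eID, and returns the obtained subscription information to the LPA.
In the embodiment of the present invention, as an optional embodiment, the LPA obtains the subscription information by sending command data to the eUICC. The command data is:
profileAid [APPLICATION 15] Octet16 -- tag '4F'
where profileAid is the AID of the code number profile, that is, the subscription information corresponding to the AID of that code number profile is obtained; if profileAid is empty, all subscription information corresponding to the current eID is obtained. The data format of the subscription information is returned according to the predefined eID-related instruction: profileListInfo SEQUENCE OF ProfileInfo.
In the embodiment of the present invention, the program code segment corresponding to the eID-related instructions is as follows: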
Figure PCTCN2019124622-appb-000001
Figure PCTCN2019124622-appb-000002
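Step 105: transmit the subscription information to the server, so that the server manages the target application corresponding to the valid eID after the switch.
In the embodiment of the present invention, the LPA forwards the subscription information corresponding to the valid eID to the server. The server can then manage the valid eID according to the received subscription information, and the user can use the valid eID to run the target application, for example by using the code number downloaded under the valid eID to log on to the network and make calls, with the server handling billing and other management of the calls the user makes under that valid eID.
In the embodiment of the present invention, when a target application needs to be downloaded or the current application needs to be switched to a target application, the issuer identifier of the target application is obtained, according to the target application, from the server corresponding to the target application; the eID that matches the issuer identifier is obtained from the stored eID set to give a valid eID, and the valid eID is activated or the current eID is updated to the valid eID; according to the valid eID, the eUICC in the terminal obtains a code number profile from the server; the code number profile obtained by the eUICC from the server is received, and the subscription information corresponding to the valid eID is obtained from it; and the subscription information is transmitted to the server, so that the server manages the valid eID. In this way, multiple eIDs are provisioned in the eUICC, giving the eUICC identities (eIDs) assigned by different service providers (operators or servers). In each application flow, the identity to use is determined by the application flow to be run, so that the various flows can be completed with the identity corresponding to the service provider. One eUICC thereby gains the ability to interact with different service providers such as operators or servers, and can switch between operators or servers depending on the application, which achieves interoperation of the eUICC across multiple operators or servers, greatly extends the application scope of the eUICC, and in turn effectively improves its application efficiency.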
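Figure 3 shows a detailed schematic flow chart of the method for extending embedded universal integrated circuit card applications provided by an embodiment of the present invention. As shown in Figure 3, taking a profile download request as the target application request, the flow includes:
Step 301: the LPA receives the user request and initiates a profile download application to the server;
In the embodiment of the present invention, the user can request the profile download application by scanning a code, following a hyperlink, using an online mobile business hall, and so on.
Step 302: the server returns the issuer identifier to the LPA;
In the embodiment of the present invention, the issuer identifier is the identifier of the server.
Step 303: the LPA initiates an eID acquisition request to the eUICC;
In the embodiment of the present invention, the LPA initiates the eID acquisition request in order to obtain all eIDs in the eUICC.
Step 304: the eUICC returns all eIDs stored in the eUICC;
Step 305: among all the eIDs received, the LPA looks for the eID that contains the issuer identifier, obtaining the valid eID (eID');
Step 306: the LPA notifies the eUICC to set eID' as the current valid eID;
In the embodiment of the present invention, the valid eID is the eID about to be used, that is, the eID that replaces the current eID.
Step 307: the eUICC returns the successful setting result to the LPA;
Step 308: the LPA follows the profile download flow, performs mutual authentication, and completes the profile download;
In the embodiment of the present invention, mutual authentication is performed among the LPA, the eUICC and the server, so that the eUICC completes the profile download from the server.
Step 309: after confirming that the profile download succeeded, the LPA uses eID' to ask the eUICC for all profile information related to eID';
Step 310: the eUICC returns the profile information related to eID' to the LPA;
Step 311: the LPA forwards the profile information related to eID' to the server.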
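Steps 303 to 307 of this flow, together with the certificate check described for mutual authentication in step 103, modelled as an added Python sketch; it is not code from the patent, whose own listing survives on this page only as figure placeholders. Assumptions: the issuer identifier sits at a fixed offset inside a 32-digit eID, the chain head is kept as a reference instead of reordering a list, certificates are placeholder strings, and an issuer identifier matching several eIDs is refused because the page does not say how to break the tie. All sample values are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple

ISSUER_FIELD = slice(2, 8)  # ASSUMPTION: fixed position of the issuer identifier in an eID


class MoreEIDOperateResult(IntEnum):
    """Result codes quoted in the description."""
    ok = 0
    eidNotFound = 1
    undefinedError = 127


@dataclass(frozen=True)
class EuiccCert:
    eid: str    # eID carried in this eUICC certificate
    body: str   # placeholder for the certificate itself


@dataclass(frozen=True)
class ServiceCertSet:
    ci_pkid: str                        # CI certificate public key identifier
    ci_cert: str                        # exactly one CI certificate per set
    eum_cert: str                       # exactly one EUM certificate per set
    euicc_certs: Tuple[EuiccCert, ...]  # one or more eUICC certificates


class MultiEidEuicc:
    """Card side: list eIDs, set the valid eID, choose the certificates."""

    def __init__(self, cert_sets: List[ServiceCertSet]):
        self.cert_sets = list(cert_sets)
        self.head: Optional[Tuple[ServiceCertSet, EuiccCert]] = None
        eids = self.list_all_eid()
        if len(eids) != len(set(eids)):
            raise ValueError("each eID must be unique across all eUICC certificates")

    def list_all_eid(self) -> List[str]:
        return [c.eid for s in self.cert_sets for c in s.euicc_certs]

    def set_eid(self, eid_value: str) -> MoreEIDOperateResult:
        for s in self.cert_sets:
            for c in s.euicc_certs:
                if c.eid == eid_value:
                    self.head = (s, c)  # matching certificate becomes the chain head
                    return MoreEIDOperateResult.ok
        return MoreEIDOperateResult.eidNotFound  # previous head stays unchanged

    def select_certificates(self, ci_pkid: str) -> Optional[Tuple[str, str, str]]:
        """Return (CI, EUM, eUICC) certificates, or None when the server's CI
        public key identifier does not belong to the set of the valid eID."""
        if self.head is None:
            return None
        head_set, head_cert = self.head
        if head_set.ci_pkid != ci_pkid:
            return None  # fail closed: never answer with another set's chain
        return (head_set.ci_cert, head_set.eum_cert, head_cert.body)


def lpa_pick_eid(eid_set: List[str], issuer_id: str) -> Optional[str]:
    """LPA side: the single eID whose issuer field equals issuer_id, else None."""
    matches = [e for e in eid_set if e[ISSUER_FIELD] == issuer_id]
    return matches[0] if len(matches) == 1 else None


def switch_identity(card: MultiEidEuicc, issuer_id: str, ci_pkid: str):
    """ListAllEID -> pick eID -> set eID -> choose certificates for authentication."""
    eid = lpa_pick_eid(card.list_all_eid(), issuer_id)
    if eid is None or card.set_eid(eid) is not MoreEIDOperateResult.ok:
        return None
    return card.select_certificates(ci_pkid)


def make_eid(issuer_id: str, serial: int) -> str:
    """Constructed 32-digit eID (16 octets); the layout is this example's assumption."""
    return "89" + issuer_id + f"{serial:024d}"


def build_sample_card() -> MultiEidEuicc:
    set_a = ServiceCertSet("CI-PKID-A", "CI_CERT1", "EUM_CERT1",
                           (EuiccCert(make_eid("100001", 1), "eUICC_CERT11"),
                            EuiccCert(make_eid("100001", 2), "eUICC_CERT12")))
    set_b = ServiceCertSet("CI-PKID-B", "CI_CERT2", "EUM_CERT2",
                           (EuiccCert(make_eid("200002", 1), "eUICC_CERT21"),))
    return MultiEidEuicc([set_a, set_b])


if __name__ == "__main__":
    print(switch_identity(build_sample_card(), "200002", "CI-PKID-B"))
```

The case worth noting is a server that presents a CI public key identifier from a different certificate set than the one the valid eID belongs to: the card returns nothing instead of falling back to another chain.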
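Figure 4 shows a schematic structural diagram of the apparatus for extending embedded universal integrated circuit card applications provided by an embodiment of the present invention. As shown in Figure 4, the apparatus is a terminal and includes:
an issuer identifier obtaining module 401, configured to obtain, according to the target application, the issuer identifier of the target application from the server corresponding to the target application when a target application needs to be downloaded or the current application needs to be switched to a target application;
an eID update module 402, configured to obtain, from the stored set of embedded universal integrated circuit card identifiers (eID set), the eID that matches the issuer identifier to obtain a valid eID, and to activate the valid eID or update the current eID to the valid eID;
In the embodiment of the present invention, as an optional embodiment, the valid eID is set (updated) with command data, the command data being: eidValue [APPLICATION 26] Octet16 -- tag '5A', where eidValue is the valid eID being set.
a file download module 403, configured to cause, according to the valid eID, the eUICC in the terminal to obtain a code number profile from the server;
a subscription information matching module 404, configured to receive the code number profile obtained by the eUICC from the server, and obtain from it the subscription information corresponding to the valid eID;
In the embodiment of the present invention, as an optional embodiment, the subscription information is obtained by sending command data to the eUICC. The command data is:
profileAid [APPLICATION 15] Octet16 -- tag '4F'
where profileAid is the AID of the code number profile.
a subscription information transmission module 405, configured to transmit the subscription information to the server, so that the server manages the target application corresponding to the valid eID after the switch.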
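In the embodiment of the present invention, as an optional embodiment, the issuer identifier obtaining module 401 includes:
a target application request unit (not shown in the figure), configured to receive the target application request initiated by the user and send it to the server corresponding to the target application;
an issuer identifier obtaining unit, configured to receive the issuer identifier returned by the server, which contains the server's identifier.
In the embodiment of the present invention, when the user needs to change (switch) the current application, the LPA is used to initiate a target application request to the server, for example by scanning a QR code that contains the server corresponding to the target application, by a hyperlink, or through an online mobile business hall.
In the embodiment of the present invention, as an optional embodiment, the eID acquisition request is the command data: ListAllEID [0] NULL.
In the embodiment of the present invention, as an optional embodiment, the eID update module 402 includes:
an eID acquisition request unit, configured to initiate an eID acquisition request to the eUICC;
an eID set receiving unit, configured to receive the stored eID set returned by the eUICC in response to the received eID acquisition request;
a query unit, configured to search the received eID set for the eID that contains the issuer identifier, to obtain the valid eID.
In the embodiment of the present invention, as an optional embodiment, one or more sets of service certificates are pre-stored in the eUICC, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, each eUICC certificate contains an eID, and the eID in each eUICC certificate is unique.
In the embodiment of the present invention, as an optional embodiment, the multiple sets of service certificates are stored in a chain structure.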
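Figure 5 shows a schematic flow chart of another method for extending embedded universal integrated circuit card applications provided by an embodiment of the present invention. As shown in Figure 5, the method includes:
Step 501: receive an eID acquisition request initiated by the local profile assistant LPA, and query the stored service certificate set, where the service certificate set contains one or more sets of service certificates, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where in a set of service certificates the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
In the embodiment of the present invention, when the terminal needs to switch to a target application, it obtains, according to the target application, the issuer identifier of the target application from the server corresponding to the target application, and initiates an eID acquisition request through the local profile assistant LPA in order to obtain the eID set.
In the embodiment of the present invention, as an optional embodiment, the multiple sets of service certificates are stored in a chain structure.
Step 502: obtain the eID contained in each eUICC certificate in the service certificate set, form an eID set, and return it to the LPA.
In the embodiment of the present invention, after obtaining the eID set, the terminal searches it for the eID that matches the issuer identifier to obtain the valid eID, and updates the current eID to the valid eID in order to download the target application or switch the current application to it.
In the embodiment of the present invention, as an optional embodiment, the method further includes:
receiving a CI certificate public key identifier;
searching the service certificate set for the service certificate that matches the CI certificate public key identifier, and obtaining the CI certificate and the EUM certificate in the matching service certificate;
searching the matching service certificate for the eUICC certificate that matches the currently set valid eID, and setting the CI certificate, the EUM certificate and the eUICC certificate as the valid certificates.
In the embodiment of the present invention, because there are multiple sets of service certificates, the valid certificates currently in use have to be determined during mutual authentication with the server: the CI certificate public key identifier returned by the server is obtained through mutual authentication with the server, and the valid certificates currently in use are determined from the CI certificate public key identifier and the current valid eID.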
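Figure 6 shows a schematic structural diagram of the embedded universal integrated circuit card provided by an embodiment of the present invention. As shown in Figure 6, the embedded universal integrated circuit card includes:
a service certificate set storage module 601, configured to store a service certificate set, where the service certificate set contains one or more sets of service certificates, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where in a set of service certificates the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
an eID acquisition request processing module 602, configured to receive an eID acquisition request initiated by the local profile assistant LPA, query the stored service certificate set, obtain the eID contained in each eUICC certificate in the service certificate set, form an eID set, and return it to the LPA.
In the embodiment of the present invention, as an optional embodiment, the card further includes:
a valid certificate setting module (not shown in the figure), configured to receive a CI certificate public key identifier;
search the service certificate set for the service certificate that matches the CI certificate public key identifier, and obtain the CI certificate and the EUM certificate in the matching service certificate;
search the matching service certificate for the eUICC certificate that matches the currently set valid eID, and set the CI certificate, the EUM certificate and the eUICC certificate as the valid certificates.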
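As shown in Figure 7, an embodiment of this application provides a computer device 700 for executing the method for extending embedded universal integrated circuit card applications in Figure 1 or Figure 5. The device includes a memory 701, a processor 702 and a computer program stored on the memory 701 and runnable on the processor 702, where the processor 702 implements the steps of the above method for extending embedded universal integrated circuit card applications when executing the computer program.
Specifically, the memory 701 and the processor 702 can be a general-purpose memory and processor, which are not specifically limited here; when the processor 702 runs the computer program stored in the memory 701, it can execute the above method for extending embedded universal integrated circuit card applications.
Corresponding to the method for extending embedded universal integrated circuit card applications in Figure 1 or Figure 5, an embodiment of this application further provides a computer-readable storage medium on which a computer program is stored, and the computer program performs the steps of the above method for extending embedded universal integrated circuit card applications when run by a processor.
Specifically, the storage medium can be a general-purpose storage medium, such as a removable disk or a hard disk; when the computer program on the storage medium is run, it can execute the above method for extending embedded universal integrated circuit card applications.
In the embodiments provided in this application, it should be understood that the disclosed system and method may be implemented in other ways. The system embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation; as another example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection of systems or units through some communication interfaces, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments provided in this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage media include: USB flash drives, removable hard disks, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disks, optical disks and other media that can store program code.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings. In addition, the terms "first", "second", "third" and so on are used only to distinguish descriptions and cannot be understood as indicating or implying relative importance.
Finally, it should be noted that the embodiments described above are only specific implementations of this application, used to illustrate its technical solutions rather than to limit them, and the scope of protection of this application is not limited to them. Although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone familiar with the technical field may, within the technical scope disclosed in this application, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes, or make equivalent replacements of some of the technical features; such modifications, changes or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application, and shall all be covered by the scope of protection of this application. Therefore, the scope of protection of this application shall be subject to the scope of protection of the claims.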

Claims (13)

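  1. A method for extending the applications of an embedded universal integrated circuit card (eUICC), characterized by comprising:
    when a target application needs to be downloaded or the current application needs to be switched to a target application, obtaining, according to the target application, the issuer identifier of the target application from the server corresponding to the target application;
    obtaining, from the stored set of embedded universal integrated circuit card identifiers (eID set), the eID that matches the issuer identifier to obtain a valid eID, and activating the valid eID or updating the current eID to the valid eID;
    according to the valid eID, causing the eUICC in the terminal to obtain a code number profile from the server through the local profile assistant LPA;
    receiving the code number profile obtained by the eUICC from the server, and obtaining from it the subscription information corresponding to the valid eID;
    transmitting the subscription information to the server, so that the server manages the target application corresponding to the valid eID after the switch.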
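  2. The method according to claim 1, characterized in that obtaining, according to the target application, the issuer identifier of the target application from the server corresponding to the target application comprises:
    the local profile assistant LPA of the terminal receives a target application request initiated by the user and sends it to the server corresponding to the target application;
    receiving the issuer identifier returned by the server, which contains the server's identifier.
  3. The method according to claim 2, characterized in that obtaining, from the stored set of embedded universal integrated circuit card identifiers (eID set), the eID that matches the issuer identifier to obtain a valid eID comprises:
    the LPA initiates an eID acquisition request to the eUICC;
    receiving the stored eID set returned by the eUICC in response to the received eID acquisition request;
    searching the received eID set for the eID that contains the issuer identifier, to obtain the valid eID.
  4. The method according to claim 3, characterized in that one or more sets of service certificates are pre-stored in the eUICC, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where in a set of service certificates the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, each eUICC certificate contains an eID, and the eID in each eUICC certificate is unique.
  5. The method according to claim 4, characterized in that the multiple sets of service certificates are stored in a chain structure.
  6. The method according to claim 4, characterized in that the method further comprises:
    obtaining the CI certificate public key identifier returned by the server during mutual authentication;
    searching the multiple sets of service certificates pre-stored in the eUICC card for the service certificate that matches the CI certificate public key identifier;
    searching the matching service certificate for the eUICC certificate that matches the valid eID.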
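  7. A method for extending the applications of an embedded universal integrated circuit card, characterized by comprising:
    receiving an eID acquisition request initiated by the local profile assistant LPA, and querying the stored service certificate set, where the service certificate set contains one or more sets of service certificates, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where in a set of service certificates the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
    obtaining the eID contained in each eUICC certificate in the service certificate set, forming an eID set, and returning it to the LPA.
  8. The method according to claim 7, characterized in that the method further comprises:
    receiving a CI certificate public key identifier;
    searching the service certificate set for the service certificate that matches the CI certificate public key identifier, and obtaining the CI certificate and the EUM certificate in the matching service certificate;
    searching the matching service certificate for the eUICC certificate that matches the currently set valid eID, and setting the CI certificate, the EUM certificate and the eUICC certificate as the valid certificates.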
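  9. An apparatus for extending the applications of an embedded universal integrated circuit card, characterized by comprising:
    an issuer identifier obtaining module, configured to obtain, according to the target application, the issuer identifier of the target application from the server corresponding to the target application when a target application needs to be downloaded or the current application needs to be switched to a target application;
    an eID update module, configured to obtain, from the stored set of embedded universal integrated circuit card identifiers (eID set), the eID that matches the issuer identifier to obtain a valid eID, and to activate the valid eID or update the current eID to the valid eID;
    a code number profile download module, configured to cause, according to the valid eID, the eUICC in the terminal to obtain a code number profile from the server through the local profile assistant LPA;
    a subscription information matching module, configured to receive the code number profile obtained by the eUICC from the server, and obtain from it the subscription information corresponding to the valid eID;
    a subscription information transmission module, configured to transmit the subscription information to the server, so that the server manages the target application corresponding to the valid eID after the switch.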
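  10. An embedded universal integrated circuit card, characterized by comprising:
    a service certificate set storage module, configured to store a service certificate set, where the service certificate set contains one or more sets of service certificates, and the service certificates include: a certificate issuer (CI) certificate, an embedded universal integrated circuit card manufacturer (EUM) certificate and eUICC certificates, where in a set of service certificates the number of CI certificates and the number of EUM certificates are both 1, the number of eUICC certificates is one or more, and each eUICC certificate contains an eID;
    an eID acquisition request processing module, configured to receive an eID acquisition request initiated by the local profile assistant LPA, query the stored service certificate set, obtain the eID contained in each eUICC certificate in the service certificate set, form an eID set, and return it to the LPA.
  11. The embedded universal integrated circuit card according to claim 10, characterized by further comprising:
    a valid certificate setting module, configured to receive a CI certificate public key identifier;
    search the service certificate set for the service certificate that matches the CI certificate public key identifier, and obtain the CI certificate and the EUM certificate in the matching service certificate;
    search the matching service certificate for the eUICC certificate that matches the currently set valid eID, and set the CI certificate, the EUM certificate and the eUICC certificate as the valid certificates.
  12. An electronic device, characterized by comprising: a processor, a memory and a bus, where the memory stores machine-readable instructions executable by the processor; when the electronic device runs, the processor and the memory communicate over the bus, and the machine-readable instructions, when executed by the processor, perform the steps of the method for extending embedded universal integrated circuit card applications according to any one of claims 1 to 8.
  13. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when run by a processor, performs the steps of the method for extending embedded universal integrated circuit card applications according to any one of claims 1 to 8.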
PCT/CN2019/124622 2019-09-30 2019-12-11 Method and apparatus for extending embedded universal integrated circuit card applications WO2021062945A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910939626.1 2019-09-30
CN201910939626.1A CN110856160B (zh) 2019-09-30 2019-09-30 Method and apparatus for extending embedded universal integrated circuit card applications

Publications (1)

Publication Number Publication Date
WO2021062945A1 true WO2021062945A1 (zh) 2021-04-08

Family

ID=69596198

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/124622 WO2021062945A1 (zh) 2019-09-30 2019-12-11 Method and apparatus for extending embedded universal integrated circuit card applications

Country Status (2)

Country Link
CN (1) CN110856160B (zh)
WO (1) WO2021062945A1 (zh)


Also Published As

Publication number Publication date
CN110856160B (zh) 2021-08-27
CN110856160A (zh) 2020-02-28


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19947628

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19947628

Country of ref document: EP

Kind code of ref document: A1