WO2021062946A1 - Method, device and system for online issuance of same-root certificate - Google Patents

Method, device and system for online issuance of same-root certificate

Info

Publication number
WO2021062946A1
Authority
WO
WIPO (PCT)
Prior art keywords
certificate
server
euicc
issuance
authentication request
Prior art date
Application number
PCT/CN2019/124623
Other languages
English (en)
Chinese (zh)
Inventor
何碧波
尤洪松
Original Assignee
恒宝股份有限公司
Priority date
Filing date
Publication date
Application filed by 恒宝股份有限公司
Publication of WO2021062946A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • This application relates to the field of smart card communication technology, and in particular to a method, device and system for online issuance of the same root certificate.
  • the eUICC card is an Embedded UICC card defined by the GSMA (Global System for Mobile Communications Association) that supports the download, installation, deletion, activation and deactivation of remote code number resources.
  • the eUICC card and the remote server SM-DP+ or SM-DP conduct mutual authentication and establish a secure channel.
  • the mutual authentication is based on the PKI certificate system to authenticate the legal identity of each participant.
  • CA is the root certificate issued by the certificate issuing authority; the EUM certificate is the certificate issued by the CA on behalf of the eUICC manufacturer; the eUICC certificate is the certificate preset in each eUICC card when it leaves the factory; the SM-DP certificates include the DPauth, DPpb, and DPtls certificates, among which the DPauth and DPpb certificates are used for mutual authentication with the eUICC and for establishing a secure channel, and the DPtls certificate is used for establishing authentication with the LPA.
  • the certificate preset in the eUICC card and the certificate preset in the SM-DP server are issued by the same certificate issuing center, so that two-way authentication can be completed and a secure channel can be established.
  • GSMA believes that CA certificates are managed and issued by independent organizations other than operators. However, due to security considerations in different countries and regions, they may choose to establish certificate issuing centers and SM-DP servers. Therefore, the certificate preset in the eUICC card may be a certificate of a certain operator, so that the eUICC card cannot access the SM-DP servers of other operators, which leads to the inability of different operators to interconnect.
  • the eUICC card with a mobile operator certificate pre-installed cannot download the code number resource from the SM-DP server of the Unicom operator.
  • the essential reason is that the certificate in the card and the server certificate are not issued by the same CA center, so mutual authentication cannot be completed and the two cannot communicate with each other.
  • GSMA proposes that the eUICC card should support certificates issued by multiple CA systems, so that the card can be preset with certificates of multiple operators, so that the eUICC card can download profiles from the SM-DP servers of multiple operators.
  • the more pre-installed certificates of the card the more storage space of the eUICC card is consumed, and the remaining space for downloading code number resources becomes less and less.
  • this solution limits the eUICC card to downloading the profiles of several operators' SM-DP servers; the eUICC card cannot download the profiles of all operators' SM-DP servers. Therefore, this solution cannot fully meet the interconnection requirements. Based on this, how to fundamentally meet the need for the eUICC card to download the profiles of all operators' SM-DP servers, so that operators can communicate with each other, is a problem that needs to be solved urgently.
  • This application provides an eUICC card with the same root certificate issued online, including:
  • the storage element is used to pre-store the CA certificate issuance information list and the CA certificate issuance center server address when the eUICC card leaves the factory;
  • the processing element is used to provide the SM-DP server with a list of CA certificate issuance information for verifying whether the certificate is the same as the root, and to provide the SM-DP server with the address of the CA certificate issuance center server used for online certificate application.
  • the processing element is also used to provide the SM-DP server with a challenge value for verifying the legitimacy of the eUICC card.
  • the online issuance of the eUICC card with the same root certificate as described above further includes an authentication module, and the authentication module specifically includes:
  • the server authentication request receiving sub-module is used to receive the server authentication request sent by the SM-DP server including the SM-DP certificate issued by the CA certificate issuing center;
  • the server authentication request legitimacy verification sub-module is configured to verify the legitimacy of the SM-DP certificate in the server authentication request based on the eUICC certificate;
  • the eUICC authentication request generation sub-module is used to sign the data to be signed using the eUICC card private key to obtain the eUICC card signature result, and generate the eUICC authentication request according to the eUICC signature result;
  • the eUICC authentication request transmission sub-module is used to transmit the eUICC authentication request to the SM-DP server for authentication.
  • the server authentication request legitimacy verification sub-module is specifically used to verify the CERT_SM-DPauth certificate in the server authentication request using the eUICC certificate, and to use the CERT_SM-DPauth certificate to verify the server signature result in the authentication request.
  • the eUICC card that issues the same root certificate online as described above, wherein the eUICC authentication request generation sub-module is specifically used to generate the eUICC to-be-signed data according to the service identifier, server address, and server challenge value in the server authentication request; use the eUICC private key to sign the eUICC data to be signed to obtain the eUICC signature result; and generate the eUICC authentication request according to the eUICC signature result, the eUICC data to be signed, the eUICC certificate, and the CERT_EUM certificate issued by the eUICC card manufacturer.
  • This application also provides an SM-DP server that issues the same root certificate online, including:
  • the CA certificate issuance information receiving module is used to receive the CA certificate issuance information sent by the eUICC card;
  • the certificate and root verification module is used to verify whether the certificates of the eUICC card and the SM-DP server are issued by the same root according to the CA certificate issuance information list in the CA certificate issuance information;
  • the online certificate application and issuance module is used to apply to the corresponding CA certificate issuance center for online issuance of a new SM-DP certificate, based on the CA certificate issuance center server address in the CA certificate issuance information, when it is verified that the eUICC card and the SM-DP server certificates are not issued by the same root.
  • the SM-DP server that issues the same root certificate online as described above, wherein the certificate online application issuance module is specifically used to: when it is verified that the eUICC certificate and the SM-DP certificate are not the same root, apply to the CA certificate issuance center to issue the CA public key certificate; receive the CA public key certificate issued by the CA certificate issuing center;
  • the SM-DP server that issues the same root certificate online as described above further includes an authentication module, and the authentication module specifically includes:
  • the server authentication request generation sub-module is used to generate a server authentication request according to the SM-DP certificate issued online by the CA certificate issuing center;
  • the server authentication request sending submodule is used to transmit the server authentication request to the eUICC card for authentication;
  • the eUICC authentication request receiving sub-module is configured to receive the eUICC authentication request returned by the eUICC card;
  • the eUICC authentication request authentication sub-module is used to authenticate the eUICC authentication request.
  • the SM-DP server that issues the same root certificate online as described above, wherein the server authentication request generation sub-module is specifically used to generate the server data to be signed according to the local communication service identifier, the received challenge value of the eUICC card, the random number challenge value generated by the SM-DP server, and the SM-DP server address; the newly issued two-way authentication certificate is used to sign the data to be signed, and the signature result is obtained;
  • This application also provides a method for online issuance of the same root certificate, which is applied to the SM-DP server, and the method includes:
  • the method for online issuance of the same root certificate as described above, wherein, applying to the corresponding CA certificate issuance center for the online issuance of a new SM-DP certificate includes the following sub-steps:
  • When verifying that the eUICC certificate and the SM-DP certificate are not at the same root, the SM-DP server applies to the CA certificate issuing center to issue the CA public key certificate;
  • the method for online issuance of the same root certificate as described above, wherein, generating a server authentication request according to the new SM-DP certificate issued online by the CA certificate issuance center specifically includes the following sub-steps:
  • the SM-DP server authentication request is generated according to the signature result, the server data to be signed, the newly issued two-way authentication certificate, the authentication certificate to be downloaded, and the SM-DP server address.
  • This application also provides a system for online issuance of the same root certificate, including the above-mentioned eUICC card, LPAd, the above-mentioned SM-DP server and the CA certificate issuing center;
  • the LPAd is used to send a request for obtaining CA certificate issuance information to the eUICC card, and send the CA certificate issuance information to the SM-DP server;
  • the CA certificate issuance center is configured to issue a new SM-DP certificate according to an application for online issuance of a certificate request sent by the SM-DP server, and return the new SM-DP certificate to the SM-DP server.
  • the SM-DP server generates server data to be signed according to the local communication service identifier, eUICC challenge value, server challenge value and server address; uses the newly issued CERT_SM-DPauth certificate to sign the server data to be signed to obtain the server signature result; and generates the server authentication request according to the server signature result, the server data to be signed, the newly issued CERT_SM-DPauth certificate, the CERT_SM-DPpb certificate and the SM-DP server address;
  • the SM-DP server sends the server authentication request to LPAd;
  • LPAd parses out the SM-DP server address from the server authentication request, and checks the validity of the SM-DP server address
  • LPAd will forward the server authentication request to the eUICC card
  • the eUICC card verifies the legitimacy of the server authentication request, and generates the eUICC to-be-signed data according to the service ID, server address, and server challenge value in the server authentication request after the verification is passed;
  • the eUICC card uses the eUICC private key to sign the eUICC data to be signed, and the eUICC signature result is obtained. Based on the eUICC signature result, the eUICC data to be signed, the eUICC certificate, and the CERT_EUM certificate issued by the eUICC card manufacturer, an eUICC certification request is generated; the eUICC certification request is sent to LPAd;
  • LPAd sends the eUICC authentication request to the SM-DP server
  • the SM-DP server verifies the CERT_EUM certificate in the eUICC certification request with the issued CA public key certificate, uses the CERT_EUM certificate to verify the eUICC certificate after the verification is passed, and uses the eUICC certificate to verify the eUICC signature result after the verification is passed again.
  • the beneficial effects achieved by this application are as follows: with the method of online issuance of the same root certificate provided by this application, when the eUICC card certificate and the SM-DP certificate are not issued by the same root, the SM-DP authentication certificate and the ready-to-download certificate are issued online, two-way authentication is completed and the operator's profile is downloaded, so that the eUICC card can download the SM-DP server profiles of all operators and truly interconnect with different operators.
  • FIG. 1 is a flowchart of a method for online issuance of an eUICC card with the same root certificate provided in Embodiment 1 of the present application;
  • FIG. 2 is a flowchart of the SM-DP server method for online issuance of the same root certificate provided in the second embodiment of the application;
  • FIG. 3 and FIG. 4 are the flowcharts of the system method for online issuance of the same root certificate provided by the third embodiment of the present application;
  • FIG. 5 is a schematic diagram of an eUICC card for online issuance of the same root certificate provided in Embodiment 4 of the present application;
  • Fig. 6 is a schematic diagram of an eUICC card for online issuance of the same root certificate provided in the fourth embodiment of the present application;
  • Fig. 7 is a schematic diagram of a system for online issuance of the same root certificate provided in the fourth embodiment of the present application.
  • the first embodiment of the present application provides a method for online issuance of the same root certificate, as shown in FIG. 1, which is applied to an eUICC card, and the method includes:
  • Step 110 Send CA certificate issuance information to the SM-DP server to verify whether the certificates of the eUICC card and the SM-DP server have the same root;
  • the eUICC card needs to use the terminal connected to it to communicate with the outside, and LPAd is preset on the terminal side; LPAd (local profile assistant when the LPA is in the device) is the terminal's local configuration assistant.
  • the eUICC card sends the CA certificate issuance information to the SM-DP server through LPAd according to the request for obtaining CA certificate issuance information initiated by LPAd.
  • the CA certificate issuance information is the data pre-stored in the card memory when the eUICC card leaves the factory, including but not limited to the CA certificate issuance information list (including the identification of the CA certificates in all eUICC cards) and the CA certificate issuance center server address; it is used to verify whether the eUICC certificate and the SM-DP certificate are the same root, that is, to verify whether the eUICC certificate and the SM-DP certificate are certificates issued by the same CA certificate issuing center;
  • the data sent to the SM-DP server may also include the challenge value eUICCchallenge generated by the eUICC card.
  • Step 120 If the certificates of the eUICC card and the SM-DP server are not issued by the same root, receive the SM-DP server authentication request sent by the SM-DP server; the authentication request includes the new SM-DP certificate issued by the CA certificate issuing center;
  • the SM-DP server sequentially checks, according to one or more CA certificate identifiers in the CA certificate issuance information list, whether the SM-DP certificate is a certificate issued by the same CA certificate issuing center.
  • If it is not, the SM-DP server needs to request the corresponding CA certificate issuance center to issue a new SM-DP certificate matching the eUICC card CA certificate, according to the certificate issuance center server address in the CA certificate issuance information; otherwise it directly uses the same-root SM-DP certificate for mutual authentication;
  • the new SM-DP certificate issued includes the CERT_SM-DPauth certificate (two-way authentication certificate) used for subsequent mutual authentication with the eUICC card and used for key negotiation to generate the session secret before downloading the profile after mutual authentication.
  • the SM-DP server generates two sets of public and private key pairs according to the certificate application data information (such as password algorithm identification, certificate issuance identification, etc.) in the CA certificate issuance information list of the eUICC card, and the two key pairs are used respectively to generate the csr_SM-DP file and the csr_SM-DPpb file of the same root. The CA certificate issuing center then generates the CERT_SM-DPauth certificate and the CERT_SM-DPpb certificate based on these two files and issues the two certificates to the SM-DP server. The SM-DP server generates an authentication request according to the CERT_SM-DPauth certificate and the CERT_SM-DPpb certificate and transmits it to the eUICC card for two-way authentication; the specific generation process of the authentication request is detailed in the subsequent system method embodiments, and will not be repeated here.
  • Step 130 Verify the validity of the SM-DP certificate in the authentication request based on the eUICC card CA certificate, use the eUICC card private key to sign the signature data, and transmit the obtained eUICC card signature result to the SM-DP server for authentication;
  • the eUICC card CA certificate is used to verify the CERT_SM-DPauth certificate, and then the CERT_SM-DPauth certificate is used to verify the server signature result;
  • the eUICC card authenticates the SM-DP server, and then uses the eUICC card private key to sign the data to be signed, and transmits the signature result to the SM-DP server.
  • the SM-DP server completes the authentication of the eUICC card, realizing two-way authentication between the SM-DP server and the eUICC card.
  • the terminal-side LPAd initiates a request to obtain the CA certificate issuance information in the eUICC card, and sends the received CA certificate issuance information and challenge value to the current SM-DP server.
  • the SM-DP server checks the eUICC card CA
  • the SM-DP server applies to the CA certificate issuing center corresponding to the eUICC card CA certificate to issue the SM-DP certificate, generates a certification request based on the SM-DP certificate and sends it to the eUICC card through LPAd.
  • After the eUICC card passes the authentication request of the SM-DP server, it generates a signed authentication package and sends it to the SM-DP server for authentication.
  • the two-way authentication between the eUICC card and the SM-DP server can be realized, so that the profiles in the SM-DP servers of all operators can be downloaded without increasing the number of certificates in the eUICC card, further realizing online two-way authentication to meet the interconnection requirements with different operators.
  • the second embodiment of the present application provides a method for online issuance of the same root certificate, as shown in FIG. 2, which is applied to an SM-DP server, and the method includes:
  • Step 210 Receive the CA certificate issuance information sent by the eUICC card, and parse the CA certificate issuance information list and the corresponding CA certificate issuance center server address from the CA certificate issuance information;
  • the SM-DP server receives the CA certificate issuance information sent by the eUICC card via LPAd, where the transmitted data may also include the random number challenge value generated by the eUICC card.
  • Step 220 If it is verified according to the CA certificate issuance information list that the certificates of the eUICC card and the SM-DP server are not the same root, then apply to the corresponding CA certificate issuance center to issue a new SM-DP certificate online according to the CA certificate issuance center server address;
  • applying to the CA certificate issuance center for online issuance of the SM-DP certificate includes the following sub-steps:
  • Step 221 When it is verified that the eUICC certificate and the SM-DP certificate are not the same root, the SM-DP server applies to the CA certificate issuing center to issue the CA public key certificate;
  • Step 222 The SM-DP server receives the CA public key certificate CERT_CA issued by the CA certificate issuing center;
  • Step 223 The SM-DP server uses the eUICC certificate to generate the csr_SM-DP file and the csr_SM-DPpb file of the same root, and sends the csr_SM-DP file and the csr_SM-DPpb file to the CA certificate issuing center to request the issuance of the SM-DP certificate;
  • Step 224 The SM-DP server receives the CERT_SM-DPauth certificate and the CERT_SM-DPpb certificate newly issued by the CA certificate issuance center;
  • the certificate issuance process follows the existing certificate issuance business specifications.
  • the CA certificate issuance center verifies the csr_SM-DP file and csr_SM-DPpb file generated by SM-DP. After the verification is passed, it issues the CERT_SM-DPauth certificate (two-way authentication certificate) for subsequent mutual authentication with the eUICC card and the CERT_SM-DPpb certificate (ready-to-download authentication certificate) for downloading the operator profile after the two-way authentication.
  • Step 230 Generate an authentication request based on the new SM-DP certificate issued online by the CA certificate issuing center and transmit it to the eUICC card for authentication;
  • the SM-DP server generates the data to be signed serversign according to the transaction ID of the local communication service, the received challenge value eUICCchallenge of the eUICC card, the random number challenge value serverchallenge generated by the SM-DP server, and the SM-DP server address SM-XX address. It then uses the newly issued CERT_SM-DPauth certificate to sign the data to be signed serversign to obtain the signature result serversignature. Then, according to the signature result serversignature, the data to be signed serversign, the newly issued CERT_SM-DPauth certificate, the CERT_SM-DPpb certificate and the SM-DP server address SM-XX address, it generates the SM-DP server authentication request.
  • Step 240 Receive the eUICC authentication request returned by the eUICC card, and authenticate the eUICC authentication request.
  • after the authentication request is authenticated and passed, the eUICC card sends the eUICC authentication request it generated to the SM-DP server, where the eUICC authentication request includes the eUICC signature result eUICCsignature, the eUICC to-be-signed data eUICCsign, the eUICC card certificate CERT_EUICC and the CERT_EUM certificate issued by the eUICC card manufacturer; the SM-DP server uses the CA public key certificate CERT_CA issued by the CA certificate issuing center to verify the CERT_EUM certificate, then uses the CERT_EUM certificate to authenticate the CERT_EUICC certificate, and then uses the CERT_EUICC certificate to verify the correctness of eUICCsignature; if all verifications are passed, the two-way authentication initiated by the SM-DP server is successful.
  • the third embodiment of the application provides a method for online issuance of the same root certificate, as shown in Figure 3 and Figure 4, which is applied to a system including the eUICC card, LPAd (Local Profile Assistant, local configuration assistant), the SM-DP server and the CA certificate issuing center
  • Step 301 The LPAd sends a request to the eUICC card to obtain the CA certificate issuance information in the eUICC card.
  • Step 302 The eUICC card returns the CA certificate issuance information to LPAd;
  • the CA certificate issuance information includes but is not limited to the CA certificate issuance information list and the CA certificate issuance center server address, where the CA certificate list information includes one or more CA certificate identifiers. A mapping table between CA certificate issuance information and server address is maintained in the secure memory of the eUICC card, and each CA certificate issuance information corresponds to the address of the server that issued the certificate.
  • Step 303 LPAd sends an instruction to acquire a challenge value to the eUICC card.
  • Step 304 The eUICC card generates a random number as the challenge value and sends it to the LPAd;
  • the request by which LPAd obtains the CA certificate issuance information in the eUICC card and the command to obtain the challenge value can be combined in one transmission, that is, LPAd sends the eUICC card a single request for the CA certificate issuance information and the challenge value.
  • the eUICC card transmits the obtained CA certificate issuance information and the generated random number challenge value to LPAd in a single transmission.
  • Step 305 LPAd sends the CA certificate issuance information and the eUICC challenge value to the SM-DP server;
  • data is transmitted between the LPAd and the SM-DP server over a secure channel established by negotiating a session key, which is the same as the existing secure transmission method and is not limited here.
  • Step 306 The SM-DP server parses the CA certificate issuance information returned by the eUICC card to obtain the CA certificate issuance information list, the corresponding CA certificate issuance center server address, and the eUICC challenge value;
  • Step 307 The SM-DP server checks whether the certificates of the eUICC card and the SM-DP server are issued by the same root; if so, it directly performs the mutual authentication operation using the same-root certificate; otherwise, it goes to step 308;
  • the SM-DP server checks in turn whether each of the one or more CA certificates in the CA certificate issuance information and the SM-DP certificate are issued by the same CA certificate issuing center. If it determines that the eUICC certificate and the existing SM-DP certificate are not issued by the same root, two-way authentication cannot be performed at this time. If it determines that the eUICC certificate and the existing SM-DP certificate are issued by the same root, the normal two-way authentication operation is performed directly, where the normal two-way authentication operation refers to the existing two-way authentication method and is not limited here.
  • Step 308 The SM-DP server applies to the corresponding CA certificate issuance center to issue a CA public key certificate according to the received CA certificate issuance center server address.
  • Step 309 The CA certificate issuing center issues the CA public key certificate CERT_CA and returns the newly issued CA public key certificate to the SM-DP server;
  • Step 310 The SM-DP server generates a CERT_SM-DPauth file and a CERT_SM-DPpb file according to the eUICC certificate.
  • Step 311 The SM-DP server applies to the CA certificate issuance center to issue the SM-DP certificate according to the CERT_SM-DPauth file and the CERT_SM-DPpb file.
  • Step 312 The CA certificate issuing center verifies the legality of the CERT_SM-DPauth file and the CERT_SM-DPpb file, issues the CERT_SM-DPauth certificate and the CERT_SM-DPpb certificate after the verification passes, and returns the issued certificates to the SM-DP server;
  • the SM-DP certificate issued by the CA certificate issuing center includes the CERT_SM-DPauth certificate for two-way authentication and the CERT_SM-DPpb certificate for downloading the operator profile after two-way authentication.
  • Step 313 The SM-DP server generates server data to be signed according to the service identifier of the local communication, the eUICC challenge value, the server challenge value, and the server address.
  • the SM-DP server generates a random number as the SM-DP server challenge value serverchallenge, and then generates the server data to be signed, serversign, from the local communication service identifier transactionID, the received eUICC challenge value eUICCchallenge, the server challenge value serverchallenge, and the SM-DP server address (SM-XX address).
  • Step 314 The SM-DP server uses the newly issued CERT_SM-DPauth certificate to sign the server's to-be-signed data to obtain the server's signature result;
  • the SM-DP server uses the newly issued CERT_SM-DPauth certificate to sign the to-be-signed data serversign to obtain the signature result serversignature.
  • Step 315 The SM-DP server generates a server authentication request according to the server signature result, the server data to be signed, the newly issued CERT_SM-DPauth certificate, and the CERT_SM-DPpb certificate;
  • the SM-DP server generates a server authentication request according to the signature result serversignature, the data to be signed serversign, the newly issued CERT_SM-DPauth certificate and the CERT_SM-DPpb certificate.
  • Step 316 The SM-DP server sends the server authentication request to LPAd.
  • Step 317 LPAd verifies whether the SM-DP server address in the server authentication request is a legal address; if it is, step 318 is executed, otherwise an error is reported;
  • LPAd parses the SM-DP server address from the server data to be signed in the server authentication request, and determines from the parsed SM-DP server address whether this is the same SM-DP server as in the CA certificate issuance information exchange. If it is the same server, the source of the received authentication request is legal.
  • Step 318 LPAd forwards the server authentication request to the eUICC card;
  • Step 319 The eUICC card verifies the legitimacy of the server authentication request, and generates eUICC to-be-signed data according to the service identifier, server address, and server challenge value in the server authentication request after the verification is passed;
  • verifying the legitimacy of the server authentication request includes using the eUICC certificate to verify the CERT_SM-DPauth certificate in the server authentication request, using the CERT_SM-DPauth certificate to verify the server signature result in the authentication request, and verifying the eUICC challenge value in the server authentication request;
  • the eUICC to-be-signed data eUICCSigned is generated according to the service identifier transactionId, server address serverAddress, and server challenge value serverChallenge.
  • Step 320 The eUICC card uses the eUICC private key to sign the eUICC data to be signed to obtain the eUICC signature result, and generates an eUICC authentication request according to the eUICC signature result, the eUICC data to be signed, the eUICC certificate, and the CERT_EUM certificate issued by the eUICC card manufacturer;
  • the eUICC private key is used to sign the eUICC to-be-signed data eUICCSigned to obtain the eUICC signature result eUICCSignature.
  • Step 321 The eUICC card sends the eUICC authentication request to the LPAd.
  • Step 322 LPAd sends the eUICC authentication request to the SM-DP server.
  • Step 323 The SM-DP server verifies the CERT_EUM certificate in the eUICC authentication request with the issued CA public key certificate, uses the CERT_EUM certificate to verify the eUICC certificate after that verification passes, and uses the eUICC certificate to verify the eUICC signature result after that verification also passes;
  • the SM-DP server and the eUICC card complete the mutual authentication after all verifications are completed.
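
The exchange of steps 313 to 319, as an added Go example that is not part of the patent text: the SM-DP signs the service identifier, both challenges and its address, and the eUICC accepts the request only if the SM-DP certificate chains to its own root, which is why a certificate from a different root has to be replaced through online issuance first. ECDSA P-256 with SHA-256, the field encoding, validation against a CA root certificate stored on the eUICC, and all names (issue, AuthRequest, toBeSigned, serverAuthRequest, euiccVerify, smdp.example) are assumptions; the patent does not specify them.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type AuthRequest struct { // server authentication request of step 315 (layout assumed)
	TxID, Addr             string
	EUICCCh, ServerCh, Sig []byte
	Cert                   *x509.Certificate
}

// issue stands in for a CA issuance center; a nil parent yields a self-signed root.
func issue(cn string, pc *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if pc == nil { // root: mark as CA and sign with its own key
		t.IsCA, t.KeyUsage, pc, pk = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, pc, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// toBeSigned hashes serversign (step 313); %q and %x keep the field boundaries unambiguous.
func toBeSigned(r AuthRequest) []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%q|%x|%x|%q", r.TxID, r.EUICCCh, r.ServerCh, r.Addr)))
	return d[:]
}

// serverAuthRequest is steps 313-315: a fresh server challenge, signed with the SM-DP key.
func serverAuthRequest(cert *x509.Certificate, key *ecdsa.PrivateKey, txID, addr string, euiccCh []byte) AuthRequest {
	r := AuthRequest{TxID: txID, Addr: addr, EUICCCh: euiccCh, ServerCh: make([]byte, 16), Cert: cert}
	rand.Read(r.ServerCh)
	r.Sig, _ = ecdsa.SignASN1(rand.Reader, key, toBeSigned(r))
	return r
}

// euiccVerify is step 319: certificate chain to the eUICC's root, signature, then challenge.
func euiccVerify(root *x509.Certificate, sent []byte, r AuthRequest) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	pub, _ := r.Cert.PublicKey.(*ecdsa.PublicKey)
	_, err := r.Cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	switch {
	case err != nil:
		return fmt.Errorf("SM-DP certificate is not under the eUICC's root: %w", err)
	case pub == nil || !ecdsa.VerifyASN1(pub, toBeSigned(r), r.Sig):
		return fmt.Errorf("bad server signature for transaction %q", r.TxID)
	case !bytes.Equal(sent, r.EUICCCh):
		return fmt.Errorf("eUICC challenge mismatch, request carries %x", r.EUICCCh)
	}
	return nil
}

func main() { // constructed run: CA-A issues the SM-DP certificate and the eUICC accepts it
	ca, caKey := issue("CA-A", nil, nil)
	cert, key := issue("SM-DP auth", ca, caKey)
	ch := []byte("constructed eUICC challenge")
	fmt.Println("eUICC verdict:", euiccVerify(ca, ch, serverAuthRequest(cert, key, "tx-1", "smdp.example", ch)))
}
```

A request signed with a certificate from a second root fails the first check, and a replayed request fails the last one because it carries an old eUICC challenge.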
  • the fourth embodiment of the present application provides an eUICC card that issues the same root certificate online.
  • the eUICC card includes:
  • the storage element 510 is used to pre-store the CA certificate issuance information list and the CA certificate issuance center server address when the eUICC card leaves the factory;
  • the processing element 520 is used to provide the SM-DP server with a list of CA certificate issuance information used to verify whether the certificates are of the same root, and is used to provide the SM-DP server with the address of the CA certificate issuance center server used for online certificate application.
  • the processing element is further configured to provide the SM-DP server with a challenge value for verifying the legitimacy of the eUICC card.
  • the eUICC card further includes an authentication module 530, and the authentication module 530 specifically includes:
  • the server authentication request receiving submodule 531 is configured to receive the server authentication request sent by the SM-DP server and including the SM-DP certificate issued by the CA certificate issuing center;
  • the server authentication request legitimacy verification sub-module 532 is configured to verify the legitimacy of the SM-DP certificate in the server authentication request based on the eUICC certificate;
  • the eUICC authentication request generation sub-module 533 is configured to use the eUICC card private key to sign the data to be signed to obtain the eUICC card signature result, and generate the eUICC authentication request according to the eUICC signature result;
  • the eUICC authentication request transmission sub-module 534 is configured to transmit the eUICC authentication request to the SM-DP server for authentication.
  • the server authentication request legitimacy verification sub-module 532 is specifically configured to use the eUICC certificate to verify the CERT_SM-DPauth certificate in the server authentication request, and use the CERT_SM-DPauth certificate to verify the server signature result in the authentication request.
  • the eUICC authentication request generation submodule 533 is specifically used to generate eUICC data to be signed according to the service identifier, server address, and server challenge value in the server authentication request; use the eUICC private key to sign the eUICC data to be signed to obtain the eUICC signature result; and generate an eUICC authentication request based on the eUICC signature result, the eUICC to-be-signed data, the eUICC certificate, and the CERT_EUM certificate issued by the eUICC card manufacturer.
  • the fifth embodiment of the present application provides an SM-DP server that issues the same root certificate online.
  • the SM-DP server includes:
  • the CA certificate issuance information receiving module 610 is configured to receive the CA certificate issuance information sent by the eUICC card;
  • the certificate same-root verification module 620 is used to verify whether the certificates of the eUICC card and the SM-DP server are issued by the same root according to the CA certificate issuance information list in the CA certificate issuance information;
  • the certificate online application and issuance module 630 is used to apply to the corresponding CA certificate issuance center for online issuance of a new SM-DP certificate, according to the CA certificate issuance center server address in the CA certificate issuance information, when it is verified that the eUICC card and the SM-DP server certificate are not issued by the same root.
  • the certificate online application and issuance module 630 is specifically used to: when it is verified that the eUICC certificate and the SM-DP certificate are not of the same root, apply to the CA certificate issuance center to issue the CA public key certificate; and receive the CA public key certificate issued by the CA certificate issuing center;
  • the SM-DP server further includes an authentication module 640, and the authentication module 640 specifically includes:
  • the server authentication request generating sub-module 641 is configured to generate a server authentication request according to the SM-DP certificate issued online by the CA certificate issuing center;
  • the server authentication request sending submodule 642 is configured to transmit the server authentication request to the eUICC card for authentication;
  • the eUICC authentication request receiving submodule 643 is configured to receive the eUICC authentication request returned by the eUICC card;
  • the eUICC authentication request authentication sub-module 644 is used to authenticate the eUICC authentication request.
  • the server authentication request generation sub-module 641 is specifically configured to generate server data to be signed according to the service identifier of the local communication, the received challenge value of the eUICC card, the random number challenge value generated by the SM-DP server, and the SM-DP server address; and use the newly issued two-way authentication certificate to sign the data to be signed to obtain the signature result;
  • the sixth embodiment of the application provides a system for online issuance of the same root certificate.
  • the system includes: eUICC card 710, LPAd 720, SM-DP server 730, and CA certificate issuance center 740;
  • the LPAd is used to send a request for obtaining CA certificate issuance information to the eUICC card, and send the CA certificate issuance information to the SM-DP server;
  • the CA certificate issuance center is configured to issue a new SM-DP certificate according to the request for online issuance of a certificate sent by the SM-DP server, and return the new SM-DP certificate to the SM-DP server.
  • after the new SM-DP certificate is returned to the SM-DP server, the following is also included:
  • the SM-DP server generates server data to be signed according to the local communication service identifier, eUICC challenge value, server challenge value and server address; uses the newly issued CERT_SM-DPauth certificate to sign the server data to be signed to obtain the server signature result; and generates a server authentication request according to the server signature result, server data to be signed, newly issued CERT_SM-DPauth certificate, CERT_SM-DPpb certificate and SM-DP server address;
  • the SM-DP server sends the server authentication request to LPAd;
  • LPAd parses out the SM-DP server address from the server authentication request, and checks the validity of the SM-DP server address;
  • LPAd forwards the server authentication request to the eUICC card;
  • the eUICC card verifies the legitimacy of the server authentication request, and generates the eUICC to-be-signed data according to the service ID, server address, and server challenge value in the server authentication request after the verification is passed;
  • the eUICC card uses the eUICC private key to sign the eUICC data to be signed to obtain the eUICC signature result; generates an eUICC authentication request based on the eUICC signature result, the eUICC data to be signed, the eUICC certificate, and the CERT_EUM certificate issued by the eUICC card manufacturer; and sends the eUICC authentication request to LPAd;
  • LPAd sends the eUICC authentication request to the SM-DP server;
  • the SM-DP server verifies the CERT_EUM certificate in the eUICC certification request with the issued CA public key certificate, uses the CERT_EUM certificate to verify the eUICC certificate after the verification is passed, and uses the eUICC certificate to verify the eUICC signature result after the verification is passed again.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a method, a device and a system for issuing same-root certificates online. An eUICC card for online issuance of a same-root certificate comprises: a storage element for pre-storing a CA certificate issuance information list and a CA certificate issuance center server address when the eUICC card leaves the factory; and a processing element for providing the SM-DP server with a CA certificate issuance information list used to verify whether certificates are of the same root, and for providing the SM-DP server with a CA certificate issuance center server address used for online certificate application. Where the certificate of the eUICC card and the certificate of the SM-DP are not issued by the same root, the SM-DP authentication certificate and the download certificate are issued online, two-way authentication is performed, and the operator profile is downloaded, so that the eUICC card can download the SM-DP server profiles of all operators, and interconnection and intercommunication between different operators are fully achieved.
PCT/CN2019/124623 2019-09-30 2019-12-11 Method, device and system for online issuance of same-root certificate WO2021062946A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910940020.XA CN110535665B (zh) 2019-09-30 2019-09-30 Method, device and system for online issuance of same-root certificate
CN201910940020.X 2019-09-30

Publications (1)

Publication Number Publication Date
WO2021062946A1 (fr) 2021-04-08

Family

ID=68671457

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/124623 WO2021062946A1 (fr) 2019-09-30 2019-12-11 Method, device and system for online issuance of same-root certificate

Country Status (2)

Country Link
CN (1) CN110535665B (fr)
WO (1) WO2021062946A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115333793A (zh) * 2022-07-22 2022-11-11 中国第一汽车股份有限公司 OBD interface authentication method based on network-connectable diagnostic device, and vehicle

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
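CN110535665B (zh) * 2019-09-30 2021-02-19 恒宝股份有限公司 Method, device and system for online issuance of same-root certificate
CN113395160B (zh) * 2020-03-11 2022-11-01 大唐移动通信设备有限公司 Certificate management method and apparatus, issuing entity, management entity and Internet of Vehicles device
CN112533211B (zh) * 2020-12-30 2023-08-29 深圳杰睿联科技有限公司 Certificate update method and system for eSIM card, and storage medium
CN115134154B (zh) * 2022-06-30 2024-06-18 长城汽车股份有限公司 Authentication method and apparatus, and method and system for remotely controlling a vehicle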

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018014930A1 (fr) * 2016-07-18 2018-01-25 Telefonaktiebolaget Lm Ericsson (Publ) Remote provision of a subscriber entity
CN107660346A (zh) * 2015-03-25 2018-02-02 三星电子株式会社 Method and apparatus for downloading a profile in a wireless communication system
WO2018145547A1 (fr) * 2017-02-10 2018-08-16 华为技术有限公司 Method for updating certificate issuer public key, and related device and system
CN108924821A (zh) * 2018-08-10 2018-11-30 江苏恒宝智能系统技术有限公司 Method for managing operator-independent applications, and eUICC card thereof
CN109428717A (zh) * 2017-09-01 2019-03-05 苹果公司 Managing embedded universal integrated circuit card provisioning with multiple certificate issuers
CN110535665A (zh) * 2019-09-30 2019-12-03 恒宝股份有限公司 Method, device and system for online issuance of same-root certificate

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
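CN108574683A (zh) * 2017-03-13 2018-09-25 中兴通讯股份有限公司 Subscription data processing method, subscription management server and subscription data processing apparatus
CN109495429B (zh) * 2017-09-12 2020-08-07 华为技术有限公司 Authentication method, terminal and server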

Also Published As

Publication number Publication date
CN110535665A (zh) 2019-12-03
CN110535665B (zh) 2021-02-19

Similar Documents

Publication Publication Date Title
US11323441B2 (en) System and method for proxying federated authentication protocols
WO2021062946A1 (fr) Method, device and system for online issuance of same-root certificate
EP2939386B1 (fr) Method and device for single-sign-on collaboration among mobile devices
EP2255507B1 (fr) System and method for securely issuing subscription credentials to communication devices
US8806205B2 (en) Apparatus for and method of multi-factor authentication among collaborating communication devices
EP2842258B1 (fr) Multi-factor certificate authority
CN111783068B (zh) Device authentication method and system, electronic device and storage medium
CN112311543B (zh) GBA key generation method, terminal and NAF network element
CN113746633A (zh) Internet of Things device binding method, apparatus and system, cloud server and storage medium
CN112203271A (zh) Communication connection method, apparatus and system
JP2023505471A (ja) Provisioning method and terminal device
CN108259486B (zh) Certificate-based end-to-end key exchange method
JP2020120173A (ja) Electronic signature system, certificate issuance system, certificate issuance method and program
CN114915418A (zh) Service certificate management method, apparatus and system, and electronic device
WO2017076257A1 (fr) System and method for application certification
CN114158046B (zh) Method and apparatus for implementing one-click login service
WO2022094936A1 (fr) Access method, device, and cloud platform device
CN113727059A (zh) Network access authentication method, apparatus and device for multimedia conference terminal, and storage medium
CN105530687A (zh) Wireless network access control method and access device
CN115362664B (zh) Internet of Things-based communication method, apparatus and device
WO2019047714A1 (fr) Method for generating temporary user credential, user card, terminal and network device
CN114697137B (zh) Application login method, apparatus and device, and storage medium
CN114158047B (zh) Method and apparatus for implementing one-click login service
CN113656788B (zh) Conference joining authentication method, apparatus and device for multimedia conference terminal, and storage medium
WO2023240587A1 (fr) Device permission configuration method and apparatus, and terminal device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19948032

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19948032

Country of ref document: EP

Kind code of ref document: A1