Disclosure of Invention
In order to solve the existing technical problem, embodiments of the present invention provide a control method and a smart card.
In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:
An embodiment of the present invention provides a control method, which is applied to a smart card and comprises the following steps:
acquiring first information; the first information includes a terminal configuration (Terminal Profile) value and an International Mobile Equipment Identity (IMEI) of the first terminal;
judging whether the acquired first information is the same as second information stored by the smart card itself; the second information comprises a Terminal Profile value and an IMEI stored by the smart card;
and performing an authentication locking operation on the first terminal, or enabling the first terminal to access a network, according to the judgment result.
In the foregoing solution, the performing an authentication locking operation on the first terminal or enabling the first terminal to access a network according to the determination result includes:
and when the first information is different from the second information, performing authentication locking operation on the first terminal.
In the foregoing solution, the acquiring the first information includes:
receiving a Terminal Profile value sent by the first Terminal;
sending a command to the first terminal; the command is used for requesting the first terminal to send an IMEI;
and receiving the IMEI returned by the first terminal.
In the foregoing solution, before the determining whether the obtained first information is the same as the second information stored by the smart card itself, the method further includes:
judging whether the smart card is bound to a terminal, and when it is bound, judging whether the acquired first information is the same as the second information stored by the smart card.
In the foregoing solution, the determining whether the smart card is bound to a terminal includes:
judging whether the smart card is bound to a terminal by using the first identifier stored by the smart card; the first identifier represents whether binding has been started.
In the above scheme, the method further comprises:
when the smart card is not bound to a terminal, storing the first information, setting the first identifier to represent that binding has been started, and enabling the first terminal to access a network; the stored first information is used for judging whether a terminal using the smart card is allowed to access the network.
An embodiment of the present invention further provides a smart card, including:
an acquisition unit configured to acquire first information; the first information comprises a Terminal Profile value and an IMEI of the first terminal;
a judging unit configured to judge whether the acquired first information is the same as the second information stored by the smart card itself; the second information comprises a Terminal Profile value and an IMEI stored by the smart card;
and the operation unit is used for carrying out authentication locking operation on the first terminal or enabling the first terminal to access a network according to the judgment result.
In the foregoing solution, the operation unit is specifically configured to:
and when the first information is different from the second information, performing authentication locking operation on the first terminal.
In the foregoing solution, the obtaining unit is specifically configured to:
receiving a Terminal Profile value sent by the first Terminal;
sending a command to the first terminal; the command is used for requesting the first terminal to send an IMEI;
and receiving the IMEI returned by the first terminal.
In the foregoing solution, the determining unit is further configured to determine whether the smart card is bound to a terminal, and when the smart card is bound to the terminal, determine whether the obtained first information is the same as second information stored in the smart card.
In the foregoing solution, the determining unit is specifically configured to:
judging whether the smart card is bound with the terminal or not by utilizing a first identifier stored by the smart card; the first identification represents whether binding is started.
In the foregoing solution, the operation unit is further configured to:
when the smart card is not bound to a terminal, storing the first information, setting the first identifier to represent that binding has been started, and enabling the first terminal to access a network; the stored first information is used for judging whether a terminal using the smart card is allowed to access the network.
The control method and the smart card provided by the embodiment of the invention obtain first information; the first information comprises a Terminal Profile value and an IMEI of the first terminal; judge whether the acquired first information is the same as second information stored by the smart card itself; the second information comprises a Terminal Profile value and an IMEI stored by the smart card; and perform an authentication locking operation on the first terminal or enable the first terminal to access a network according to the judgment result. Machine-card binding is realized by a dual judgment on the Terminal Profile value and the IMEI, and because the Terminal Profile value is not easy to modify, the threshold for defeating the machine-card binding function is greatly raised and security is improved.
In addition, when the scheme of the embodiment of the invention is implemented, the network and the terminal do not need to be modified, so the implementation is simple, the modification amount is small, and the operability is strong.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
At present, in the field of the Internet of Things, the existing scheme for binding a smart card to a terminal is the public telephone scheme of the current network: both the smart card and the terminal are customized and store symmetric keys, a customized flow verifies the machine-card key at power-on, and use is permitted only if the verification passes.
This solution has the following drawbacks: both the terminal and the smart card need to be customized. However, the field of the internet of things is wide, the equipment is various, and the updating is fast, so the difficulty of terminal customization is high.
Based on this, in various embodiments of the invention: the smart card acquires first information; the first information comprises a Terminal Profile value and an IMEI of the first terminal; the smart card judges whether the acquired first information is the same as second information stored by the smart card itself; the second information comprises a Terminal Profile value and an IMEI stored by the smart card; and the smart card performs an authentication locking operation on the first terminal or enables the first terminal to access a network according to the judgment result.
Example one
The embodiment of the invention provides a control method which is applied to a smart card. Specifically, the smart card is a smart card applied to the field of the Internet of Things, and may also be referred to as an Internet of Things card. The smart card is a Universal Integrated Circuit Card (UICC).
Fig. 1 is a flowchart illustrating a control method according to an embodiment of the invention. As shown in fig. 1, the method comprises the steps of:
step 101: acquiring first information;
here, the first information includes a Terminal Profile value and an IMEI of the first Terminal.
Specifically, receiving a Terminal Profile value sent by the first Terminal;
sending a command to the first terminal; the command is used for requesting the first terminal to send an IMEI;
and receiving the IMEI returned by the first terminal.
In practical application, after the first Terminal is started, a card-machine interaction process is performed with the smart card, after the start-up interaction process is completed, the first Terminal actively sends a Terminal Profile value to the smart card to trigger the smart card to start a machine-card binding judgment process, that is, an IMEI is requested from the first Terminal, and steps 102 to 103 are executed.
The physical meaning of the Terminal Profile value is as follows: the value indicates the functions supported by the terminal; it is usually the same for terminals of the same model, is a fixed value, and is generally not easily modified from outside. If the Terminal Profile value is found to be different, the terminal has been replaced.
Step 102: judging whether the acquired first information is the same as second information stored by the smart card itself;
here, the second information includes a Terminal Profile value and an IMEI stored in the smart card itself.
When making the judgment, the smart card compares the Terminal Profile value of the first terminal with the Terminal Profile value stored by the smart card to judge whether the two are the same. Similarly, the smart card compares the IMEI of the first terminal with the IMEI stored by the smart card to determine whether the two are the same.
When the Terminal Profile value of the first terminal is the same as the Terminal Profile value stored in the smart card, and the IMEI of the first terminal is the same as the IMEI stored in the smart card, the smart card considers that the first information is the same as the second information. If the Terminal Profile value of the first terminal is different from the Terminal Profile value stored in the smart card, or the IMEI of the first terminal is different from the IMEI stored in the smart card, the smart card considers that the first information is different from the second information.
Here, the reason why the Terminal Profile value is combined with the IMEI is as follows: a terminal can easily update its IMEI at the system layer, and if a lawbreaker updates the system layer by flashing the phone (re-installing the terminal's system) so that the IMEI returned to the smart card is consistent with the IMEI stored in the smart card, the smart card can be separated from the original phone. The Terminal Profile value sent by the terminal is private and can be modified only after obtaining certain permissions, and the modification permissions and methods differ between chip manufacturers, so modification is very difficult. This greatly raises the threshold for a lawbreaker to evade machine-card binding by modifying the IMEI through flashing.
In practical applications, before the step is performed, the method may further include:
the smart card judges whether it is bound to a terminal, and when it is bound, judges whether the acquired first information is the same as the second information stored in the smart card.
The smart card judges whether it is bound to a terminal by using the first identifier stored in the smart card.
Here, the first identifier characterizes whether binding has been initiated.
In particular, when the first identity characterizes binding has started, the smart card determines that it is bound to the terminal.
During actual application, the smart card is provided with a special file, and the special file contains a first identifier and second information (Terminal Profile value and IMEI), so that after the Terminal Profile value of the first Terminal is received later, whether the first Terminal is a Terminal bound with the smart card is judged by using the information in the special file.
When the first identifier represents that binding has not been started, the smart card determines that it is not bound to a terminal; in this case the smart card stores the first information, sets the first identifier to represent that binding has been started, and enables the first terminal to access the network.
Here, the stored first information is used to determine whether a terminal using the smart card is allowed to access a network. In other words, the first information is used for subsequently judging whether a terminal performing the startup interaction process with the smart card is the terminal bound to the smart card. When that terminal is not the bound terminal, the smart card performs an authentication locking operation on it, so that the terminal is prevented from accessing the network. When that terminal is the bound terminal (namely the first terminal), the smart card does not intervene, so that the terminal can access the network.
Step 103: and performing authentication locking operation on the first terminal or enabling the first terminal to access a network according to the judgment result.
Specifically, when the first information is different from the second information, the smart card performs an authentication locking operation on the first terminal (that is, it returns an authentication failure message to the first terminal to intervene in the first terminal's access to the network).
When the first information is the same as the second information, the smart card does not intervene and continues the subsequent process, so that the first terminal accesses the network normally.
The control method provided by the embodiment of the invention obtains first information; the first information comprises a Terminal Profile value and an IMEI of the first terminal; judges whether the acquired first information is the same as second information stored by the smart card itself; the second information comprises a Terminal Profile value and an IMEI stored by the smart card; and performs an authentication locking operation on the first terminal or enables the first terminal to access a network according to the judgment result. Machine-card binding is realized by a dual judgment on the Terminal Profile value and the IMEI, and because the Terminal Profile value is not easy to modify, the threshold for defeating the machine-card binding function is greatly raised and security is improved.
In addition, when the scheme of the embodiment of the invention is implemented, the network and the terminal do not need to be modified, so the implementation is simple, the modification amount is small, and the operability is strong.
Example two
On the basis of the first embodiment, this embodiment describes in detail how to implement the machine-card binding determination process.
Firstly, a dedicated file is set on the UICC, and the dedicated file includes a first identifier, an IMEI, and a Terminal Profile value sent when the Terminal is powered on.
Secondly, the application scenario of this embodiment is: the terminal A is a terminal bound with the UICC, and the terminal B is a non-bound terminal.
Thirdly, the UICC needs to be modified to implement the solution of the embodiment of the present invention. Specifically, the UICC is provided with a machine-card binding determination unit, which performs combination determination on the received content, and performs authentication locking operation (i.e., returns authentication failure) according to the determination result, so that the terminal cannot log in the network or normally logs in the network without any intervention.
Then, the process of binding the terminal a and the UICC, as shown in fig. 2, includes the following steps:
step 201: after the terminal A is started, a starting interactive flow is carried out with the UICC;
here, the process conforms to the flow specified by the international standard.
Step 202: after the interaction is completed, the Terminal A sends a Terminal Profile value to trigger the UICC to start a machine-card binding judgment process;
step 203: after receiving the Terminal Profile value, the UICC sends a proactive command to terminal A to request terminal A to send the IMEI;
step 204: after receiving the command, terminal A returns the IMEI to the UICC;
step 205: after receiving the IMEI, the UICC uses the first identifier to judge whether it is bound to a terminal; when it determines that it is not bound, it records the Terminal Profile value and the IMEI, sets the first identifier to represent that binding has been started, does not intervene, and continues the subsequent process, so that terminal A logs on to the network normally, that is, accesses the network successfully.
Here, it should be noted that: when the UICC is not bound to a terminal, the first identifier in the dedicated file of the UICC represents that binding has not been started, and no Terminal Profile value or IMEI is stored. After the UICC is bound to a terminal, the first identifier is set to represent that binding has been started, and the Terminal Profile value and the IMEI are stored.
Then, when terminal A is powered off and powered on again, the UICC needs to execute the machine-card binding determination process. As shown in fig. 3, the process between terminal A and the UICC includes the following steps:
step 301: after the terminal A is started, a starting interactive flow is carried out with the UICC;
step 302: after the interaction is completed, the Terminal A sends a Terminal Profile value to trigger the UICC to start a machine-card binding judgment process;
step 303: after receiving the Terminal Profile value, the UICC sends a proactive command to terminal A to request terminal A to send the IMEI;
step 304: after receiving the command, terminal A returns the IMEI to the UICC;
step 305: after receiving the IMEI, the UICC uses the first identifier to judge whether it is bound to a terminal; when it is bound, it judges whether the received Terminal Profile value and IMEI are the same as the recorded (stored) Terminal Profile value and IMEI; when they are the same, it does not intervene and continues the subsequent process, so that terminal A logs on to the network normally, that is, accesses the network successfully.
Here, because the UICC stored the Terminal Profile value and the IMEI at the initial binding and set the first identifier to represent that binding has been started, when terminal A triggers the process again the UICC determines from the first identifier that it is bound to a terminal, then judges whether the received Terminal Profile value and IMEI are the same as the stored Terminal Profile value and IMEI. On determining that they are the same, it does not intervene and continues the subsequent process, so that terminal A logs on to the network normally.
Then, after the terminal a is bound with the UICC, if the user wants to pull out the UICC from the terminal a and put the UICC into the terminal B for use, a process of binding the terminal B with the UICC also occurs.
As shown in fig. 4, the process of binding the terminal B and the UICC includes the following steps:
step 401: after the terminal B is started, carrying out a starting interactive flow with the UICC;
step 402: after the interaction is completed, the Terminal B sends a Terminal Profile value to trigger the UICC to start a machine-card binding judgment process;
step 403: after receiving the Terminal Profile value, the UICC sends a proactive command to terminal B to request terminal B to send the IMEI;
step 404: after receiving the command, terminal B returns the IMEI to the UICC;
step 405: after receiving the IMEI, the UICC uses the first identifier to judge whether it is bound to a terminal; when it is bound, it judges whether the received Terminal Profile value and IMEI are the same as the recorded (stored) Terminal Profile value and IMEI; when they are different, it performs an authentication locking operation on terminal B to intervene in terminal B's access to the network, so that terminal B cannot log on to the network normally and the UICC cannot be used.
Here, because the UICC stored the Terminal Profile value and the IMEI at the initial binding and set the first identifier to represent that binding has been started, when terminal B triggers the process the UICC determines from the first identifier that it is bound to a terminal, then judges whether the received Terminal Profile value and IMEI are the same as the stored Terminal Profile value and IMEI. On determining that they are not the same, it performs an authentication locking operation on terminal B (returns an authentication failure message to terminal B), so that terminal B cannot log on to the network normally.
In this process, because the IMEI and the Terminal Profile value are both judged, even if terminal B is flashed so that its IMEI is the same as the IMEI of terminal A, the Terminal Profile value of terminal B cannot be modified. Therefore, with the scheme of the embodiment of the invention, the threshold for defeating the machine-card binding function by flashing the terminal is greatly raised.
In other words, as shown in fig. 5, after the scheme of the embodiment of the present invention is adopted, a one-to-one machine-card binding relationship can be effectively realized.
It can be seen from the above description that, in the embodiment of the present invention, the terminal and the network side do not need to be modified, so that the implementation is simple, the modification amount is small, and the operability is strong.
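The card-side decision of steps 205, 305 and 405 can be modelled as follows. This is an added example, not code from the patent: the struct layout, function names, sample values, the length-aware Terminal Profile comparison, the rejection of malformed input and the per-power-on scope of the lock are all assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TP_MAX   64  /* assumed upper bound on Terminal Profile length */
#define IMEI_LEN 15  /* IMEI handled here as 15 ASCII digits */

/* Hypothetical layout of the card's dedicated file plus session state. */
typedef struct {
    bool    bound;               /* the "first identifier": binding started? */
    uint8_t tp[TP_MAX];          /* stored Terminal Profile value */
    size_t  tp_len;
    char    imei[IMEI_LEN + 1];  /* stored IMEI */
    bool    auth_locked;         /* assumed to last for the current power-on only */
} card_state;

typedef enum { BIND_AND_ALLOW, ALLOW, AUTH_LOCK, REJECT_INPUT } verdict;

/* Constructed sample values, not taken from any real device. */
static const uint8_t TP_A[] = { 0xFF, 0xFF, 0xFF, 0x7F, 0x11, 0x00 };
static const uint8_t TP_B[] = { 0xFF, 0xFF, 0xFF, 0x7F };  /* a prefix of TP_A */
static const char IMEI_A[] = "123456789012345";
static const char IMEI_B[] = "543210987654321";

static bool imei_well_formed(const char *imei)
{
    if (imei == NULL)
        return false;
    for (size_t i = 0; i < IMEI_LEN; i++)
        if (imei[i] < '0' || imei[i] > '9')
            return false;            /* also stops at an early terminator */
    return imei[IMEI_LEN] == '\0';
}

/* Dual judgment: both values must match. Lengths are compared first so a
 * shorter profile that is a prefix of the stored one does not pass. */
static bool same_terminal(const card_state *c, const uint8_t *tp,
                          size_t tp_len, const char *imei)
{
    bool tp_ok   = tp_len == c->tp_len && memcmp(tp, c->tp, tp_len) == 0;
    bool imei_ok = memcmp(imei, c->imei, IMEI_LEN) == 0;
    return tp_ok && imei_ok;
}

/* Runs once per power-on, after the terminal has sent its Terminal Profile
 * value and returned its IMEI. */
verdict card_power_on_check(card_state *c, const uint8_t *tp,
                            size_t tp_len, const char *imei)
{
    c->auth_locked = false;
    if (tp == NULL || tp_len == 0 || tp_len > TP_MAX || !imei_well_formed(imei)) {
        c->auth_locked = true;       /* fail closed, never bind to bad input */
        return REJECT_INPUT;
    }
    if (!c->bound) {                 /* step 205: first terminal seen */
        memcpy(c->tp, tp, tp_len);
        c->tp_len = tp_len;
        memcpy(c->imei, imei, IMEI_LEN + 1);
        c->bound = true;
        return BIND_AND_ALLOW;
    }
    if (same_terminal(c, tp, tp_len, imei))
        return ALLOW;                /* step 305: bound terminal, no intervention */
    c->auth_locked = true;           /* step 405: different terminal */
    return AUTH_LOCK;
}

/* Models the card's answer to authentication: failure while locked. */
bool card_authenticate(const card_state *c)
{
    return !c->auth_locked;
}

int main(void)
{
    card_state c = {0};
    printf("A first boot:        %d\n", card_power_on_check(&c, TP_A, sizeof TP_A, IMEI_A));
    printf("A reboot:            %d\n", card_power_on_check(&c, TP_A, sizeof TP_A, IMEI_A));
    printf("B with A's IMEI:     %d\n", card_power_on_check(&c, TP_B, sizeof TP_B, IMEI_A));
    printf("auth while locked:   %d\n", card_authenticate(&c));
    printf("A's profile, B IMEI: %d\n", card_power_on_check(&c, TP_A, sizeof TP_A, IMEI_B));
    return 0;
}
```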
Example three
To implement the method of the embodiment of the present invention, the embodiment provides a smart card. Specifically, the smart card is a smart card applied to the field of internet of things, and may also be referred to as an internet of things card. The smart card is a UICC. As shown in fig. 6, the smart card includes:
an acquisition unit 61 configured to acquire first information; the first information comprises a Terminal Profile value and an IMEI of the first terminal;
a judging unit 62 configured to judge whether the acquired first information is the same as the second information stored by the smart card itself; the second information comprises a Terminal Profile value and an IMEI stored by the smart card;
and an operation unit 63, configured to perform an authentication locking operation on the first terminal or enable the first terminal to access a network according to the determination result.
The obtaining unit 61 is specifically configured to:
receiving a Terminal Profile value sent by the first Terminal;
sending a command to the first terminal; the command is used for requesting the first terminal to send an IMEI;
and receiving the IMEI returned by the first terminal.
Here, in actual application, after the first Terminal is powered on, a card-machine interaction process is performed with the smart card, after the power-on interaction process is completed, the first Terminal actively sends a Terminal Profile value to the smart card to trigger the smart card to start a machine-card binding judgment process, that is, the obtaining unit 61 requests the first Terminal for an IMEI, and the judgment unit 62 and the operation unit 63 complete corresponding functions.
The physical meaning of the Terminal Profile value is as follows: the value indicates the functions supported by the terminal; it is usually the same for terminals of the same model, is a fixed value, and is generally not easily modified from outside. If the Terminal Profile value is found to be different, the terminal has been replaced.
When making the judgment, the judging unit 62 compares the Terminal Profile value of the first terminal with the Terminal Profile value stored by the smart card to judge whether the two are the same. Similarly, the judging unit 62 compares the IMEI of the first terminal with the IMEI stored by the smart card to determine whether the two are the same.
When the Terminal Profile value of the first terminal is the same as the Terminal Profile value stored in the smart card, and the IMEI of the first terminal is the same as the IMEI stored in the smart card, the judging unit 62 determines that the first information is the same as the second information. If the Terminal Profile value of the first terminal is different from the Terminal Profile value stored in the smart card, or the IMEI of the first terminal is different from the IMEI stored in the smart card, the judging unit 62 considers that the first information is different from the second information.
Here, the reason why the Terminal Profile value is combined with the IMEI is as follows: a terminal can easily update its IMEI at the system layer, and if a lawbreaker updates the system layer by flashing the phone (re-installing the terminal's system) so that the IMEI returned to the smart card is consistent with the IMEI stored in the smart card, the smart card can be separated from the original phone. The Terminal Profile value sent by the terminal is private and can be modified only after obtaining certain permissions, and the modification permissions and methods differ between chip manufacturers, so modification is very difficult. This greatly raises the threshold for a lawbreaker to evade machine-card binding by modifying the IMEI through flashing.
In practical application, the determining unit 62 is further configured to determine whether the smart card is bound to a terminal, and when the smart card is bound to the terminal, determine whether the obtained first information is the same as the second information stored in the smart card.
The judging unit 62 judges whether the smart card is bound to a terminal by using the first identifier stored in the smart card.
Here, the first identifier characterizes whether binding has been initiated.
In particular, the determining unit 62 determines that the smart card is bound to the terminal when the first identity characterizes binding has been initiated.
During actual application, the smart card is provided with a special file, and the special file contains a first identifier and second information (Terminal Profile value and IMEI), so that after the Terminal Profile value of the first Terminal is received later, whether the first Terminal is a Terminal bound with the smart card is judged by using the information in the special file.
When the first identifier represents that binding has not been started, the judging unit 62 determines that the smart card is not bound to a terminal; in this case the operation unit 63 stores the first information, sets the first identifier to represent that binding has been started, and enables the first terminal to access the network.
Here, the stored first information is used to determine whether a terminal using the smart card is allowed to access a network. In other words, the first information is used for subsequently judging whether the terminal performing the startup interaction process with the smart card is the terminal bound with the smart card, and when the terminal performing the startup interaction process with the smart card is not the terminal bound with the smart card, the terminal is authenticated and locked, so that the terminal is prevented from accessing the network. And when the terminal which performs the subsequent startup interaction process with the intelligent card is the terminal bound with the intelligent card (namely the first terminal), performing no intervention so as to enable the terminal to access the network.
When the first information is different from the second information, the operation unit 63 performs an authentication locking operation on the first terminal (that is, it returns an authentication failure message to the first terminal to intervene in the first terminal's access to the network).
When the first information is the same as the second information, the operation unit 63 continues the subsequent process without any intervention, so that the first terminal normally accesses the network.
In practical applications, the obtaining unit 61, the determining unit 62 and the operating unit 63 may be implemented by a microprocessor (MCU), a digital signal processor (DSP) or a field-programmable gate array (FPGA) in the smart card.
In the solution provided by the embodiment of the present invention, the obtaining unit 61 obtains the first information; the first information comprises a Terminal Profile value and an IMEI of the first terminal; the judging unit 62 judges whether the acquired first information is the same as the stored second information; the second information comprises a Terminal Profile value and an IMEI stored by the smart card; the operation unit 63 performs an authentication locking operation on the first terminal or enables the first terminal to access a network according to the judgment result. Machine-card binding is realized by a dual judgment on the Terminal Profile value and the IMEI, and because the Terminal Profile value is not easy to modify, the threshold for defeating the machine-card binding function is greatly raised and security is improved.
In addition, when the scheme of the embodiment of the invention is implemented, the network and the terminal do not need to be modified, so the implementation is simple, the modification amount is small, and the operability is strong.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.