
WO2019134493A1 - Subscriber identity module data writing method, device, platform, and storage medium - Google Patents


Info

Publication number: WO2019134493A1
Authority: WO (WIPO (PCT))
Prior art keywords: user identity, identity module, card, module, certificate
Application number: PCT/CN2018/121307
Other languages: French (fr), Chinese (zh)
Inventor: 乐祖晖
Original Assignee: 中国移动通信有限公司研究院, 中国移动通信集团有限公司
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团有限公司
Publication of WO2019134493A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
                        • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/06 Authentication
                • H04W8/00 Network data management
                    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
                        • H04W8/183 Processing at user equipment or user record carrier
                        • H04W8/20 Transfer of user or subscriber data
                            • H04W8/205 Transfer to or from user equipment or user record carrier

Definitions

  • The present application relates to the field of mobile communications, but is not limited to it, and in particular to a subscriber identity module (SIM) data writing method, a mobile device, a card writing platform, and a storage medium.
  • SIM: subscriber identity module.
  • User identity data can only be used for communication by a mobile device after it has been written to a user identity module.
  • In one case, all necessary user identity data is written to the user identity module before it enters the market, and the user can use it directly.
  • MNO: mobile network operator.
  • In another case, only part of the user identity data is written to the user identity module, and the card is then written for the user at a business hall or by interacting with the network side.
  • In that case the operator must deploy a dedicated channel to the user identity module, such as a BIP channel, or pre-set a card certificate in the user identity module, for example a CI certificate.
  • The embodiments of the present application are intended to provide a user identity module data writing method, an electronic device, a card writing platform, and a storage medium.
  • In a first aspect, an embodiment of the present application provides a user identity module data writing method applied to a card writing platform, including:
  • In a second aspect, an embodiment of the present application provides a user identity module data writing method applied to a mobile device, including:
  • writing the user identity module data into the second user identity module.
  • An embodiment of the present application provides a card writing platform, including:
  • a first receiving unit configured to receive a write card request sent by the mobile device, where the write card request carries at least the first card identifier of the first user identity module in the mobile device;
  • an acquiring unit configured to acquire, according to the first card identifier, the user identity information bound to the first user identity module;
  • a first sending unit configured to send user identity module data to a second user identity module in the mobile device;
  • an establishing unit configured to establish, according to the user identity module data, a binding relationship between the second user identity module and the user identity information.
  • An embodiment of the present application provides an electronic device, where the electronic device is a mobile device, including:
  • a reading unit configured to read at least the first card identifier from the first user identity module;
  • a second sending unit configured to send, to the card writing platform, a write card request that carries at least the first card identifier;
  • a second receiving unit configured to receive the user identity module data that the card writing platform acquired based on the write card request;
  • a writing unit configured to write the user identity module data into the second user identity module.
  • An embodiment of the present application provides an electronic device including a transceiver, a memory, a processor, and a computer program stored in the memory and executed by the processor;
  • the processor is coupled to the transceiver and to the memory, respectively, and implements the method provided by any one of the foregoing first or second aspects by executing the computer program.
  • An embodiment of the present application provides a computer storage medium that stores a computer program; when the computer program is executed, the method provided by any one of the foregoing first or second aspects can be implemented.
  • With the SIM data writing method, mobile device, card writing platform and storage medium provided by the embodiments of the present application, before user identity module data is written to the second user identity module, information such as the card identifier of a first user identity module that has already been bound to user identity information is acquired, so that the user identity information for the second user identity module can be obtained from the user identity information bound to the first user identity module.
  • The user identity information corresponding to the first user identity module in the database has already been verified for legality, for example at least once against the public security system.
  • Because the legality of the user is thereby ensured, the user identity information is authenticated user identity information and does not need to be verified again when it is bound to the second user identity module. Therefore, in the process of binding user identity information to the second user identity module, the user does not need to enter the user identity information manually and the mobile device does not need to submit it, the legality of the user identity information is still ensured, and unnecessary re-verification of the user identity information is avoided. This greatly simplifies the steps of acquiring and authenticating user identity information while delivering data to the second user identity module, and is simple and convenient.
  • FIG. 1 is a schematic structural diagram of a network system according to an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a certificate system according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a first method for writing a user identity module according to an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of a second method for writing a user identity module according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a card writing platform according to an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a mobile device according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
  • FIG. 8 is a schematic flowchart of a method for exchanging information in communication according to an embodiment of the present application.
  • FIG. 9 is a schematic flowchart of still another method for writing a user identity module according to an embodiment of the present application.
  • FIG. 10 is a schematic flowchart of still another method for writing a user identity module according to an embodiment of the present application.
  • This example provides a network system including a card writing platform located on the network side and a mobile terminal such as a mobile phone.
  • A write card application is provided in the mobile terminal; the write card application may be a mobile network operator application and may be used to provide various tasks for network operation.
  • The write card application may be a universal application available to different mobile network operators, or a dedicated application of a particular mobile network operator.
  • An access control execution module is disposed on the mobile terminal; the access control execution module may be a component of an Application Programming Interface (API).
  • API: application programming interface.
  • The access control execution module can access the user identity module.
  • A plurality of user identity (SIM) cards, such as user identity module 1 and user identity module 2, may be provided within a mobile terminal.
  • User identity module 1 and user identity module 2 here may each be an independent user identity module that can be separated from the mobile terminal, or a virtual user identity (eSIM) card integrated on a chip in the mobile device.
  • Figure 2 shows a certificate system for user identity modules.
  • A root certificate is set in the system.
  • The node holding the root certificate can issue an operator certificate to each mobile network operator, and the operator can in turn issue certificates to user identity modules.
  • Certificate issuance here can be understood as certificate assignment or configuration.
  • The mobile network operators include MNO1, MNO2, and so on. The holder of the root certificate therefore issues an MNO1 certificate and an MNO2 certificate to MNO1 and MNO2 respectively, and issues a card vendor certificate to the card vendor that produces the user identity modules.
  • A user identity module certificate issued by an MNO usually carries that operator's identity and is not compatible with other operators.
  • A user identity module certificate written into the user identity module by a general card vendor is a universal certificate and is compatible with different operators.
  • The user identity module certificate can be a sequence of M bits including a first part and a second part; the first part is a universal certificate sequence and the second part is a sequence representing an operator. If the second part of the user identity module certificate is blank or holds the default value, the user identity module certificate may be regarded as a universal user identity module certificate into which no operator has yet written its operator identifier.
  • This is only an example, and the specific implementation is not limited to any of the above.
  • User identity module 1 has downloaded a profile file from the operation platform of the MNO, that is, SIM card 1 has already been bound to the user's identity information in the subscription database of the MNO. When a profile file is to be written to user identity module 2, the MNO can exchange information with user identity module 1 to obtain the user's identity information, establish a binding relationship with user identity module 2 (SIM card 2) based on the acquired user identity information, and send the profile file to user identity module 2.
  • The profile file may include an integrated circuit card identity (ICCID) and an International Mobile Subscriber Identity (IMSI).
  • The ICCID may also be referred to as the user identity module identifier and may be used by the MNO to identify the user identity module.
  • The IMSI includes a network identifier, which may be the number of the mobile network and may be used to identify the mobile network to which the user identity module belongs, that is, the home MNO. In this way, the binding of user identity information for another user identity module and the issuance of its profile file are completed on the basis of the user identity information already bound to the first user identity module.
  • This embodiment provides a method for writing a user identity module, which is applied to a card writing platform and includes:
  • Step S110: receive a write card request sent by the mobile device, where the write card request carries at least the first card identifier of the first user identity module in the mobile device;
  • Step S120: acquire the user identity information bound to the first user identity module according to the first card identifier;
  • Step S130: send user identity module data to the second user identity module in the mobile device;
  • Step S140: establish a binding relationship between the second user identity module and the user identity information according to the user identity module data.
  • The user identity module data may be data for any of various kinds of user identity module.
  • The user identity module data can be written to a Subscriber Identity Module (SIM), a Universal Subscriber Identity Module (USIM), a nano user identity module, or a micro SIM card.
  • SIM: Subscriber Identity Module.
  • USIM: Universal Subscriber Identity Module.
  • The micro SIM card is smaller in area than the user identity module in common use and is an upgraded version of the SIM.
  • The nano user identity module is also referred to as a fourth form factor integrated circuit card and is a new generation of SIM.
  • The micro SIM card, also known as the micro user identity module, is another upgrade of the SIM and is smaller than the ordinary user identity module.
  • The method for writing the user identity module provided by this embodiment may be applied to a card writing platform, and the card writing platform may be the card writing platform of any of various MNOs.
  • The user identity module data may include at least an ICCID, an IMSI and the like, and may be the aforementioned profile file.
  • The profile file carries data such as system files that need to be written to the user identity module.
  • The mobile device sends a write card request to the card writing platform based on the first user identity module, that is, a request to obtain user identity module data.
  • The write card request carries at least the card identifier of the first user identity module that has already established a binding relationship with the user in the mobile terminal, that is, the first card identifier.
  • The card writing platform may obtain the identity information of the user, that is, the user identity information, for example the user's ID card, according to the first card identifier of the first user identity module.
  • This is equivalent to completing the identity authentication of the user, and the user does not need to enter the user identity information manually, nor does the mobile device need to send it to the card writing platform. Once the user identity information is obtained, the user to whom the second user identity module will be bound is authenticated, the identity authentication of that user is implemented, and user identity module data can be sent to the second user identity module. A binding relationship between the second user identity module and the user identity information is then established based on the user identity module data sent to the second user identity module and the user identity information that was read.
  • Binding user identity information to the second user identity module can thus be completed while the user identity module data for the second user identity module is delivered, and this simple binding is easy to implement.
  • The first user identity module and the second user identity module may be separate user identity modules that can be detached from the mobile device, or may be integrated on a chip of the mobile device, such as a typical virtual user identity (eSIM) card.
  • Step S130 and step S140 do not have a fixed order: step S130 may be performed before step S140, or step S140 before step S130.
  • Step S130 may be performed first, and step S140 performed only after receiving a notification of successful writing returned by the communication device or by the second user identity module. This avoids establishing an invalid binding relationship when the user identity module data is not transmitted successfully, or is transmitted to the communication device but not written successfully to the second user identity module.
  • the first user identification module certificate of the first user identity module is carried in the write card request
  • the method further includes: verifying the legality of the first user identity module according to the first user identity module certificate; the step S120 may include: if the first user identity module passes the law And verifying, according to the first card identifier, user identity information bound to the first user identity module.
  • the card writing platform in order to ensure the reliability of the identity information binding of the second user identity module and the legitimacy of the first user identity module, the card writing platform also needs to verify the legitimacy of the first user identity module.
  • the user identification module certificate of the first user identity module is carried in the card requesting request, and the user identity module certificate may be issued by a card writing platform or other platform, and the card writing platform may pass through a local database. Matching the user identity module certificate, or interacting with the information of the device issuing the user identity module certificate, verifying the legitimacy of the first user identity module, thereby ensuring that the first user identity module is a card vendor
  • the user identification module of the method rather than a pseudo-user identification module forged by the mobile device through information; thereby ensuring the reliability and security delivered by the user identity module.
  • the method further includes: transmitting a platform certificate of the card writing platform to the first user identity module;
  • the step S130 may include: after receiving the verification information that indicates that the platform certificate is verified, sending the user identity module to the second user identity module.
  • the mobile terminal Before the user identity module is written to the second user identity module, the mobile terminal also needs to verify the legality of the card writing platform. Therefore, in the embodiment, the card writing platform also sends its own platform certificate to the mobile terminal certificate.
  • the first user identification module the first user identification module verifies the platform certificate, and if verified, the writing card platform is considered to be legal, and the user identification module received from the writing card platform can be safely written into the second user identification. Module.
  • the method further includes:
  • the step S140 may include:
  • the user identity module is sent to the second user identity module.
  • the operation of verifying the legitimacy of the second user identity module is further included in the embodiment of the present application, and the second user identity recognition module is prevented from being falsified, which causes the user identity module to leak.
  • the user identification module certificate is pre-configured in the second user identity module certificate, so the card writing platform also receives the second user identity module certificate, and the legality verification method of the second user identity module certificate can be
  • the authentication method of a user identity module certificate is the same, and is not repeated here. Only after the validity of the second user identity module certificate is verified, the user identity module is sent to the second user identity module for The mobile terminal writes to the second user identity module.
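The platform side of steps S110 to S140 with the checks described above, as an added example that is not from the patent or its applicants: both module certificates are verified before the identity lookup, and the binding is established only once the mobile side reports a successful write. The card vendor certificate is modelled as an Ed25519 signature over the card identifier and card public key, and the ICCIDs, IMSI values and identity record are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// CardCert is a constructed stand-in for a user identity module certificate:
// the card vendor signs the card identifier together with the card's public key.
type CardCert struct {
	ICCID string
	Pub   ed25519.PublicKey
	Sig   []byte // vendor signature over ICCID || Pub
}

// WriteCardRequest is what the mobile device sends in S110: the first card
// identifier (inside the first card's certificate) plus the second card's certificate.
type WriteCardRequest struct{ FirstCert, SecondCert CardCert }

type Profile struct{ ICCID, IMSI string } // user identity module data sent in S130

// Platform keeps the trusted vendor key, the bindings already verified against
// user identity information, and profiles awaiting a write-success notification.
type Platform struct {
	vendorPub ed25519.PublicKey
	bindings  map[string]string // ICCID -> verified user identity record
	pending   map[string]string // second ICCID -> identity to bind once written
}

func certBytes(c CardCert) []byte { return append([]byte(c.ICCID), c.Pub...) }

// verifyCard rejects any certificate not issued by the trusted card vendor, which
// is what keeps a forged module from obtaining identity-bound data.
func (p *Platform) verifyCard(c CardCert) error {
	if !ed25519.Verify(p.vendorPub, certBytes(c), c.Sig) {
		return fmt.Errorf("card %s: certificate not issued by the trusted vendor", c.ICCID)
	}
	return nil
}

// HandleWriteCard performs S110 to S130: verify both modules, look up the identity
// bound to the first card, issue the profile; the binding (S140) is deferred.
func (p *Platform) HandleWriteCard(req WriteCardRequest) (Profile, error) {
	for _, c := range []CardCert{req.FirstCert, req.SecondCert} {
		if err := p.verifyCard(c); err != nil {
			return Profile{}, err
		}
	}
	identity, ok := p.bindings[req.FirstCert.ICCID]
	if !ok {
		return Profile{}, fmt.Errorf("card %s is not bound to a verified identity", req.FirstCert.ICCID)
	}
	prof := Profile{ICCID: req.SecondCert.ICCID, IMSI: "IMSI-PLACEHOLDER-" + req.SecondCert.ICCID}
	p.pending[prof.ICCID] = identity // remembered, not yet bound
	return prof, nil
}

// ConfirmWrite is S140: the binding is established only on a success
// notification; a failed write leaves no binding behind.
func (p *Platform) ConfirmWrite(iccid string, success bool) (bool, error) {
	identity, ok := p.pending[iccid]
	if !ok {
		return false, fmt.Errorf("no pending write for %s", iccid)
	}
	delete(p.pending, iccid)
	if !success {
		return false, nil
	}
	p.bindings[iccid] = identity
	return true, nil
}

// Scenario drives the platform with constructed keys and cards and reports whether a
// forged second card is refused and whether a binding exists before confirmation,
// after a success notification, and after a failure notification.
func Scenario() (forgedRejected, boundBeforeConfirm, boundAfterConfirm, boundAfterFailure bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // not the vendor
	issue := func(iccid string, signer ed25519.PrivateKey) CardCert {
		pub, _, _ := ed25519.GenerateKey(rand.Reader)
		c := CardCert{ICCID: iccid, Pub: pub}
		c.Sig = ed25519.Sign(signer, certBytes(c))
		return c
	}
	first, second, third := issue("ICCID-0001", vendorPriv), issue("ICCID-0002", vendorPriv), issue("ICCID-0003", vendorPriv)
	forged := issue("ICCID-0004", roguePriv)
	p := &Platform{vendorPub: vendorPub, pending: map[string]string{},
		bindings: map[string]string{first.ICCID: "verified-identity-record-0001"}} // constructed
	_, err := p.HandleWriteCard(WriteCardRequest{FirstCert: first, SecondCert: forged})
	forgedRejected = err != nil
	prof, _ := p.HandleWriteCard(WriteCardRequest{FirstCert: first, SecondCert: second})
	_, boundBeforeConfirm = p.bindings[prof.ICCID]
	boundAfterConfirm, _ = p.ConfirmWrite(prof.ICCID, true)
	prof2, _ := p.HandleWriteCard(WriteCardRequest{FirstCert: first, SecondCert: third})
	p.ConfirmWrite(prof2.ICCID, false) // mobile side reports the write failed
	_, boundAfterFailure = p.bindings[prof2.ICCID]
	return
}
```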
  • The method further includes:
  • step S140 may specifically include:
  • after receiving verification information indicating that the platform certificate has been verified and that the second user identity module is legitimate, sending the user identity module data to the second user identity module.
  • Before the second user identity module writes the user identity module data sent by the card writing platform into itself, it also verifies the legality of the card writing platform again, thereby ensuring that the written user identity module data is authentic and reliable, and avoiding the problem that the second user identity module can no longer be written after dirty data or illegitimate user identity module data has been written into it.
  • The first user identity module and the second user identity module are both installed in the same mobile device. After the first user identity module has verified the legality of the card writing platform, the second user identity module may omit this step, but to ensure high reliability and security the second user identity module may verify the legality of the card writing platform again.
  • The legality verification of the card writing platform may include the mobile terminal exchanging information with a network device, for example with the node holding the root certificate, to verify the legitimacy of the platform certificate.
  • Verification of the platform certificate of the card writing platform may also be implemented by verification of a random number.
  • The user identity module generates a random number, which may be referred to as the first random number to distinguish it, encrypts it with the card private key and sends it to the card writing platform. After the card writing platform decrypts the first random number with the card public key, it generates another random number, which may be referred to as the second random number.
  • The card writing platform encrypts its own platform certificate, the first random number and the second random number with the platform private key and sends the result to the user identity module. On receipt, the user identity module decrypts it with the platform public key; if decryption succeeds, it extracts the two random numbers, and if one of them completely matches the first random number that the user identity module generated itself, the platform certificate of the card writing platform is considered to have passed legality verification.
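The random-number verification just described, as an added example that is not from the patent or its applicants: the "encrypt with the private key / decrypt with the public key" steps are implemented as Ed25519 signatures and verifications, which is the effect the text relies on; the key pairs stand in for the card and platform certificates, and the certificate bytes and the 16-byte nonce length are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Card models the user identity module that challenges the platform; its private
// key stands in for the card certificate's key (constructed, not a real card key).
type Card struct {
	priv  ed25519.PrivateKey
	nonce []byte // first random number, kept until the platform's answer is checked
}

// Platform models the card writing platform with its platform key and certificate.
type Platform struct {
	priv ed25519.PrivateKey
	cert []byte // constructed placeholder for the platform certificate
}

// Challenge carries the first random number and the card's signature over it
// (the patent's "encrypt with the card private key").
type Challenge struct{ Nonce, Sig []byte }

// Response carries the platform certificate, both random numbers and the platform's
// signature over all three (the patent's "encrypt with the platform private key").
type Response struct{ Cert, R1, R2, Sig []byte }

// fields length-prefixes each part so cert, r1 and r2 cannot be re-split
// ambiguously; every part in this example is shorter than 256 bytes.
func fields(parts ...[]byte) []byte {
	var b bytes.Buffer
	for _, p := range parts {
		b.WriteByte(byte(len(p)))
		b.Write(p)
	}
	return b.Bytes()
}

// MakeChallenge draws a fresh first random number and signs it. The previous nonce
// is discarded, so a response to an earlier challenge can no longer be accepted.
func (c *Card) MakeChallenge() Challenge {
	c.nonce = make([]byte, 16)
	rand.Read(c.nonce)
	return Challenge{Nonce: c.nonce, Sig: ed25519.Sign(c.priv, c.nonce)}
}

// Answer verifies the card's signature with the card public key, draws the second
// random number and signs (cert || r1 || r2) with the platform private key.
func (p *Platform) Answer(cardPub ed25519.PublicKey, ch Challenge) (Response, error) {
	if !ed25519.Verify(cardPub, ch.Nonce, ch.Sig) {
		return Response{}, errors.New("card signature invalid")
	}
	r2 := make([]byte, 16)
	rand.Read(r2)
	sig := ed25519.Sign(p.priv, fields(p.cert, ch.Nonce, r2))
	return Response{Cert: p.cert, R1: ch.Nonce, R2: r2, Sig: sig}, nil
}

// VerifyPlatform checks the platform signature with the platform public key and
// then requires one of the returned random numbers to equal the nonce this card
// generated, so a response captured earlier cannot be replayed in a later run.
func (c *Card) VerifyPlatform(platPub ed25519.PublicKey, r Response) error {
	if !ed25519.Verify(platPub, fields(r.Cert, r.R1, r.R2), r.Sig) {
		return errors.New("platform signature invalid")
	}
	if !bytes.Equal(r.R1, c.nonce) && !bytes.Equal(r.R2, c.nonce) {
		return errors.New("random number mismatch: response not bound to this challenge")
	}
	return nil
}

// Exchange runs the protocol with constructed keys and reports whether the card
// accepts the genuine platform, rejects a replay of that response after issuing a
// new challenge, and rejects an answer from a platform holding a different key.
func Exchange() (freshOK, replayRejected, wrongKeyRejected bool, err error) {
	cardPub, cardPriv, _ := ed25519.GenerateKey(rand.Reader)
	platPub, platPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	card := &Card{priv: cardPriv}
	plat := &Platform{priv: platPriv, cert: []byte("PLATFORM-CERT-PLACEHOLDER")}
	rogue := &Platform{priv: roguePriv, cert: []byte("PLATFORM-CERT-PLACEHOLDER")}

	resp, err := plat.Answer(cardPub, card.MakeChallenge())
	if err != nil {
		return
	}
	freshOK = card.VerifyPlatform(platPub, resp) == nil
	card.MakeChallenge() // a new run starts: the old response is now stale
	replayRejected = card.VerifyPlatform(platPub, resp) != nil
	rogueResp, _ := rogue.Answer(cardPub, card.MakeChallenge())
	wrongKeyRejected = card.VerifyPlatform(platPub, rogueResp) != nil
	return
}
```

The card accepts a match of its nonce in either returned position, exactly as the text states; a deployment would also need the card to know the genuine platform public key in advance, which the example passes in directly.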
  • The second user identity module certificate is a universal card certificate that is not bound to any mobile network operator.
  • The second user identity module certificate is a universal card certificate, that is, a card certificate that can be recognized by various MNOs.
  • The universal card certificate can also be transformed by the corresponding MNO platform, through information rewriting, into that MNO's own user identity module certificate; in this case the modified user identity module certificate is a user identity module certificate that cannot be recognized by other MNO platforms. A user identity module holding a universal card certificate can therefore be issued user identity module data by any MNO, breaking the limitation that only a specific MNO can write to the user identity module, so that the user can choose the MNO that writes the user identity module data to the second user identity module.
  • this embodiment provides a method for writing a user identity module, which is applied to a mobile device, and includes:
  • Step S210 Read at least the first card identifier from the first user identity module
  • Step S220 Send a write card request carrying at least the first card identifier to the card writing platform;
  • Step S230 Receive a user identity identification module that is sent by the card writing platform based on the first card identifier.
  • Step S240 Write the user identity module data into the second user identity module.
  • This embodiment provides a method for writing a user identity module applied to a mobile device.
  • a write card application may be installed in the mobile device, and the write card application may be a universal write card application, and the universal write card application may be connected to a plurality of MNO operation platforms.
  • the universal write card application writes its own application identifier into the operation platform of different MNOs, and obtains the approval of the operation platforms of different MNOs, so that information interaction can be performed with different MNO operation platforms.
  • the universal write card application has a dedicated write card platform disposed on the network side, and the write card platform can perform data interaction with the operation platform of different MNOs according to the foregoing write card rules, thereby assisting the universal write card.
  • the application identifies a user identity module that writes different MNOs to the second user identity module.
  • the write card application may be a write card application dedicated to a certain MNO issued by different MNOs, and may perform data interaction with a corresponding MNO write card platform to identify the second user.
  • the user identification module is written in the module.
  • the write card application has realized the communication address of the corresponding write card platform, and can directly perform data interaction with the write card platform based on the communication address of the write card platform.
  • the communication address may be a network protocol (IP) address of the write card platform or a domain name, a tunnel identifier, or the like that can be located to the address of the write card platform.
  • IP network protocol
  • the tunnel identifier is identifier information of a tunnel for data transmission between the card writing platform and the write card application.
  • the card application may read the card identifier of the first user identity module from the first user identity module, and the card identifier may be referred to as a first card identifier, which may be the foregoing user.
  • Information such as the ICCID of the identity module.
  • the write card request is a request to write user identity module data into the second user identity module.
  • when the application interface of the write card application detects a write card instruction entered by the user, and the first user identity module is installed in the current communication device, the instruction indicates that user identity module data is to be written into the second user identity module, and the write card application automatically reads the first card identifier from the first user identity module.
  • the write card request further includes a write card request field that informs the write card platform that the request is for obtaining user identity module data.
  • the card writing platform may obtain the user's identity information from the first card identifier of the first user identity module, determine the user identity module data to be sent to the second user identity module, send it, and, based on the sent user identity module data and the user identity information, establish the binding relationship between the user identity information and the second user identity module.
  • an access control execution module is further disposed in the mobile device; it may be one of the components of the API and controls access by the various applications to the user identity module, so as to protect the user identity module.
  • the access control execution module verifies the legitimacy of the write card application.
  • verifying legitimacy may include checking whether the write card application has the right to access the user identity module.
  • the write card application submits its application information to the access control execution module, which matches the submitted application information against the application information that is allowed to access the user identity module; if the match succeeds, the write card application is considered a legitimate application that is allowed to access the user identity module.
  • alternatively, after receiving the application information of the write card application, the access control execution module forwards it to the user identity module; the user identity module matches it against the list of allowed application information stored inside the module and notifies the access control execution module of the matching result.
  • based on that result, the access control execution module either denies or allows the write card application's access to the user identity module.
  • the application information herein may include: an application identifier (AID) and/or an application certificate.
  • the application certificate here may be a certificate issued by a certificate system that has determined, through its verification procedures, that the application is a legitimate application.
  • the certificate may include information such as a certificate serial number.
  • step S210 may include: after the write card application passes the legitimacy verification of the access control execution module, the access control execution module reads at least the first card identifier from the first user identity module.
  • all data interaction between the write card application and the user identity module thus passes through the access control execution module, which ensures the security of the user identity module.
  • the user identity module data sent by the card writing platform to the second user identity module may carry application information, such as the application certificate and/or the application identifier, so that the second user identity module, with the assistance of the access control execution module, can later determine whether an application requesting access has the right to access it, ensuring the security of the data on the user identity module and of its use.
  • the embodiment of the present application provides a card writing platform, including:
  • a first receiving unit 110, configured to receive a write card request sent by the mobile device, where the write card request carries at least the first card identifier of the first user identity module in the mobile device;
  • an obtaining unit 120, configured to acquire user identity information bound to the first user identity module according to the first card identifier;
  • a first sending unit 130, configured to send user identity module data to the second user identity module in the mobile device;
  • an establishing unit 140, configured to establish, according to the user identity module data, a binding relationship between the second user identity module and the user identity information.
  • the write card platform can include one or more write card servers.
  • the first receiving unit 110 and the first sending unit 130 of the card writing platform may correspond to a transceiver used for information exchange with the mobile device.
  • the obtaining unit 120 may correspond to a processor that queries the user identity information on a local storage medium; in some cases it may instead correspond to a communication interface that queries the user identity information bound to the first card identifier from other devices.
  • the establishing unit 140 may include a processor, which stores the user identity module data sent to the second user identity module together with the user identity information in a local database of the card writing platform or in a dedicated database connected to it; storing the two in correspondence constitutes the binding relationship between the second user identity module and the user identity information.
  • the write card request may also carry a first user identity module certificate of the first user identity module.
  • the card writing platform then further includes:
  • a first verification unit, which may correspond to the processor and is configured to verify the legitimacy of the first user identity module according to the first user identity module certificate;
  • the obtaining unit 120 may be configured to acquire the user identity information bound to the first user identity module according to the first card identifier only if the first user identity module passes the legitimacy verification.
  • the first sending unit 130 is further configured to send the platform certificate of the card writing platform to the first user identity module; the first receiving unit 110 is further configured to receive verification information returned by the first user identity module indicating the result of its verification of the platform certificate; the user identity module data is sent to the second user identity module only after verification information indicating that the platform certificate passed verification has been received.
  • the first receiving unit 110 is further configured to receive a second user identity module certificate of the second user identity module; the first verification unit is further configured to verify the legitimacy of the second user identity module according to that certificate; the first sending unit 130 is further configured to send the user identity module data to the second user identity module only if the second user identity module is legitimate.
  • the first sending unit 130 is further configured to send the platform certificate of the card writing platform to the second user identity module; the first receiving unit 110 is further configured to receive verification information returned by the second user identity module indicating the result of its verification of the platform certificate; the user identity module data is sent to the second user identity module only after verification information indicating that the platform certificate passed verification has been received and the second user identity module has been found legitimate.
  • the second user identity module certificate is a universal card certificate that is not bound to any mobile network operator.
  • the embodiment provides a mobile device, including:
  • a reading unit 210, configured to read at least the first card identifier from the first user identity module;
  • a second sending unit 220, configured to send, to the card writing platform, a write card request that carries at least the first card identifier;
  • a second receiving unit 230, configured to receive the user identity module data acquired by the write card application based on the write card request;
  • a writing unit 240, configured to write the user identity module data into the second user identity module.
  • the reading unit 210 may correspond to a processor, processing circuit, or processing chip capable of executing code or a program, and may read the card identifier of the first user identity module from the first user identity module, i.e., the first card identifier.
  • the second sending unit 220 and the second receiving unit 230 may correspond to a communication interface of the communication device and are used for information exchange with the card writing platform, thereby helping the card writing platform acquire the user identity information and write the user identity module data into the second user identity module.
  • an access control execution module is further disposed in the mobile device;
  • the reading unit 210 may be configured to read at least the first card identifier from the first user identity module through the access control execution module, after the write card application has passed the legitimacy verification of the access control execution module.
  • an embodiment of the present application provides an electronic device, including: a transceiver 310, a memory 320, a processor 330, and a computer program stored in the memory 320 and executed by the processor 330;
  • the processor 330 is connected to the transceiver 310 and the memory 320 respectively, for example through an inter-integrated circuit (I2C) bus.
  • the processor 330 executes the computer program to carry out the method provided by one or more of the foregoing technical solutions, for example the user identity module data writing method applied to the card writing platform and/or the mobile device.
  • the transceiver 310 can be any type of interface usable for communication, such as a cable interface or a fiber optic cable interface.
  • the transceiver 310 provides an interface for information exchange between the processor and other devices.
  • communication interfaces can be divided into serial interfaces and parallel interfaces; commonly used standard communication interfaces include RS-232, RS-485, RS-422, and the like.
  • the memory 320 includes a storage medium in the communication device and may be a random access memory, a read-only memory, a hard disk, or the like.
  • the memory may be volatile memory or non-volatile memory, and may include both volatile and non-volatile memory.
  • the non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), or a magnetic surface memory, which may be a disk storage or a tape storage.
  • the volatile memory may be a random access memory (RAM) serving as an external cache, for example a static random access memory (SRAM), a synchronous static random access memory (SSRAM), or a dynamic random access memory (DRAM).
  • the memory 320 described in this embodiment of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
  • the processor 330 can be any of various types of processors: a central processing unit, a microprocessor, an application processor, a programmable array, or an application specific integrated circuit.
  • the processor 330 can be an integrated circuit chip with signal processing capabilities.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software.
  • the above processor may be a general purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application.
  • a general purpose processor may be a microprocessor or any conventional processor.
  • the steps of the method disclosed in the embodiments of the present application may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium that is located in the memory; the processor reads the information in the memory and completes the steps of the foregoing methods in combination with its hardware.
  • the electronic device may be the aforementioned mobile device, such as a communication terminal (a mobile phone, a tablet computer, a wearable device, an in-vehicle device, or an Internet of Things terminal), or a write card server of the write card platform.
  • the embodiment of the present application provides a computer storage medium storing a computer program; after the computer program is executed by the processor, the user identity module data writing method provided by one or more of the technical solutions applied to the card writing platform and/or the mobile device can be executed.
  • the computer storage medium may be a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
  • the computer storage medium is preferably a non-transitory storage medium, or a non-volatile storage medium.
  • the certificate system is shown in Figure 2.
  • the holder node of the root certificate issues an MNO certificate to each operator, and each operator in turn issues SIM card certificates, a platform certificate, and application certificates (for application signing).
  • TLS: Transport Layer Security protocol.
  • the hash value of the operator's application certificate is preset in SIM card 1.
  • the access control execution module loads this hash value from SIM card 1 and checks whether the hash value of the operator application's certificate matches the hash value read from the card; if the two hash values are equal, the operator application is granted access to SIM card 1, otherwise access is denied;
  • SIM card 1 and the card writing platform authenticate each other using the SIM card certificate and the platform certificate, which establishes the legitimacy of both the card writing platform and SIM card 1; the user identity information can then be acquired, and the acquired identity information does not need to be verified again with a third-party system, which avoids unnecessary verification.
  • SIM card 2 has the root certificate and its SIM card certificate preset, performs mutual authentication with the card writing platform of operator 1, and negotiates a key with it to complete the profile download.
  • this example provides an information interaction method applied to a mobile device, which may include:
  • Step 1 The access control execution module requests the access control rule of SIM card 1;
  • Step 2 SIM card 1 returns the access control rule to the access control execution module; the rule is used by the access control execution module to control access to the SIM card by the various applications.
  • Step 3 The MNO1 application (installed on the mobile device as one of the write card applications) requests the SIM card 1 information; the access control execution module receives this access request from the MNO1 application.
  • Step 4 The access control execution module verifies the legitimacy of the MNO1 application according to the access control rule.
  • verifying legitimacy mainly means checking whether the MNO1 application has the right to access SIM card 1, that is, whether the MNO1 application is allowed to access SIM card 1.
  • Step 5 If the MNO1 application is legitimate, the access control execution module acquires the SIM card 1 information from SIM card 1; this information may include the card identifier of SIM card 1, the SIM card certificate, and the like. This is equivalent to forwarding the request for the SIM card 1 information to SIM card 1;
  • Step 6 SIM card 1 returns the SIM card 1 information to the access control execution module.
  • Step 7 The access control execution module returns the SIM card 1 information to the MNO1 application.
  • in other words: in steps 1 and 2 the access control execution module loads the access control rule (the hash value of the application certificate) from SIM card 1, and SIM card 1 returns it; in step 3 the MNO1 application wishes to acquire the card information of SIM card 1 (or sends an acquisition request to SIM card 1); in step 4 the access control execution module checks whether the MNO1 application has permission to access SIM card 1, that is, whether the hash value of the MNO1 certificate matches the hash value stored in SIM card 1.
  • if the MNO1 application does not have access to SIM card 1, an error message is returned and the process ends. If it does, the request (or command) for acquiring the SIM card 1 information is sent to SIM card 1, SIM card 1 returns the card information, and the MNO1 application receives it.
  • the method provided in this example can be used for data interaction between the write card application and both the first and the second SIM card, and implements access control of the SIM card with respect to applications such as the write card application.
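The access control flow of steps 1 to 7, as an added Go example written for this page and not taken from the patent application: the SIM hands the access control execution module a list of allowed application certificate hashes, and the module hashes the certificate the write card application presents and admits the application only on an exact match. SHA-256 as the hash, the rule layout, every type and function name, the AID value and the certificate bytes are assumptions or constructed inputs; the page names no algorithm. The comparison is constant-time, and the module denies by default, so a module that never loaded a rule admits nobody.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// AccessRule is what the SIM hands to the access control execution module: the SHA-256 hashes
// of the application certificates that the operator preset as allowed to access the card.
type AccessRule struct {
	AllowedCertHashes [][32]byte
}

// SIMCard models the card: the preset rule, and the card information (ICCID and card
// certificate) that only an authorised application may read through the module.
type SIMCard struct {
	Rule  AccessRule
	ICCID string
	Cert  []byte // card certificate bytes; opaque in this example
}

// AppInfo is what a write card application submits: its AID and its application certificate.
type AppInfo struct {
	AID  string
	Cert []byte
}

var ErrAccessDenied = errors.New("access control: application certificate not in the card's allow list")

// AccessControlExecutor is the access control execution module in the mobile device.
type AccessControlExecutor struct {
	rule AccessRule
}

// LoadRule is steps 1 and 2: fetch the access control rule from the card.
func (a *AccessControlExecutor) LoadRule(card *SIMCard) { a.rule = card.Rule }

// Authorized is step 4: hash the presented certificate and compare it with every allowed hash in
// constant time. Deny by default, so a module that never loaded a rule admits nobody.
func (a *AccessControlExecutor) Authorized(app AppInfo) bool {
	h := sha256.Sum256(app.Cert)
	match := 0
	for _, allowed := range a.rule.AllowedCertHashes {
		match |= subtle.ConstantTimeCompare(h[:], allowed[:])
	}
	return match == 1
}

// ReadCardInfo is steps 3 and 5 to 7: the application asks for card information; the module
// forwards the request to the card only after the application passed verification, then relays
// the card identifier and card certificate back to the application.
func (a *AccessControlExecutor) ReadCardInfo(app AppInfo, card *SIMCard) (string, []byte, error) {
	if !a.Authorized(app) {
		return "", nil, ErrAccessDenied
	}
	return card.ICCID, card.Cert, nil
}

// NewCard builds a constructed SIM card 1 whose rule allows exactly the given application certificates.
func NewCard(iccid string, allowedCerts ...[]byte) *SIMCard {
	card := &SIMCard{ICCID: iccid, Cert: []byte("constructed card certificate")}
	for _, c := range allowedCerts {
		card.Rule.AllowedCertHashes = append(card.Rule.AllowedCertHashes, sha256.Sum256(c))
	}
	return card
}
```

Three cases are worth checking against this module: the MNO1 application whose certificate hash is preset in the card is admitted, an application presenting any other certificate is refused with ErrAccessDenied before the card sees the request, and a module that never loaded a rule refuses everything.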
  • this example provides a method for verifying the two-way legitimacy between a card writing platform and a SIM card, which may include:
  • Step 11 The MNO1 application requests the SIM card 1 information, including card information such as the SIM card certificate and the card identifier (note: to enhance security, the user may be required to enter a service password to prove that the user is the legitimate holder of SIM card 1).
  • for example, the MNO1 application presents an input box for the service password in its interface; after detecting the service password entered by the user, the MNO1 application carries it in its request for access to the SIM card so that the access control execution module can take it into account in its access control decision.
  • Step 12 SIM card 1 returns SIM card information such as the SIM card certificate, the card identifier, and a random number RAND1;
  • Step 13 The MNO1 application submits the returned SIM card information to the card writing platform;
  • Step 14 The card writing platform verifies the legitimacy of the card certificate of SIM card 1 and, if it is legitimate, generates RAND2;
  • the card writing platform returns the platform certificate, RAND1, RAND2, and signature 2 (computed over the above information with the platform private key);
  • Step 15 The MNO1 application forwards the above information to SIM card 1;
  • Step 16 SIM card 1 verifies the validity of the platform certificate; if it is valid, verifies signature 2 with the platform public key; and checks that the returned RAND1 is the RAND1 the card generated earlier. If all of these checks pass, the card generates signature 1 by signing the RAND1 and RAND2 information with its own key pair;
  • Step 17 SIM card 1 returns signature 1 to the MNO1 application;
  • Step 18 The MNO1 application forwards signature 1 to the card writing platform;
  • Step 19 The card writing platform verifies signature 1. If the verification passes, SIM card 1 is a legitimate SIM card issued by operator 1.
  • verifying signature 1 may include recovering the random numbers from the signature with the SIM card public key; if the recovered data includes the RAND2 that the card writing platform itself generated, the verification is considered passed.
  • Step 20 Since SIM card 1 has been verified as legitimate, the user identity information bound to it may be bound to another SIM card, and SIM card data such as a profile can be sent to SIM card 2.
  • this example provides a two-way legitimacy verification between a card writing platform and SIM card 2, which may include:
  • Step 21 The MNO1 application requests card information such as the SIM card certificate and the card vendor certificate from SIM card 2, presenting the MNO1 application certificate and the MNO certificate with the request.
  • Step 22 After receiving the request, SIM card 2 verifies the application certificate, which is the certificate of the MNO1 application; if the verification passes, SIM card 2 generates RAND1.
  • Step 23 SIM card 2 returns the SIM card certificate, the card vendor certificate, the card identifier, RAND1, and the card information.
  • Step 24 The MNO1 application submits the SIM card certificate, the card vendor certificate, the card identifier, RAND1, and the card information to the card writing platform;
  • Step 25 The card writing platform verifies the legitimacy of the SIM card certificate of SIM card 2 and, if it is legitimate, generates RAND2;
  • Step 26 The card writing platform returns the platform certificate, the MNO1 certificate, RAND1, RAND2, and signature 2 (computed over the above information with the platform private key);
  • Step 27 The MNO1 application forwards the above information to SIM card 2;
  • Step 28 SIM card 2 verifies the validity of the platform certificate; if it is valid, verifies signature 2 with the platform public key; and checks that the returned RAND1 is the RAND1 the card generated earlier. If all of these checks pass, the card generates signature 1 by signing the RAND1 and RAND2 information with its own key pair;
  • Step 29 SIM card 2 (or the eSIM) returns signature 1 to the MNO1 application;
  • Step 30 The MNO1 application forwards signature 1 to the card writing platform;
  • Step 31 The card writing platform verifies signature 1. If the verification passes, SIM card 2 is a legitimate card and the profile can be downloaded; the card writing platform negotiates a key with SIM card 2 and completes the profile download.
  • the key negotiation here may be any key agreement method that protects the subsequent communication.
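The two exchanges above (steps 11 to 19 with SIM card 1 and steps 21 to 31 with SIM card 2), together with the certificate hierarchy of Figure 2, as an added Go example written for this page and not taken from the patent application. Ed25519 stands in for the signature scheme, which the page does not name; a minimal subject, public key and issuer signature structure stands in for the X.509 certificates; RAND1 and RAND2 are 16-byte nonces; and all names, the ICCID and the key material are constructed. One deliberate deviation: signature 1 is checked by verifying it over RAND1||RAND2 rather than by recovering the random numbers from the signature as step 19 describes, because Ed25519 has no message recovery. Authentication succeeds only when the card certificate and the platform certificate both chain to the operator certificate under the preset root, the card sees its own RAND1 echoed back, and the platform sees its own RAND2 under the card's signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Cert is a minimal certificate (subject, public key, issuer signature over both) standing in for
// the X.509 certificates of the certificate system; this shape is an assumption of the example.
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte
}

func (c Cert) tbs() []byte { return append([]byte(c.Subject+"|"), c.PubKey...) }

// Issue signs a certificate with the issuer's key (root -> MNO -> card / platform / application).
func Issue(subject string, pub ed25519.PublicKey, issuerPriv ed25519.PrivateKey) Cert {
	c := Cert{Subject: subject, PubKey: pub}
	c.Sig = ed25519.Sign(issuerPriv, c.tbs())
	return c
}

// VerifyChain: leaf issued under the MNO certificate, MNO certificate issued under the preset root.
func VerifyChain(leaf, mno Cert, rootPub ed25519.PublicKey) bool {
	return ed25519.Verify(rootPub, mno.tbs(), mno.Sig) && ed25519.Verify(mno.PubKey, leaf.tbs(), leaf.Sig)
}

func nonce() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// party: own certificate and key plus the operator certificate and root public key preset for
// validating the peer. SIM models SIM card 1 / SIM card 2; Platform models the operator 1 platform.
type party struct {
	Cert    Cert
	priv    ed25519.PrivateKey
	mnoCert Cert
	rootPub ed25519.PublicKey
}
type SIM struct {
	party
	ICCID string
	rand1 []byte // last RAND1 this card issued; a challenge must echo it (replay check)
}
type Platform struct {
	party
	rand2 []byte
}

// CardInfo (step 12; steps 22/23 when appCert is given): check the application certificate if the
// card requires it, then return the card certificate, the ICCID and a fresh RAND1.
func (s *SIM) CardInfo(appCert *Cert) (Cert, string, []byte, error) {
	if appCert != nil && !VerifyChain(*appCert, s.mnoCert, s.rootPub) {
		return Cert{}, "", nil, errors.New("application certificate rejected by card")
	}
	s.rand1 = nonce()
	return s.Cert, s.ICCID, s.rand1, nil
}

// Answer (steps 16/28): validate the platform certificate, require RAND1 to be the one this card
// generated, verify signature 2 with the platform key, then return signature 1 over RAND1||RAND2.
func (s *SIM) Answer(platformCert Cert, rand1, rand2, sig2 []byte) ([]byte, error) {
	switch {
	case !VerifyChain(platformCert, s.mnoCert, s.rootPub):
		return nil, errors.New("platform certificate not issued under the operator")
	case !bytes.Equal(rand1, s.rand1):
		return nil, errors.New("RAND1 mismatch: replay or foreign exchange")
	case !ed25519.Verify(platformCert.PubKey, concat(rand1, rand2), sig2):
		return nil, errors.New("signature 2 invalid")
	}
	return ed25519.Sign(s.priv, concat(rand1, rand2)), nil
}

// Challenge (steps 14/25): verify the card certificate, generate RAND2, sign RAND1||RAND2.
func (p *Platform) Challenge(cardCert Cert, rand1 []byte) (Cert, []byte, []byte, error) {
	if !VerifyChain(cardCert, p.mnoCert, p.rootPub) {
		return Cert{}, nil, nil, errors.New("card certificate invalid")
	}
	p.rand2 = nonce()
	return p.Cert, p.rand2, ed25519.Sign(p.priv, concat(rand1, p.rand2)), nil
}

// VerifyCard (steps 19/31): signature 1 must cover this platform's own RAND2.
func (p *Platform) VerifyCard(cardCert Cert, rand1, sig1 []byte) bool {
	return ed25519.Verify(cardCert.PubKey, concat(rand1, p.rand2), sig1)
}

// MutualAuth runs the whole exchange; the MNO1 application acts only as a relay between the two.
func MutualAuth(sim *SIM, p *Platform, appCert *Cert) error {
	cardCert, _, rand1, err := sim.CardInfo(appCert)
	if err != nil {
		return err
	}
	platformCert, rand2, sig2, err := p.Challenge(cardCert, rand1)
	if err != nil {
		return err
	}
	sig1, err := sim.Answer(platformCert, rand1, rand2, sig2)
	if err != nil {
		return err
	}
	if !p.VerifyCard(cardCert, rand1, sig1) {
		return errors.New("signature 1 invalid")
	}
	return nil
}

// Setup builds a constructed certificate system: root -> MNO1 -> card, platform and application.
func Setup() (*SIM, *Platform, Cert) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	mnoPub, mnoPriv, _ := ed25519.GenerateKey(rand.Reader)
	mnoCert := Issue("MNO1", mnoPub, rootPriv)
	newParty := func(subject string) party {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		return party{Cert: Issue(subject, pub, mnoPriv), priv: priv, mnoCert: mnoCert, rootPub: rootPub}
	}
	sim := &SIM{party: newParty("SIM card"), ICCID: "89860000000000000001"} // constructed ICCID
	return sim, &Platform{party: newParty("card writing platform")}, newParty("MNO1 application").Cert
}
```

MutualAuth fails at the card for a platform whose certificate is not issued under the operator, for a challenge that carries a RAND1 from an earlier session, and (SIM card 2, step 22) for an application whose certificate the operator did not issue; the key negotiation and profile download that follow step 31 are not modelled.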
  • the disclosed apparatus and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical functional division; in actual implementation there may be other division manners, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the coupling, direct coupling, or communication connection between the components shown or discussed may be indirect coupling or communication connection through interfaces, devices, or units, and may be electrical, mechanical, or of other forms.
  • the units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units, and some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • the functional units in the embodiments of the present application may all be integrated into one processing module, or each unit may serve as one unit separately, or two or more units may be integrated into one unit;
  • the units may be implemented in the form of hardware, or in the form of hardware plus software functional units.
  • the foregoing program may be stored in a computer readable storage medium and, when executed, performs the steps of the foregoing method embodiments; the storage medium includes a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Abstract

Disclosed in embodiments of the present application are a subscriber identity module writing method, electronic device, a card writing platform, and a storage medium. The method is applied in the card writing platform, comprising: receiving a card writing request sent by a mobile device, wherein the card writing request at least carries a first card identifier of a first subscriber identity module in the mobile device; obtaining, according to the first card identifier, subscriber identity information bound to the first subscriber identity module; sending subscriber identity module data to a second subscriber identity module in the mobile device; and establishing a binding relationship between the second subscriber identity module and the subscriber identity information according to the subscriber identity module data.

Description

User identity module data writing method, device, platform and storage medium
Cross-reference to related applications
This application is based on and claims priority to Chinese Patent Application No. 201810016587.3, filed on January 8, 2018, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of mobile communications, but is not limited to it, and in particular to a subscriber identity module (SIM) data writing method, a mobile device, a card writing platform, and a storage medium.
Background
User identity data can be used for a mobile device's communication only after it has been written into the user identity module. In the prior art there are various ways of writing user identity data into the user identity module. For example, all necessary user identity data is written into the user identity module before it is sold, and the user uses it directly; but this restricts the user's choice of the Mobile Network Operator (MNO) to which the user identity module belongs. Alternatively, only part of the user identity data is written into the user identity module, and the user completes the card writing at a business hall or through information exchange with the network side. In that case, however, the operator must deploy a dedicated channel for writing the user identity module, such as a BIP channel, or must preset in the user identity module a card writing certificate that is never used afterwards, such as a CI certificate.
Either way, the user may need to enter the user identity information manually, and the user identity module has to be bound to the user, which is cumbersome.
Summary of the invention
The embodiments of the present application are intended to provide a user identity module writing method, an electronic device, a card writing platform, and a storage medium.
The technical solution of the present application is implemented as follows:
A first aspect of the embodiments of the present application provides a user identity module data writing method, applied in a card writing platform, including:
receiving a write card request sent by a mobile device, where the write card request carries at least a first card identifier of a first user identity module in the mobile device;
acquiring, according to the first card identifier, user identity information bound to the first user identity module;
sending user identity module data to a second user identity module in the mobile device;
establishing, according to the user identity module data, a binding relationship between the second user identity module and the user identity information.
In a second aspect, the embodiments of the present application provide a user identity module data writing method, applied in a mobile device, including:
reading at least a first card identifier from a first user identity module;
sending, to a card writing platform, a write card request carrying at least the first card identifier;
receiving user identity module data sent by the card writing platform based on the first card identifier;
writing the user identity module data into a second user identity module.
In a third aspect, the embodiments of the present application provide a card writing platform, including:
a first receiving unit, configured to receive a write card request sent by a mobile device, where the write card request carries at least a first card identifier of a first user identity module in the mobile device;
an obtaining unit, configured to acquire, according to the first card identifier, user identity information bound to the first user identity module;
a first sending unit, configured to send user identity module data to a second user identity module in the mobile device;
an establishing unit, configured to establish, according to the user identity module data, a binding relationship between the second user identity module and the user identity information.
In a fourth aspect, an embodiment of the present application provides an electronic device, the electronic device being a mobile device, including:
a reading unit, configured to read at least a first card identifier from a first user identity module;
a second sending unit, configured to send, to a card-writing platform, a card-writing request carrying at least the first card identifier;
a second receiving unit, configured to receive the user identity module data acquired by the card-writing application on the basis of the card-writing request; and
a writing unit, configured to write the user identity module data into a second user identity module.
In a fifth aspect, an embodiment of the present application provides an electronic device, including a transceiver, a memory, a processor, and a computer program stored in the memory and executed by the processor;
the processor is connected to the transceiver and to the memory respectively, and is configured to implement, by executing the computer program, the method provided by any one of the technical solutions of the first aspect or the second aspect.
In a sixth aspect, an embodiment of the present application provides a computer storage medium storing a computer program; when the computer program is executed, it is able to implement the method provided by any one of the technical solutions of the first aspect or the second aspect.
With the SIM data writing method, mobile device, card-writing platform and storage medium provided by the embodiments of the present application, before user identity module data is written to the second user identity module, information such as the card identifier of a first user identity module that is already bound to user identity information is acquired, so the user identity information for the second user identity module can be obtained from the user identity information bound to the first user identity module.
If the first user identity module has already established a binding relationship with the user, the user identity information corresponding to the first user identity module in the database has already passed legality verification, for example it has been checked at least once against the public security system or a similar authority, which ensures its legality; the user identity information obtained at this point is therefore already verified identity information, so when the binding of user identity information for the second user identity module is established, that user identity information need not be verified again. Consequently, in the process of binding user identity information to the second user identity module, the user does not have to enter the user identity information manually and the mobile device does not have to submit it, and, while the legality of the user identity information is ensured, unnecessary verification of that information is avoided. This greatly simplifies the acquisition and authentication of user identity information during the delivery of data to the second user identity module, and is simple to implement.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic architecture diagram of a network system according to an embodiment of the present application;
FIG. 2 is a schematic architecture diagram of a certificate system according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of a first user identity module writing method according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of a second user identity module writing method according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a card-writing platform according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a mobile device according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
FIG. 8 is a schematic flowchart of an information interaction method inside a communication device according to an embodiment of the present application;
FIG. 9 is a schematic flowchart of yet another user identity module writing method according to an embodiment of the present application;
FIG. 10 is a schematic flowchart of a further user identity module writing method according to an embodiment of the present application.
DETAILED DESCRIPTION
As shown in FIG. 1, this example provides a network system including a card-writing platform on the network side and a mobile terminal such as a mobile phone. A card-writing application is installed in the mobile terminal; it may be a mobile network operator application and may be used to carry out various network operation tasks. The card-writing application may be a generic application usable by different mobile network operators, or a dedicated application of a particular mobile network operator. An access control enforcement module is provided on the mobile terminal; it may be a component within an application programming interface (API), and it can access the user identity modules. A mobile terminal may contain several user identity (SIM) cards, for example user identity module 1 and user identity module 2. Each of these may be an independent user identity module that can be separated from the mobile terminal, or a virtual user identity (eSIM) card integrated on a chip inside the mobile device.
FIG. 2 shows a certificate system for user identity modules. A root certificate is provided in the system; the node holding the root certificate can issue an operator certificate to each mobile network operator, and an operator can issue a user identity module certificate to a user identity module, a platform certificate to a card-writing platform, and an application certificate to an application that may access the user identity module. Certificate issuance here can be understood as certificate allocation or configuration. In FIG. 2 the mobile network operators include MNO1, MNO2 and so on, so the node holding the root certificate issues an MNO1 certificate and an MNO2 certificate to MNO1 and MNO2 respectively, and a card vendor certificate to the card vendor that issues user identity modules. A user identity module certificate issued by an MNO usually carries that MNO's own operator identifier and is not compatible with other operators, whereas the user identity module certificate that a card vendor writes into a user identity module is generally a universal certificate compatible with different operators. For example, a user identity module certificate may be a sequence of M bits comprising a first part and a second part, the first part being the universal certificate sequence and the second part a sequence representing the operator. If the second part of the user identity module certificate is blank or holds a default value, the certificate may be regarded as a universal user identity module certificate into which no operator has yet written its operator identifier. This is of course only an example; the specific implementation is not limited to any of the above.
Based on the network system and certificate system shown in FIG. 1 and FIG. 2, when two user identity modules are installed or configured in one mobile device and user identity module 1 has already downloaded a profile file from the MNO's operation platform, that is, SIM card 1 and the user's user identity information are already bound in the MNO's subscription database, then when a profile file is to be written to user identity module 2 the MNO can obtain the user's user identity information by exchanging information with user identity module 1, establish a binding relationship between the obtained user identity information and user identity module 2 (SIM card 2), and deliver a profile file to user identity module 2. The profile file may include an integrated circuit card identity (ICCID) and an international mobile subscriber identity (IMSI). The ICCID may also be called the user identity module identifier and can be used by the MNO to identify the user identity module. The IMSI includes a network identifier, which may be the number of a mobile network and can be used to identify the mobile network to which the user identity module belongs, that is, its home MNO. In this way, the user identity information already bound to one user identity module is used to complete both the binding of user identity information for another user identity module and the delivery of that module's profile file.
The technical solutions of the present application are further described in detail below with reference to the accompanying drawings and specific embodiments.
As shown in FIG. 3, this embodiment provides a user identity module writing method applied to a card-writing platform, including:
Step S110: receiving a card-writing request sent by a mobile device, where the card-writing request carries at least a first card identifier of a first user identity module in the mobile device;
Step S120: acquiring, according to the first card identifier, the user identity information bound to the first user identity module;
Step S130: sending user identity module data to a second user identity module in the mobile device;
Step S140: establishing, according to the user identity module data, a binding relationship between the second user identity module and the user identity information.
The user identity module data may be data written to any of various kinds of user identity modules; for example, it may be data that can be written to a Subscriber Identity Module (SIM), a Universal Subscriber Identity Module (USIM), a nano-SIM or a small SIM card. The small SIM card has a smaller area than the micro-SIM currently in use; the USIM is an upgraded version of the SIM. The nano-SIM, also called the fourth form factor integrated circuit card, is a new generation of SIM. The small SIM card, also called the Micro SIM, is another upgraded version of the SIM and is smaller than an ordinary SIM.
The user identity module writing method provided by this embodiment may be applied to a card-writing platform, which may be the card-writing platform of any of various MNOs.
The user identity module data may include at least an ICCID and an IMSI, and may be the profile file described above. Besides the ICCID and the IMSI, the profile file usually also carries data such as system files that need to be written to the user identity module.
In this embodiment the mobile device sends a card-writing request to the card-writing platform on the basis of the first user identity module, that is, a request to obtain user identity module data. In this embodiment the card-writing request carries at least the card identifier of the first user identity module in the mobile terminal that has already established a binding relationship with the user, namely the first card identifier.
After receiving the card-writing request, the card-writing platform can then obtain the user's identity information, namely the user identity information, from the first card identifier of the first user identity module; for example, the user's ID card number, passport number or name, the user identity module operating password set by the user, or the user account assigned to the user by the card-writing platform. This amounts to completing the user's identity authentication, so the user no longer needs to enter the user identity information manually and the mobile device no longer needs to send it to the card-writing platform. Once the user identity information has been obtained, the user to whom the second user identity module is to be bound has been identified and that user's identity authentication is complete, so user identity module data can be delivered to the second user identity module, and user identity data is therefore sent to it. On the basis of the user identity module data delivered to the second user identity module and the user identity information that was read, the binding relationship between the second user identity module and that user identity information is established. Clearly, in this embodiment a first user identity module already bound to user identity information is used to deliver user identity module data to the second user identity module while, at the same time, completing a simple binding of user identity information for the second user identity module, which is easy to implement.
In this embodiment, the first user identity module and the second user identity module may each be an independent user identity module separable from the mobile device, or an integrated user identity module built into a chip of the mobile device such as its main board, for example a typical virtual user identity (eSIM) card.
It should be noted that in a specific implementation steps S130 and S140 have no fixed order: step S130 may be performed before step S140, or step S140 before step S130. In some embodiments, to ensure that the binding relationship is established correctly, step S130 is performed first and step S140 is performed only after a success notification is received from the communication device or from the second user identity module indicating that the user identity module data was written successfully. This avoids establishing an invalid binding when the transmission of the user identity module data fails, or when the data reaches the communication device but is not successfully written to the second user identity module.
In some embodiments, the card-writing request carries a first user identity module certificate of the first user identity module;
the method further includes: verifying the legality of the first user identity module according to the first user identity module certificate; and step S120 may include: if the first user identity module passes the legality verification, acquiring, according to the first card identifier, the user identity information bound to the first user identity module.
In this embodiment, to ensure that the identity information binding of the second user identity module is reliable and that the first user identity module is legitimate, the card-writing platform also needs to verify the legitimacy of the first user identity module. The card-writing request carries the user identity module certificate of the first user identity module, which may have been issued by the card-writing platform or by another platform. The card-writing platform can verify the legitimacy of the first user identity module by matching the certificate against the user identity module certificates in its local database, or by exchanging information with the device that issued the certificate, thereby making sure that the first user identity module is one issued by a card vendor rather than a fake user identity module forged by the mobile device. This ensures that the delivery of user identity module data is reliable and secure.
In some embodiments, the method further includes: sending the platform certificate of the card-writing platform to the first user identity module;
receiving verification information returned by the first user identity module according to its verification result for the platform certificate;
step S130 may include: after verification information indicating that the platform certificate has passed verification is received, sending the user identity module data to the second user identity module.
Before user identity module data is written to the second user identity module, the mobile terminal also needs to verify the legitimacy of the card-writing platform. Therefore, in this embodiment the card-writing platform also delivers its own platform certificate to the first user identity module, which verifies that platform certificate; if the verification passes, the card-writing platform can be considered legitimate, and the user identity module data received from it can safely be written into the second user identity module.
In some embodiments, the method further includes:
receiving a second user identity module certificate of the second user identity module; and
verifying the legality of the second user identity module according to that user identity module certificate;
step S140 may include:
if the second user identity module is legitimate, sending the user identity module data to the second user identity module.
The embodiment of the present application also includes verifying the legitimacy of the second user identity module, which prevents a forged second user identity module from causing leakage of the user identity module data.
A user identity module certificate is preconfigured in the second user identity module, so the card-writing platform also receives the second user identity module certificate. The legality of the second user identity module certificate can be verified in the same way as that of the first user identity module certificate, which is not repeated here. Only after the legality of the second user identity module certificate has been verified is the user identity module data sent to the second user identity module, for the mobile terminal to write into the second user identity module.
In some embodiments, the method further includes:
sending the platform certificate of the card-writing platform to the second user identity module; and
receiving verification information returned by the second user identity module according to its verification result for the platform certificate;
step S140 may specifically include:
after verification information indicating that the platform certificate has passed verification is received, and provided the second user identity module is legitimate, sending the user identity module data to the second user identity module.
Before the second user identity module writes the user identity module data delivered by the card-writing platform into itself, it also verifies the legitimacy of the card-writing platform once more, thereby making sure that the user identity module data being written is genuine and reliable, and avoiding the situation in which dirty data or illegitimate user identity module data is written and the second user identity module is unable to communicate afterwards.
In some embodiments, since the first user identity module and the second user identity module are generally installed in the same mobile device and the first user identity module has already verified the legitimacy of the card-writing platform, the second user identity module may omit this step; however, to ensure high reliability and security, the second user identity module may repeat the legitimacy verification of the card-writing platform.
In the embodiment of the present application, the legitimacy verification of the card-writing platform may include the mobile terminal exchanging information about the received platform certificate with other network devices, for example with the node holding the root certificate, in order to verify the legitimacy of the platform certificate. In some embodiments the platform certificate of the card-writing platform may also be checked by means of random-number verification. For example, the user identity module generates a random number, which may be called the first random number to distinguish it, encrypts it with the card private key and sends it to the card-writing platform. After decrypting the random number with the card public key, the card-writing platform generates another random number of its own, which may be called the second random number. The card-writing platform encrypts its own platform certificate, the first random number and the second random number with the platform private key and sends the result to the user identity module. On receipt, the user identity module decrypts it with the platform public key and extracts the two random numbers; if one of the two random numbers exactly matches the first random number generated by the user identity module itself, the platform certificate of the card-writing platform is considered to have passed the legitimacy verification.
Of course, the above merely provides two optional ways of verifying the legitimacy of a platform certificate; the specific implementation is not limited to either of them.
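The random-number verification just described, written out as an added example in Go; it is not code from the patent or from any MNO platform. The patent speaks of "encrypting with the private key" and "decrypting with the public key"; what that construction actually provides is origin authentication, so the example models each such step as an Ed25519 signature and verification (the substitution is this example's assumption, as is the opaque byte string standing in for the platform certificate). The card keeps the first random number it issued and, after checking the platform's signature with the platform public key it trusts, accepts only a reply that carries that number back, which is what defeats both a platform with the wrong key and a replayed reply.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const nonceLen = 16 // size of each random number (assumption)

// Card models the first user identity module: card key pair plus the first
// random number it last issued, kept for the final comparison.
type Card struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	nonce []byte
}

// Platform models the card-writing platform: platform key pair, platform
// certificate (constructed opaque bytes here) and the card public key used to
// check the card's message.
type Platform struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Cert    []byte
	cardPub ed25519.PublicKey
}

// Challenge is message 1: the first random number, signed by the card.
type Challenge struct{ Nonce, Sig []byte }

// Response is message 2: platform certificate, both random numbers, and the
// platform's signature over all three.
type Response struct{ Cert, Nonce1, Nonce2, Sig []byte }

func NewCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, Pub: pub}, nil
}

func NewPlatform(cardPub ed25519.PublicKey, cert []byte) (*Platform, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Platform{priv: priv, Pub: pub, Cert: cert, cardPub: cardPub}, nil
}

// encode length-prefixes every field so the signed payload is unambiguous.
func encode(fields ...[]byte) []byte {
	var b bytes.Buffer
	for _, f := range fields {
		var n [2]byte
		binary.BigEndian.PutUint16(n[:], uint16(len(f)))
		b.Write(n[:])
		b.Write(f)
	}
	return b.Bytes()
}

// MakeChallenge: the card draws the first random number and signs it.
func (c *Card) MakeChallenge() (Challenge, error) {
	c.nonce = make([]byte, nonceLen)
	if _, err := rand.Read(c.nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{Nonce: c.nonce, Sig: ed25519.Sign(c.priv, encode(c.nonce))}, nil
}

// Respond: the platform checks the card's signature, draws the second random
// number, and signs certificate || first number || second number.
func (p *Platform) Respond(ch Challenge) (Response, error) {
	if !ed25519.Verify(p.cardPub, encode(ch.Nonce), ch.Sig) {
		return Response{}, errors.New("challenge not signed by the expected card")
	}
	n2 := make([]byte, nonceLen)
	if _, err := rand.Read(n2); err != nil {
		return Response{}, err
	}
	sig := ed25519.Sign(p.priv, encode(p.Cert, ch.Nonce, n2))
	return Response{Cert: p.Cert, Nonce1: ch.Nonce, Nonce2: n2, Sig: sig}, nil
}

// VerifyPlatform: the card checks the signature with the platform public key it
// trusts, then looks for its own first random number among the two returned.
func (c *Card) VerifyPlatform(trusted ed25519.PublicKey, r Response) bool {
	if !ed25519.Verify(trusted, encode(r.Cert, r.Nonce1, r.Nonce2), r.Sig) {
		return false
	}
	return bytes.Equal(r.Nonce1, c.nonce) || bytes.Equal(r.Nonce2, c.nonce)
}

// RunExchange runs the full round trip; trusted is the platform public key the card holds.
func RunExchange(card *Card, platform *Platform, trusted ed25519.PublicKey) (bool, error) {
	ch, err := card.MakeChallenge()
	if err != nil {
		return false, err
	}
	resp, err := platform.Respond(ch)
	if err != nil {
		return false, err
	}
	return card.VerifyPlatform(trusted, resp), nil
}

func main() {
	card, _ := NewCard()
	platform, _ := NewPlatform(card.Pub, []byte("constructed platform certificate"))
	ok, err := RunExchange(card, platform, platform.Pub)
	fmt.Println("platform verified:", ok, "err:", err)
}
```

The trusted platform public key is a parameter of VerifyPlatform rather than a field read from the reply on purpose: if the card took the key from the certificate it has just received, any sender could supply a certificate and key pair of its own, so the key (or a chain back to the root certificate of FIG. 2) has to be something the card already holds.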
The second user identity module certificate is a universal card certificate not bound to any mobile network operator. In the embodiment of the present application the second user identity module certificate is a universal card certificate, that is, a card certificate that can be recognised by all kinds of MNOs. The corresponding MNO platform can also convert a universal card certificate into its own user identity module certificate by rewriting its information; the converted user identity module certificate is then one that other MNO platforms cannot recognise. In this way, a user identity module holding a universal card certificate can have user identity module data delivered to it by any MNO, removing the limitation that only a specific MNO can write to the user identity module, so the user can choose according to their own preference which MNO writes user identity module data to the second user identity module.
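The two-part certificate layout described with FIG. 2 and the universal-to-operator conversion described just above, as an added Go example that is not part of the patent. The patent only says the certificate is a sequence of M bits whose second part represents the operator and is blank or a default value when universal; the concrete layout below (a byte string whose trailing four bytes hold the operator identifier, all zeros meaning "default") is this example's assumption, as is the sample certificate content.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// operatorLen is the size of the second (operator) part; assumption for this example.
const operatorLen = 4

// CardCert is a user identity module certificate: first part followed by the operator part.
type CardCert []byte

func operatorPart(cert CardCert) []byte {
	return cert[len(cert)-operatorLen:]
}

// IsUniversal reports whether the operator part is blank (the default value),
// i.e. no MNO has written its identifier into the certificate yet.
func IsUniversal(cert CardCert) bool {
	if len(cert) <= operatorLen {
		return false // too short to carry both parts
	}
	return bytes.Equal(operatorPart(cert), make([]byte, operatorLen))
}

// Operator returns the operator identifier written into the certificate,
// or "" when the certificate is universal or malformed.
func Operator(cert CardCert) string {
	if len(cert) <= operatorLen || IsUniversal(cert) {
		return ""
	}
	return string(bytes.TrimRight(operatorPart(cert), "\x00"))
}

// AssignOperator is the MNO platform converting a universal certificate into its
// own. It refuses a certificate that already carries an operator identifier and
// returns a copy, so the caller's universal certificate is left untouched.
func AssignOperator(cert CardCert, mno string) (CardCert, error) {
	if !IsUniversal(cert) {
		return nil, errors.New("certificate is not universal")
	}
	if len(mno) == 0 || len(mno) > operatorLen {
		return nil, fmt.Errorf("operator identifier must be 1 to %d bytes", operatorLen)
	}
	out := append(CardCert(nil), cert...)
	copy(operatorPart(out), mno)
	return out, nil
}

// AcceptedBy reports whether an MNO platform recognises the certificate: a
// universal certificate is accepted by every MNO, a converted one only by its own.
func AcceptedBy(cert CardCert, mno string) bool {
	if len(cert) <= operatorLen {
		return false
	}
	return IsUniversal(cert) || Operator(cert) == mno
}

// SampleUniversalCert builds a constructed universal certificate: a 16-byte
// first part followed by a blank operator part.
func SampleUniversalCert() CardCert {
	first := []byte("constructed-cert")
	return append(CardCert(first), make([]byte, operatorLen)...)
}

func main() {
	u := SampleUniversalCert()
	c, err := AssignOperator(u, "MNO1")
	fmt.Println("universal:", IsUniversal(u), "converted operator:", Operator(c), "err:", err)
	fmt.Println("MNO2 accepts converted:", AcceptedBy(c, "MNO2"), "MNO2 accepts universal:", AcceptedBy(u, "MNO2"))
}
```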
As shown in FIG. 4, this embodiment provides a user identity module writing method applied to a mobile device, including:
Step S210: reading at least a first card identifier from a first user identity module;
Step S220: sending, to a card-writing platform, a card-writing request carrying at least the first card identifier;
Step S230: receiving user identity module data sent by the card-writing platform on the basis of the first card identifier;
Step S240: writing the user identity module data into a second user identity module.
This embodiment provides a user identity module writing method applied to a mobile device. In this embodiment a card-writing application may be installed in the mobile device; it may be a generic card-writing application, which can interface with the operation platforms of multiple MNOs.
In some embodiments, the generic card-writing application has its application identifier registered in the operation platforms of different MNOs and is recognised by those operation platforms, so it can exchange information with the operation platforms of different MNOs.
In other embodiments, the generic card-writing application has a dedicated card-writing platform on the network side, and that card-writing platform can exchange data with the operation platforms of different MNOs according to the card-writing rules described above, thereby helping the generic card-writing application write the user identity module data of different MNOs into the second user identity module.
In still other embodiments, the card-writing application may be a card-writing application issued by an MNO and dedicated to that MNO; it can exchange data with the corresponding MNO's card-writing platform and thereby write the user identity module data into the second user identity module.
In this embodiment, the card-writing application already has the communication address of the corresponding card-writing platform recorded, and can exchange data with the card-writing platform directly on the basis of that address. The communication address may be the Internet Protocol (IP) address of the card-writing platform, or a domain name, tunnel identifier or other address by which the card-writing platform can be located. The tunnel identifier is the identification information of the tunnel used for data transmission between the card-writing platform and the card-writing application.
In this embodiment, the card-writing application reads the card identifier of the first user identity module from the first user identity module; this card identifier may be called the first card identifier and may be information such as the ICCID of the user identity module described above.
In this embodiment, after the first user identity module identifier has been read it is carried in the card-writing request, which is a request to write user identity module data to the second user identity module. For example, the application interface of the card-writing application detects a card-writing instruction entered by the user; if the current communication device has a first user identity module installed and the card-writing instruction indicates that user identity module data is to be written to the second user identity module, the card-writing application automatically reads the first card identifier of the first user identity module. The card-writing request also includes a card-writing request field, which tells the card-writing platform that user identity module data is being requested.
写卡平台在接收到这样的写卡请求之后,可以根据第一用户身份识别模块的第一卡标识获得用户的用户身份信息;进而确定第二用户身份识别模块下发用户身份识别模块,并基于下发的用户身份识别模块及用户身份信息,建立用户身份信息及第二用户身份识别模块的绑定关系。After receiving the write request, the card writing platform may obtain the user identity information of the user according to the first card identifier of the first user identity module; and further determine that the second user identity module sends the user identity module, and is based on The user identity module and the user identity information are sent, and the binding relationship between the user identity information and the second user identity module is established.
In some embodiments, the mobile device is further provided with an access control execution module. The access control execution module may be one of the components of the API and is used to control the access of the various applications to the user identity module, so as to ensure the security of the data on the user identity module and the application security of the user identity module. The access control execution module verifies the legitimacy of the card-writing application. Verifying the legitimacy of the card-writing application may include verifying whether the card-writing application has permission to access the user identity module. For example, the card-writing application submits its own application information to the access control execution module, and the access control execution module matches the application information submitted by the card-writing application against the application information of the applications permitted to access the user identity module; if the match succeeds, the card-writing application is considered to have permission to access the user identity module and to be a legitimate application for accessing it. In some embodiments, after receiving the application information of the card-writing application, the access control module sends that application information to the user identity module; the user identity module matches it against the internally stored list of application information of the applications on the device that are permitted to access the user identity module, and then informs the access control execution module of the matching result. After receiving the matching result from the user identity module, the access control execution module either refuses to let the card-writing application access the user identity module through it or allows the card-writing application to access the user identity module through it.
The application information here may include an application identifier (Application Identity, AID) and/or an application certificate. The application certificate may be a certificate issued by the certificate system to confirm that the application is a legitimate application that has passed the various verification processes. The certificate may include information such as a certificate serial number.
Step S210 may include:
if the card-writing application passes the legitimacy verification of the access control execution module, reading at least the first card identifier from the first user identity module through the access control execution module.
In this embodiment, because an access control execution module is provided, data exchange between the card-writing application and the user identity module has to go through the access control execution module, which ensures the correctness of the user identity module.
In some embodiments, the user identity module delivered by the card-writing platform to the second user identity module may carry application information, for example the application certificate and/or the application identifier, so that the user identity module can later, with the assistance of the access control execution module, determine whether an application requesting access to it has permission to access the user identity module, so as to ensure the security of the data on the user identity module and the security of its use.
As shown in FIG. 5, an embodiment of the present application provides a card-writing platform, including:
a first receiving unit 110, configured to receive a card-writing request sent by a mobile device, where the card-writing request carries at least the first card identifier of the first user identity module in the mobile device;
an obtaining unit 120, configured to obtain, according to the first card identifier, the user identity information bound to the first user identity module;
a first sending unit 130, configured to send a user identity module to the second user identity module in the mobile device; and
an establishing unit 140, configured to establish, according to the user identity module, a binding relationship between the second user identity module and the user identity information.
The card-writing platform may include one or more card-writing servers. In short, the first receiving unit 110 and the first sending unit 130 in the card-writing platform may correspond to a transceiver, which can be used for the various information exchanges with the mobile device.
The obtaining unit 120 may correspond to a processor and may look up the user identity information on a local storage medium. In other cases, the obtaining unit 120 may also correspond to a communication interface and may query the user identity information bound to the first card identifier from another device.
The establishing unit 140 may include a processor, which may store, in a database local to the card-writing platform or in a dedicated database connected to the card-writing platform, the user identity module delivered to the second user identity module together with the user identity information, thereby completing the corresponding storage of the second user identity module and the user's user identity information, that is, the establishment of the binding relationship.
In some embodiments, the card-writing request carries a first user identity module certificate of the first user identity module;
and the card-writing platform further includes:
a first verification unit, which may correspond to a processor and may be configured to verify the legitimacy of the first user identity module according to the first user identity module certificate;
and the obtaining unit 120 may be configured to obtain, according to the first card identifier, the user identity information bound to the first user identity module if the first user identity module passes the legitimacy verification.
In some embodiments, the first sending unit 130 is further configured to send the platform certificate of the card-writing platform to the first user identity module; the first receiving unit 110 is further configured to receive the verification information returned by the first user identity module as the result of verifying the platform certificate; and, after verification information indicating that the platform certificate has passed verification is received, the user identity module is sent to the second user identity module.
In some embodiments, the first receiving unit 110 is further configured to receive a second user identity module certificate of the second user identity module; the first verification unit is further configured to verify the legitimacy of the second user identity module according to that user identity module certificate; and the first sending unit 130 is further configured to send the user identity module to the second user identity module if the second user identity module is legitimate.
In some embodiments, the first sending unit 130 is further configured to send the platform certificate of the card-writing platform to the second user identity module; the first receiving unit 110 is further configured to receive the verification information returned by the second user identity module as the result of verifying the platform certificate; and, after verification information indicating that the platform certificate has passed verification is received and the second user identity module is found to be legitimate, the user identity module is sent to the second user identity module.
In some embodiments, the second user identity module certificate is a universal card certificate that is not bound to any mobile network operator.
As shown in FIG. 6, this embodiment provides a mobile device, including:
a reading unit 210, configured to read at least a first card identifier from a first user identity module;
a second sending unit 220, configured to send to the card-writing platform a card-writing request carrying at least the first card identifier;
a second receiving unit 230, configured to receive the user identity module obtained by the card-writing application on the basis of the card-writing request; and
a writing unit 240, configured to write the user identity module into a second user identity module.
The reading unit 210 may correspond to a processor, processing circuit or processing chip capable of executing code or a program, and can read from the first user identity module the card identifier of that module, that is, the first card identifier.
The second sending unit 220 and the second receiving unit 230 may correspond to a communication interface of the communication device and may be used to exchange information with the card-writing platform, thereby assisting the card-writing platform in obtaining the user identity information and writing the user identity module into the second user identity module.
In some embodiments, the mobile device is further provided with an access control execution module;
and the reading unit 210 may be configured to read at least the first card identifier from the first user identity module through the access control execution module after the card-writing application has passed the legitimacy verification of the access control execution module.
As shown in FIG. 7, an embodiment of the present application provides an electronic device, including a transceiver 310, a memory 320, a processor 330, and a computer program stored in the memory 310 and executed by the processor 330;
the communication device may include a transceiver 310, a memory 320, a processor 330, and a computer program stored in the memory 320 and executed by the processor 330;
the processor 330 is connected to the transceiver 310 and to the memory 320 respectively, for example via the integrated circuit bus IIC.
The processor 330 may be configured to execute, by running the computer program, the verification information processing method provided by one or more of the foregoing technical solutions; for example, it may execute the user identity module data writing method provided by one or more of the technical solutions applied to the card-writing platform and/or the mobile device.
The transceiver 310 may be any type of interface usable for communication, such as a cable interface or an optical-cable interface. For example, the transceiver 310 may provide an interface for information exchange between the processor and other devices; such communication interfaces can be divided into serial interfaces and parallel interfaces, and commonly used ones are the standard communication interfaces RS-232, RS-485, RS-422 and so on.
The memory 320 may be a memory component of the communication device that includes a storage medium, and may be a random access memory, a read-only memory, a storage hard disk or the like. For example, the memory may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a magnetic disk memory or a magnetic tape memory. The volatile memory may be a Random Access Memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM) and Direct Rambus Random Access Memory (DRRAM). The memory 802 described in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
The processor 330 may be any type of processor: a central processing unit, a microprocessor, an application processor, a programmable array, an application-specific integrated circuit, or the like. For example, the processor 403 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The above processor may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present application may be embodied directly as being executed by a hardware decoding processor, or as being executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium; the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the foregoing method in combination with its hardware.
The electronic device may be the aforementioned mobile device, for example a communication terminal such as a mobile phone, tablet computer, wearable device, in-vehicle device or Internet of Things terminal, or it may be a card-writing server of the card-writing platform.
An embodiment of the present application provides a computer storage medium storing a computer program; after the computer program is executed by a processor, the user identity module data writing method provided by one or more of the technical solutions applied to the card-writing platform and/or the mobile device can be executed.
The computer storage medium may be a removable storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code. Optionally, the computer storage medium is preferably a non-transitory storage medium or a non-volatile storage medium.
Several specific examples are given below in connection with any of the above embodiments:
Example 1:
In this example, the certificate system is as shown in FIG. 2: the node holding the root certificate issues MNO certificates to the different operators, and each operator in turn issues SIM card certificates, platform certificates and application certificates (used for application signing).
Secure communication between the card-writing platform and the operator application is achieved through the Transport Layer Security (TLS) protocol.
The hash value of the operator application certificate is preset in SIM card 1. The access control execution module loads this hash value from SIM card 1 and checks whether the hash value of the operator application certificate matches the hash value read from the card: if the two hash values are equal, the operator application has permission to access SIM card 1; otherwise access is denied.
SIM card 1 and the card-writing platform perform mutual authentication through the SIM card, ensuring the legitimacy of both the card-writing platform and SIM card 1; this achieves acquisition of the user identity information, and the acquired identity information does not need to be verified again with a third-party system, which reduces unnecessary verification. SIM card 2 is preset with the root certificate and a SIM card certificate; after mutual authentication with the card-writing platform of operator 1, a key is negotiated and the Profile download is completed.
Example 2:
As shown in FIG. 8, this example provides an information exchange method applied within a mobile device, which may include:
Step 1: the access control execution module obtains the access control rule of SIM card 1;
Step 2: SIM card 1 returns the access control rule to the access control module; this access control rule is used by the access control execution module to control the access of the various applications on the device to the SIM card.
Step 3: the MNO1 application (a card-writing application installed on the mobile device) requests the SIM card 1 information; at this point the access control execution module receives the access request of the MNO1 application;
Step 4: the access control execution module verifies the legitimacy of the MNO1 application according to the access control rule; this verification mainly checks whether the MNO1 application is an application with permission to access SIM card 1, that is, whether the MNO1 application is a legitimate application that may access SIM card 1.
Step 5: if the MNO1 application is legitimate, the access control execution module obtains the SIM card 1 information from SIM card 1; the SIM card 1 information here may include the card identifier of SIM card 1, the SIM card certificate and the like. This amounts to sending SIM card 1 a request for the SIM card 1 information;
Step 6: SIM card 1 returns the SIM card 1 information to the access control execution module.
Step 7: the access control execution module returns the SIM card 1 information to the MNO1 application.
Specifically, in step 1 the access control execution module loads the access control rule (the hash value of the application certificate) from SIM card 1, and SIM card 1 returns the access control rule.
In step 3, the MNO1 application wants to obtain the card information of SIM card 1 (or sends an acquisition request to SIM card 1).
Step 4 may include: the access control execution module verifies whether the MNO1 application has permission to access SIM card 1 (by comparing whether the hash value of the MNO1 certificate matches the one stored in SIM card 1).
If the MNO1 application has no permission to access SIM card 1, an error message is returned and the procedure ends; if the MNO1 application has permission to access SIM card 1, the request for the SIM card 1 information (or command) is sent to SIM card 1, SIM card 1 returns the card information, and the MNO1 application receives the card information.
The method provided in this example can be used for data exchange between the card-writing application and the first and second SIM cards, implementing access control of the SIM card for applications such as the card-writing application.
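The access control check of steps 1 to 7, as an added Go example that is not part of the patent or of any operator's implementation: the access control execution module (here `Enforcer`) loads the rule from SIM card 1 and only then forwards the MNO1 application's read, comparing the SHA-256 hash of the requesting application's certificate against the hashes the card holds. The rule format (a list of hashes, so the card can allow more than one application), the type and function names, and the certificate byte strings are all assumptions constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// CardInfo is what step 5 reads from SIM card 1 (values constructed for this example).
type CardInfo struct {
	CardID   string
	CardCert []byte
}

// SIMCard1 holds the access control rule of SIM card 1: the SHA-256 hashes of the
// application certificates allowed to access the card (the rule format is assumed).
type SIMCard1 struct {
	allowedCertHashes [][32]byte
	info              CardInfo
}

// NewSIMCard1 presets the card with the hash of each allowed application certificate.
func NewSIMCard1(info CardInfo, allowedAppCerts ...[]byte) *SIMCard1 {
	c := &SIMCard1{info: info}
	for _, cert := range allowedAppCerts {
		c.allowedCertHashes = append(c.allowedCertHashes, sha256.Sum256(cert))
	}
	return c
}

// Rule is the step 2 reply: the card hands its access control rule to the enforcer.
func (c *SIMCard1) Rule() [][32]byte { return c.allowedCertHashes }

// Enforcer is the access control execution module on the mobile device.
type Enforcer struct {
	rule [][32]byte
}

// LoadRule performs steps 1 and 2.
func (e *Enforcer) LoadRule(card *SIMCard1) { e.rule = card.Rule() }

// Allowed performs step 4: hash the requesting application's certificate and compare it,
// in constant time, with every hash in the rule. No rule loaded means deny.
func (e *Enforcer) Allowed(appCert []byte) bool {
	h := sha256.Sum256(appCert)
	for _, allowed := range e.rule {
		if subtle.ConstantTimeCompare(h[:], allowed[:]) == 1 {
			return true
		}
	}
	return false
}

// ReadCardInfo performs steps 3 to 7: the application's request reaches the card only
// through the enforcer, which answers with an error when the application is not allowed.
func (e *Enforcer) ReadCardInfo(card *SIMCard1, appCert []byte) (CardInfo, error) {
	if !e.Allowed(appCert) {
		return CardInfo{}, errors.New("application not allowed to access SIM card 1")
	}
	return card.info, nil
}

func main() {
	mno1Cert := []byte("constructed MNO1 application certificate")
	otherCert := []byte("constructed certificate of some other application")
	card := NewSIMCard1(CardInfo{CardID: "constructed-iccid-0001", CardCert: []byte("constructed SIM cert")}, mno1Cert)
	var e Enforcer
	e.LoadRule(card)
	_, err := e.ReadCardInfo(card, mno1Cert)
	fmt.Println("MNO1 application:", err) // nil: allowed
	_, err = e.ReadCardInfo(card, otherCert)
	fmt.Println("other application:", err) // denied
}
```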
Example 3:
As shown in FIG. 9, this example provides a method for mutual legitimacy verification between the card-writing platform and a SIM card, which may include:
Step 11: the MNO1 application obtains the SIM card 1 information, including card information such as the SIM card certificate and the card identifier (note: to enhance security, the user may be required to enter a service password to verify that the user is the legitimate holder of SIM card 1). For example, the MNO1 application presents an input control such as a service password input box in its application interface; after detecting the service password entered by the user, it carries the password in the access request by which the MNO1 application requests access to the SIM card, which facilitates the access control performed by the access control execution module.
Step 12: SIM card 1 returns SIM card information such as the SIM card certificate, the card identifier and a random number (RAND) 1;
Step 13: the MNO1 application submits the data returned as SIM card information to the card-writing platform;
Step 14: the card-writing platform verifies the legitimacy of the card certificate of SIM card 1 and, if it is legitimate, generates RAND2;
the card-writing platform returns the platform certificate, RAND1, RAND2 and signature 2 (the above information signed with the platform private key);
Step 15: the MNO1 application sends the above information to SIM card 1;
Step 16: SIM card 1 verifies the legitimacy of the platform certificate; if it is legitimate, it verifies signature 2 using the received platform public key; if that passes, it verifies whether RAND1 matches the RAND1 the card generated earlier; if all of the above verifications pass, it generates signature 1 (the returned RAND1 and RAND2 information signed with the card private key);
Step 17: SIM card 1 returns signature 1;
Step 18: the MNO1 application returns signature 1;
Step 19: the card-writing platform verifies signature 1; if the verification passes, SIM card 1 is a legitimate SIM card issued by operator 1. Verifying signature 1 may include: decrypting the signature with the SIM card public key and extracting the random numbers; if the extracted random numbers include the RAND2 generated by the card-writing platform itself, the verification can be regarded as passed.
Step 20: the user identity information bound to this SIM card can be used for binding to another SIM card, and the user identity information bound to this SIM card is determined to have passed legitimacy verification.
As shown in FIG. 9, after the legitimacy verification of SIM card 1 is completed, SIM card data such as a Profile file can be delivered to SIM card 2.
示例4:Example 4:
如图10所示,本示例提供一种写卡平台和SIM卡之间双向合法性验证,可包括:As shown in FIG. 10, this example provides a two-way legality verification between a card writing platform and a SIM card, which may include:
步骤21:MNO1应用获取SIM卡2的SIM卡证书、卡商证书、应用证书、MNO证书等卡信息。Step 21: The MNO1 application acquires card information such as a SIM card certificate, a card vendor certificate, an application certificate, and an MNO certificate of the SIM card 2.
步骤22:SIM卡2收到获取的请求后,验证应用证书并生成RAND1;该应用证书为MNO1应用的应用证书,若验证通过之后,生成RAND1。Step 22: After receiving the obtained request, the SIM card 2 verifies the application certificate and generates RAND1; the application certificate is an application certificate applied by the MNO1, and if the verification is passed, the RAND1 is generated.
步骤23:SIM卡2返回SIM卡证书、卡商证书、卡标识、RAND1及卡信息;Step 23: The SIM card 2 returns a SIM card certificate, a card vendor certificate, a card identifier, RAND1, and card information.
步骤24:MNO1应用将SIM卡证书、卡商证书、卡标识、RAND1及卡信息提交给写卡平台;Step 24: The MNO1 application submits the SIM card certificate, the card vendor certificate, the card identifier, the RAND1 and the card information to the card writing platform;
步骤25:写卡平台验证SIM卡2的SIM卡证书合法性,若合法生成RAND2;Step 25: The card writing platform verifies the legality of the SIM card certificate of the SIM card 2, and if the RAND2 is legally generated;
步骤26:写卡平台返回平台证书、MNO1证书、RAND1、RAND2及签名2(利用平台私钥对上述信息进行签名);Step 26: The card writing platform returns the platform certificate, the MNO1 certificate, the RAND1, the RAND2, and the signature 2 (using the platform private key to sign the above information);
步骤27:MNO1应用将上述信息发送给SIM卡2;Step 27: The MNO1 application sends the above information to the SIM card 2;
步骤28:SIM卡2验证平台证书合法性,若合法利用收到的平台公钥验证签名2,若通过验证RAND1是否与之前卡产生的RAND1一致,若上述验证通过,生成签名1(利用卡私钥对返回RAND1、RAND2信 息进行签名);Step 28: The SIM card 2 verifies the validity of the platform certificate. If the signature of the platform public key is legally verified, if the RAND1 is verified to be consistent with the RAND1 generated by the previous card, if the above verification is passed, the signature 1 is generated. The key pair returns the RAND1, RAND2 information to sign);
步骤29:SIM卡2/eSIM返回签名1;Step 29: SIM card 2 / eSIM returns signature 1;
步骤30:MNO1应用返回签名1;Step 30: The MNO1 application returns a signature 1;
步骤31:写卡平台验证签名1,若通过验证,说明SIM卡2是合法的卡,可以下载Profile;写卡平台与SIM卡2协商密钥,完成Profile下载。Step 31: The card writing platform verifies the signature 1. If the verification is performed, the SIM card 2 is a legal card, and the profile can be downloaded; the card writing platform negotiates the key with the SIM card 2 to complete the profile download.
这里的密钥协商可为后续进行通信的各种的密钥协商等。The key negotiation here may be various key negotiation or the like for subsequent communication.
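The two-way verification of Example 4 (steps 22 to 31), as an added example in Go that is not part of the patent or of any implementation of it. It assumes Ed25519 key pairs behind every certificate, one root key that issues all certificates, and an MNO1 application modelled only as the relay that may hand the platform a stale RAND1; the names Cert, Party, Respond, Answer and RunExample are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Cert stands in for the certificates of Example 4: Subject||Pub signed by one root
// key that plays card vendor CA and MNO CA alike (an assumption of this example).
type Cert struct{ Subject string; Pub ed25519.PublicKey; Sig []byte }
func (c Cert) Valid(root ed25519.PublicKey) bool {
	return ed25519.Verify(root, append([]byte(c.Subject), c.Pub...), c.Sig)
}
func nonce() []byte          { b := make([]byte, 16); rand.Read(b); return b }
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
// Party is SIM card 2 or the card writing platform: its key pair, its certificate
// and the random challenge (RAND1 or RAND2) it generated in the current run.
type Party struct{ priv ed25519.PrivateKey; Cert Cert; rnd []byte }
func newParty(root ed25519.PrivateKey, name string) *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{priv: priv, Cert: Cert{name, pub, ed25519.Sign(root, append([]byte(name), pub...))}}
}
// Steps 25-26: the platform checks the card certificate, issues RAND2 and signs
// RAND1||RAND2 with the platform private key (signature 2).
func (plat *Party) Respond(cardCert Cert, rand1 []byte, root ed25519.PublicKey) ([]byte, []byte, error) {
	if !cardCert.Valid(root) {
		return nil, nil, errors.New("platform: SIM card certificate rejected")
	}
	plat.rnd = nonce()
	return plat.rnd, ed25519.Sign(plat.priv, cat(rand1, plat.rnd)), nil
}
// Step 28: the card checks the platform certificate and signature 2, confirms RAND1
// is the nonce it issued itself, then signs RAND1||RAND2 (signature 1).
func (card *Party) Answer(platCert Cert, rand1, rand2, sig2 []byte, root ed25519.PublicKey) ([]byte, error) {
	msg := cat(rand1, rand2)
	switch {
	case !platCert.Valid(root):
		return nil, errors.New("card: platform certificate rejected")
	case !ed25519.Verify(platCert.Pub, msg, sig2):
		return nil, errors.New("card: signature 2 invalid")
	case string(rand1) != string(card.rnd):
		return nil, errors.New("card: RAND1 mismatch, stale or foreign challenge")
	}
	return ed25519.Sign(card.priv, msg), nil
}

// RunExample plays both parties with fresh keys; nil means the Profile may be sent.
// With replay=true the relay (steps 24 and 27) hands the platform a stale RAND1.
func RunExample(replay bool) error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	card, plat := newParty(rootPriv, "SIM card 2"), newParty(rootPriv, "card writing platform")
	card.rnd = nonce() // steps 22-23: RAND1, issued once the application certificate was accepted
	rand1 := card.rnd
	if replay {
		rand1 = nonce()
	}
	rand2, sig2, err := plat.Respond(card.Cert, rand1, rootPub)
	if err != nil {
		return err
	}
	sig1, err := card.Answer(plat.Cert, rand1, rand2, sig2, rootPub)
	if err != nil {
		return err
	}
	if !ed25519.Verify(card.Cert.Pub, cat(rand1, rand2), sig1) { // step 31
		return errors.New("platform: signature 1 invalid")
	}
	return nil
}
```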
In the several embodiments provided by the present application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and in actual implementation there may be other ways of dividing them: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may all be integrated into one processing module, or each unit may serve as a separate unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes: a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
The foregoing is merely the specific implementation of the present application, but the scope of protection of the present application is not limited thereto. Any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be determined by the scope of the claims.

Claims (12)

  1. A user identity module data writing method, applied in a card writing platform, comprising:
    receiving a write card request sent by a mobile device, wherein the write card request carries at least a first card identifier of a first user identity module in the mobile device;
    acquiring, according to the first card identifier, user identity information bound to the first user identity module;
    sending user identity module data to a second user identity module in the mobile device; and
    establishing, according to the user identity module data, a binding relationship between the second user identity module and the user identity information.
  2. The method according to claim 1, wherein
    the write card request carries a first user identity module certificate of the first user identity module;
    the method further comprises:
    verifying the legality of the first user identity module according to the first user identity module certificate; and
    the acquiring, according to the first card identifier, user identity information bound to the first user identity module comprises:
    if the first user identity module passes the legality verification, acquiring, according to the first card identifier, the user identity information bound to the first user identity module.
  3. The method according to claim 2, wherein
    the method further comprises:
    sending a platform certificate of the card writing platform to the first user identity module; and
    receiving verification information returned by the first user identity module on the result of verifying the platform certificate; and
    the sending user identity module data to the second user identity module in the mobile device comprises:
    after receiving verification information indicating that the platform certificate has passed verification, sending the user identity module data to the second user identity module.
  4. The method according to claim 1 or 2, wherein
    the method further comprises:
    receiving a second user identity module certificate of the second user identity module; and
    verifying the legality of the second user identity module according to the user identity module certificate; and
    the sending user identity module data to the second user identity module in the mobile device comprises:
    if the second user identity module is legal, sending the user identity module data to the second user identity module.
  5. The method according to claim 4, wherein
    the method further comprises:
    sending a platform certificate of the card writing platform to the second user identity module; and
    receiving verification information returned by the second user identity module on the result of verifying the platform certificate; and
    the if the second user identity module is legal, sending the user identity module data to the second user identity module comprises:
    after receiving verification information indicating that the platform certificate has passed verification, and when the second user identity module is legal, sending the user identity module data to the second user identity module.
  6. The method according to claim 5, wherein the second user identity module certificate is a generic card certificate that is not bound to a mobile network operator.
  7. A user identity module data writing method, applied in a mobile device, comprising:
    reading at least a first card identifier from a first user identity module;
    sending a write card request carrying at least the first card identifier to a card writing platform;
    receiving user identity module data sent by the card writing platform based on the first card identifier; and
    writing the user identity module data into a second user identity module.
  8. The method according to claim 7, wherein an access control execution module is further provided in the mobile device; and
    the reading at least a first card identifier from a first user identity module comprises:
    after the write card application passes the legality verification of the access control execution module, reading at least the first card identifier from the first user identity module through the access control execution module.
  9. A card writing platform, comprising:
    a first receiving unit, configured to receive a write card request sent by a mobile device, wherein the write card request carries at least a first card identifier of a first user identity module in the mobile device;
    an acquiring unit, configured to acquire, according to the first card identifier, user identity information bound to the first user identity module;
    a first sending unit, configured to send user identity module data to a second user identity module in the mobile device; and
    an establishing unit, configured to establish, according to the user identity module data, a binding relationship between the second user identity module and the user identity information.
  10. An electronic device, the electronic device being a mobile device, comprising:
    a reading unit, configured to read at least a first card identifier from a first user identity module;
    a second sending unit, configured to send a write card request carrying at least the first card identifier to a card writing platform;
    a second receiving unit, configured to receive user identity module data acquired by the write card application based on the write card request; and
    a writing unit, configured to write the user identity module data into a second user identity module.
  11. An electronic device, comprising: a transceiver, a memory, a processor, and a computer program stored on the memory and executed by the processor;
    the processor being connected to the transceiver and the memory respectively and configured to implement, by executing the computer program, the user identity module data writing method provided in any one of claims 1 to 6 or 7 to 8.
  12. A computer storage medium storing a computer program which, when executed, is capable of implementing the user identity module data writing method provided in any one of claims 1 to 6 or 7 to 8.
PCT/CN2018/121307 2018-01-08 2018-12-14 Subscriber identity module data writing method, device, platform, and storage medium WO2019134493A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810016587.3 2018-01-08
CN201810016587.3A CN110022552A (en) 2018-01-08 2018-01-08 User identification module method for writing data, equipment, platform and storage medium

Publications (1)

Publication Number Publication Date
WO2019134493A1 true WO2019134493A1 (en) 2019-07-11

Family

ID=67143590

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/121307 WO2019134493A1 (en) 2018-01-08 2018-12-14 Subscriber identity module data writing method, device, platform, and storage medium

Country Status (2)

Country Link
CN (1) CN110022552A (en)
WO (1) WO2019134493A1 (en)

Also Published As

Publication number Publication date
CN110022552A (en) 2019-07-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18898443

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 20/10/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18898443

Country of ref document: EP

Kind code of ref document: A1