CN105873045B - Method for security protection, device, system and the terminal of soft SIM card - Google Patents


Info

Publication number: CN105873045B
Application number: CN201510031137.8A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105873045A (en)
Inventors: 郑庆国, 王小旭
Current Assignee: China Mobile Communications Group Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd
Prior art keywords: sim card, soft sim, terminal, request, identifier
Landscapes: Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a security protection method for a soft SIM card, comprising: after receiving a request to access soft SIM card related information stored in the eMMC Replay Protected Memory Block (RPMB) area, the soft SIM card verifies the legitimacy of the request; after the verification passes, the soft SIM card allows the terminal corresponding to the request to access the soft SIM card related information in the RPMB area. The invention also discloses a security protection device, system and terminal for a soft SIM card.

Description

Security protection method, device, system and terminal for soft SIM card
Technical Field
The present invention relates to the field of wireless communications, and in particular, to a method, an apparatus, a system, and a terminal for security protection of a Subscriber Identity Module (SIM) card.
Background
At present, the Internet of Things field places special requirements on Universal Subscriber Identity Module (USIM) cards. For example, the industrial field needs to adapt to special environmental requirements of high and low temperature, and wearable equipment requires the USIM card to be as small as possible. These requirements make a soft SIM card scheme, which realizes the functions of the USIM card through software, very feasible, but the security of the software and hardware environment of a soft SIM card scheme is much lower than that of a chip-type USIM card.
In order to improve the security of soft SIM cards, a series of solutions are currently emerging, such as the soft SIM card scheme based on ARM TrustZone and the soft SIM card scheme based on built-in dedicated Flash. However, these schemes all require the baseband chip to support TrustZone or to be modified to support built-in dedicated Flash; that is, the baseband chip needs to be modified, and these modifications greatly increase the cost of the chip.
Disclosure of Invention
In order to solve the existing technical problem, embodiments of the present invention provide a method, an apparatus, a system and a terminal for security protection of a soft SIM card.
The embodiment of the invention provides a safety protection method of a soft SIM card, which comprises the following steps:
after receiving a request for accessing the relevant information of the soft SIM card stored in an eMMC (embedded MultiMediaCard) Replay Protected Memory Block (RPMB) region, the soft SIM card verifies the validity of the request;
and after the authentication is passed, the soft SIM card allows the terminal corresponding to the request to access the related information of the soft SIM card in the RPMB region.
In the foregoing solution, before receiving the request, the method further includes:
when the terminal accesses a network, the soft SIM card sends the hardware identifier of the terminal and its own identifier to the network side so as to verify the validity of the terminal;
and after receiving an indication from the network side that the terminal is legal, the soft SIM card enables the terminal to carry out network communication through the soft SIM card.
In the above solution, before verifying the validity of the request, the method further includes:
and the soft SIM card verifies the validity of the request when determining that the terminal is legal according to the stored binding relationship between the terminal where the soft SIM card is located and the soft SIM card.
In the above scheme, the determining that the terminal is legal includes:
and the soft SIM card compares the terminal identification corresponding to the binding relation with the terminal identification corresponding to the request, and when the two are the same, the terminal is determined to be legal.
In the foregoing solution, the verifying the validity of the request includes:
the soft SIM card calculates a Message Authentication Code (MAC) value by using a Secure Hash Algorithm (SHA) according to a Counter (Counter) value and a key (key) value of the eMMC where the soft SIM card is located;
the soft SIM card compares the calculated MAC value with the MAC value carried in the request;
and the soft SIM card determines the legality of the request according to the comparison result.
The embodiment of the invention also provides a safety protection method of the soft SIM card, which comprises the following steps:
when accessing a network, the terminal sends a hardware identifier of the terminal and a corresponding soft SIM card identifier to a network side;
and the network side matches the received terminal hardware identification and the corresponding soft SIM card identification with the terminal hardware identification and the corresponding soft SIM card identification stored in the network side, and allows the terminal to perform network communication through the corresponding soft SIM card when the matching is determined.
In the above solution, the matching of the received terminal hardware identifier and the corresponding soft SIM card identifier with the terminal hardware identifier and the corresponding soft SIM card identifier stored on the network side includes:
the base station sends the received terminal hardware identifier and the corresponding soft SIM card identifier to a Mobility Management Entity (MME);
the MME sends the received terminal hardware identification and the corresponding soft SIM card identification to a Home Subscriber Server (HSS);
the HSS sends the received terminal hardware identification and the corresponding soft SIM card identification to a verification server;
and the verification server matches the received terminal hardware identifier and the corresponding soft SIM card identifier with the terminal hardware identifier and the corresponding soft SIM card identifier stored in the verification server.
In the foregoing solution, allowing the terminal to perform network communication through the corresponding soft SIM card when a match is determined includes:
the verification server feeds back matching success to the HSS when it determines that the received terminal hardware identifier and the corresponding soft SIM card identifier match the terminal hardware identifier and the corresponding soft SIM card identifier stored by the verification server;
the HSS feeds back matching success to the MME; the MME feeds back matching success to the base station;
and after receiving the matching success fed back by the MME, the base station allows the terminal to perform network communication through the corresponding soft SIM card.
The embodiment of the invention also provides a safety protection device of the soft SIM card, which comprises: a first verification unit and an access unit; wherein,
the first verification unit is used for verifying the validity of a request after receiving the request for accessing the soft SIM card related information stored in the eMMC RPMB region;
and the access unit is used for allowing the terminal corresponding to the request to access the relevant information of the soft SIM card in the RPMB region after the authentication is passed.
In the above scheme, the apparatus further comprises: a second verification unit, used for sending the hardware identifier of the terminal and the identifier of the soft SIM card to the network side when the terminal accesses the network, so as to verify the validity of the terminal; and, after receiving an indication from the network side that the terminal is legal, enabling the terminal to carry out network communication through the soft SIM card.
In the above scheme, the apparatus further comprises: a third verification unit, used for triggering the first verification unit to verify the legality of the request when the terminal is determined to be legal according to the stored binding relationship between the terminal where the soft SIM card is located and the soft SIM card.
In the foregoing scheme, the first verification unit is specifically configured to: calculating an MAC value by utilizing SHA according to the Counter value and the key value of the eMMC; comparing the calculated MAC value with the MAC value carried in the request; and determining the validity of the request according to the comparison result.
The embodiment of the invention also provides a terminal, which comprises the safety protection device of the soft SIM card described above.
An embodiment of the present invention further provides a terminal, including: a storage unit and a sending unit; wherein,
the storage unit is used for storing the hardware identifier of the terminal and the corresponding soft SIM card identifier;
and the sending unit is used for sending the stored hardware identifier of the terminal and the corresponding soft SIM card identifier to a network side when the terminal accesses the network.
The embodiment of the invention also provides a security protection system of the soft SIM card, which comprises: a terminal and a network side device; wherein,
the terminal is used for sending a hardware identifier of the terminal and a corresponding soft SIM card identifier to the network side equipment when the terminal is accessed to a network;
and the network side equipment is used for matching the received terminal hardware identifier and the corresponding soft SIM card identifier with the terminal hardware identifier and the corresponding soft SIM card identifier stored in the network side equipment, and allowing the terminal to perform network communication through the corresponding soft SIM card when the matching is determined.
In the foregoing solution, the network side device includes: a base station, an MME, an HSS and a verification server; wherein,
the base station is used for sending the received terminal hardware identifier and the corresponding soft SIM card identifier to the MME, and, after receiving the matching success fed back by the MME, allowing the terminal to perform network communication through the corresponding soft SIM card;
the MME is used for sending the received terminal hardware identifier and the corresponding soft SIM card identifier to the HSS, and, after receiving the matching success fed back by the HSS, feeding back matching success to the base station;
the HSS is used for sending the received terminal hardware identifier and the corresponding soft SIM card identifier to the verification server, and, after receiving the matching success fed back by the verification server, feeding back matching success to the MME;
the verification server is used for matching the received terminal hardware identifier and the corresponding soft SIM card identifier with the terminal hardware identifier and the corresponding soft SIM card identifier stored in the verification server, and, when they match, feeding back matching success to the HSS.
According to the method, the device, the system and the terminal for protecting the soft SIM card, after a request for accessing the related information of the soft SIM card stored in an eMMC RPMB area is received, the soft SIM card verifies the legality of the request; after the verification is passed, the soft SIM card allows the terminal corresponding to the request to access the relevant information of the soft SIM card in the RPMB region. Because the user data and the SIM card information that the soft SIM card needs to store are kept in the RPMB region, malicious theft of sensitive data can be effectively prevented and the application safety of the soft SIM card is improved; no modification of hardware equipment is needed, and the realization cost is low. In addition, when accessing a network, the terminal sends its hardware identifier and the corresponding soft SIM card identifier to the network side; the network side matches the received terminal hardware identifier and the corresponding soft SIM card identifier with the terminal hardware identifier and the corresponding soft SIM card identifier stored on the network side, and allows the terminal to carry out network communication through the corresponding soft SIM card when a match is determined. In this way as well, malicious theft of sensitive data can be effectively prevented, the application safety of the soft SIM card is improved, the hardware equipment does not need to be modified, and the realization cost is low.
Drawings
In the drawings, which are not necessarily drawn to scale, like reference numerals may describe similar components in different views. Like reference numerals having different letter suffixes may represent different examples of similar components. The drawings illustrate generally, by way of example, but not by way of limitation, various embodiments discussed herein.
Fig. 1 is a schematic flow chart of a security protection method for a soft SIM card according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an eMMC architecture according to an embodiment of the invention;
Fig. 3 is a schematic diagram of a memory area of an eMMC according to an embodiment of the invention;
Fig. 4 is an interaction diagram of the devices involved in verifying, through the network side, whether a terminal is legal according to an embodiment of the present invention;
Fig. 5 is a flowchart illustrating a specific process for verifying whether a received request is valid according to an embodiment of the present invention;
Fig. 6 is a schematic flow chart illustrating another security protection method for a soft SIM card according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a security protection device for a soft SIM card according to the second embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a terminal according to the second embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a security protection system for a soft SIM card according to the second embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
The security mechanism based on the eMMC can realize the security protection of the soft SIM card with relatively low cost on the basis of the existing hardware architecture.
At present, soft SIM card schemes, whether based on dedicated Flash or on TrustZone, all need the baseband chip to be changed to support them, so the implementation cost is relatively high. Meanwhile, in recent years intelligent terminals have tended to attach an external Flash chip through eMMC, which supports large-capacity Flash and does not require the terminal manufacturer to adapt to different Flash. In addition, eMMC provides a mechanism capable of protecting one area, so the existing security mechanism of the eMMC in the intelligent terminal can be fully utilized to improve the security of the soft SIM card, and the cost of the eMMC does not need to be increased.
Based on this, in various embodiments of the invention: after receiving a request for accessing the related information of the soft SIM card stored in the eMMC RPMB area, the soft SIM card verifies the legality of the request; and after the authentication is passed, the soft SIM card allows the terminal corresponding to the request to access the related information of the soft SIM card in the RPMB region.
Example one
The security protection method of the soft SIM card of the present embodiment, as shown in fig. 1, includes the following steps:
Step 101: after receiving a request for accessing the related information of the soft SIM card stored in the eMMC RPMB area, the soft SIM card verifies the legality of the request;
here, the information related to the soft SIM card may include: user data and SIM card data.
As shown in fig. 2, all current intelligent terminals tend to interface Flash based on eMMC, do not need to adapt to Flash, and can support large-capacity Flash.
As shown in fig. 3, in the storage area of the eMMC external Flash, the RPMB area is a protected area, so that user data and SIM card data that the soft SIM card needs to store can be protected in the RPMB area, thereby preventing malicious theft of sensitive data.
Here, for the sensitive data (such as the secret key) in the user data, the hardware information of the terminal (such as the serial number of the terminal ARM chip or the International Mobile Equipment Identity (IMEI) of the terminal) may be used as the encryption factor to further encrypt and protect the sensitive data, and accordingly, after the encrypted data are obtained, the sensitive data are obtained after being decrypted by using the corresponding encryption factor, so that the security of the application of the soft SIM card can be further ensured.
Before performing this step, the method may further include:
when the terminal accesses a network, the soft SIM card sends a hardware identifier of the terminal and a self identifier to a network side so as to verify the validity of the terminal;
and after receiving the indication that the terminal on the network side is legal, the soft SIM card enables the terminal to carry out network communication through the soft SIM card.
The hardware identifier of the terminal may be the IMEI, etc.; the identifier of the soft SIM card may be an International Mobile Subscriber Identity (IMSI), etc. As shown in fig. 4, when data is opened, the soft SIM card reports its identifier and the hardware identifier of the terminal where the soft SIM card is located to the network side through a short message, and the verification server of the network side stores the corresponding relationship between the hardware identifier of the terminal and the identifier of the soft SIM card; thereafter the corresponding relationship, and hence the binding relationship, can be changed only through a manual channel. Each time the terminal restarts and accesses the network, the access request (Attach_request) carries the IMEI and the IMSI, and after receiving the request, the network side determines whether the terminal is legal by querying the corresponding relationship between the IMEI and the IMSI.
Specifically, after receiving an access request carrying the IMEI and the IMSI of a terminal, the base station (eNodeB) sends the access request to the MME; after receiving the access request, the MME sends a query request containing the IMEI and the IMSI to the HSS; after receiving the query request, the HSS sends the query request to the verification server; after receiving the query request, the verification server matches the corresponding relationship between the IMEI and the IMSI stored in the verification server against the IMEI and the IMSI in the query request, and returns the matching result to the HSS; the HSS returns the matching result to the MME; and the MME returns the matching result to the terminal (soft SIM card) through the base station. If the IMEI corresponding to the IMSI is the same, the matching result is success: the terminal is legal and can carry out network communication through the soft SIM card. If the IMEI corresponding to the IMSI is different, the matching result is failure: the terminal is illegal and cannot carry out network communication through the soft SIM card.
Before performing this step, the method may further include:
binding the terminal where the soft SIM card is located with the SIM card;
accordingly, before verifying the validity of the request, the method may further include:
and the soft SIM card verifies the legality of the request when determining that the terminal corresponding to the request is legal according to the stored binding relationship between the terminal where the soft SIM card is located and the soft SIM card.
The determining that the terminal corresponding to the request is legal specifically includes:
and the soft SIM card compares the terminal identification corresponding to the binding relationship with the terminal identification corresponding to the request; if the two are the same, the terminal corresponding to the request is determined to be legal; if they are different, the terminal corresponding to the request is determined to be illegal, and the request is rejected.
The verifying the validity of the request, as shown in fig. 5, specifically includes:
Step 1: the soft SIM card calculates the MAC value using SHA (such as SHA-256) according to the Counter value and the key value of the eMMC in which the soft SIM card is located;
here, an external program that accesses the user data uses the Key value and the Counter value to calculate a MAC value with the same SHA (for example, SHA-256) as the soft SIM card before sending the request to the soft SIM card, and carries the calculated MAC value in the request.
Step 2: the soft SIM card compares the calculated MAC value with the MAC value carried in the request;
Step 3: the soft SIM card determines the legality of the request according to the comparison result.
Specifically, when the two are the same, the request is legal; when the two are different, the request is not legal.
And when the request is illegal, the soft SIM card does not allow the terminal corresponding to the request to access the relevant information of the soft SIM card in the RPMB region.
Step 102: and after the authentication is passed, the soft SIM card allows the terminal corresponding to the request to access the related information of the soft SIM card in the RPMB region.
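The gate described in steps 101 and 102 (binding check, then MAC check, then access), as an added Python example that is not code from the patent. The text only says the MAC is computed with SHA from the Counter and key values; the sketch assumes HMAC-SHA-256 over the counter plus the request fields, a constant-time comparison, and a counter that advances on every accepted request. All names, identifiers and stored values are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    terminal_id: str  # hardware identifier of the requesting terminal (e.g. IMEI)
    item: str         # name of the soft SIM record being requested
    mac: bytes        # MAC computed by the caller before sending the request


def compute_mac(key: bytes, counter: int, terminal_id: str, item: str) -> bytes:
    """MAC over Counter and request fields.

    Assumption: HMAC-SHA-256 with a length-prefixed terminal id, so that
    two different (terminal_id, item) pairs can never encode to the same bytes.
    """
    tid = terminal_id.encode()
    msg = struct.pack(">I", counter) + struct.pack(">H", len(tid)) + tid + item.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_request(key: bytes, counter: int, terminal_id: str, item: str) -> AccessRequest:
    """Caller side: compute the MAC with the shared Key and the current Counter."""
    return AccessRequest(terminal_id, item, compute_mac(key, counter, terminal_id, item))


class SoftSimGate:
    """Soft SIM side: decides whether a request may read the protected records."""

    def __init__(self, key: bytes, bound_terminal_id: str, records: dict):
        self._key = key
        self._bound = bound_terminal_id   # stored terminal/soft SIM binding
        self._records = dict(records)     # stands in for data kept in the RPMB area
        self.counter = 0                  # stands in for the eMMC Counter value

    def handle(self, req: AccessRequest):
        # Binding check first: a request from any other terminal is rejected.
        if not hmac.compare_digest(req.terminal_id.encode(), self._bound.encode()):
            return False, "terminal not bound"
        # Step 1: recompute the MAC from the Counter and key values.
        expected = compute_mac(self._key, self.counter, req.terminal_id, req.item)
        # Steps 2 and 3: compare in constant time and decide.
        if not hmac.compare_digest(expected, req.mac):
            return False, "MAC mismatch"
        # Assumption: advancing the counter makes a captured request useless later.
        self.counter += 1
        # Step 102: access is allowed only after verification has passed.
        return True, self._records.get(req.item)


if __name__ == "__main__":
    KEY = bytes(range(32))        # constructed sample key
    IMEI = "000000000000001"      # constructed sample identifier
    gate = SoftSimGate(KEY, IMEI, {"imsi": "001010000000001"})
    req = build_request(KEY, gate.counter, IMEI, "imsi")
    print(gate.handle(req))       # accepted
    print(gate.handle(req))       # same bytes replayed: rejected
```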
In actual application, a scheme of verifying whether the terminal is legal through the network side may be separately adopted, and based on this, the embodiment further provides another security protection method for the soft SIM card, as shown in fig. 6, the method includes the following steps:
step 601: when accessing a network, the terminal sends a hardware identifier of the terminal and a corresponding soft SIM card identifier to a network side;
specifically, the terminal may carry its own hardware identifier and a corresponding soft SIM card identifier through the access request.
The hardware identifier of the terminal may be: IMEI, etc.; the identity of the soft SIM card may be IMSI or the like.
Step 602: and the network side matches the received terminal hardware identification and the corresponding soft SIM card identification with the terminal hardware identification and the corresponding soft SIM card identification stored in the network side, and allows the terminal to perform network communication through the corresponding soft SIM card when the matching is determined.
Specifically, the base station sends the received terminal hardware identifier and the corresponding soft SIM card identifier to the mobility management entity MME;
the MME sends the received terminal hardware identification and the corresponding soft SIM card identification to a Home Subscriber Server (HSS);
the HSS sends the received terminal hardware identification and the corresponding soft SIM card identification to a verification server;
and the verification server matches the received terminal hardware identifier and the corresponding soft SIM card identifier with the terminal hardware identifier and the corresponding soft SIM card identifier stored in the verification server.
Here, when the verification server determines that the received terminal hardware identifier and the corresponding soft SIM card identifier match with the terminal hardware identifier and the corresponding soft SIM card identifier stored in itself, it feeds back a successful matching to the HSS;
the HSS feeds back successful matching to the MME; the MME feeds back matching success to the base station;
and after receiving the matching success fed back by the MME, the base station allows the terminal to perform network communication through the corresponding soft SIM card.
In practical application, as shown in fig. 4, when data is opened, the soft SIM card reports its identifier and the hardware identifier of the terminal where the soft SIM card is located to the network side through a short message, and the verification server on the network side stores the corresponding relationship between the hardware identifier of the terminal and the identifier of the soft SIM card; thereafter the corresponding relationship, and hence the binding relationship, can be changed only through a manual channel. Each time the terminal restarts and accesses the network, the access request (Attach_request) carries the IMEI and the IMSI, and after receiving the request, the network side determines whether the terminal is legal by querying the corresponding relationship between the IMEI and the IMSI.
After receiving an access request carrying the IMEI and the IMSI of a terminal, the base station (eNodeB) sends the access request to the MME; after receiving the access request, the MME sends a query request containing the IMEI and the IMSI to the HSS; after receiving the query request, the HSS sends the query request to the verification server; after receiving the query request, the verification server matches the corresponding relationship between the IMEI and the IMSI stored in the verification server against the IMEI and the IMSI in the query request, and returns the matching result to the HSS; the HSS returns the matching result to the MME; and the MME returns the matching result to the terminal through the base station. If the IMEI corresponding to the IMSI is the same, the matching result is success: the terminal is legal and can carry out network communication through the soft SIM card. If the IMEI corresponding to the IMSI is different, the matching result is failure: the terminal is illegal and cannot carry out network communication through the soft SIM card.
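The network-side check of steps 601 and 602, as an added Python example that is not code from the patent: the binding is created by the first short-message report, can afterwards be changed only through the manual channel, and every access request is relayed eNodeB, MME, HSS, verification server. Class and method names, the rejection log and all identifiers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttachRequest:
    imei: str  # terminal hardware identifier
    imsi: str  # soft SIM card identifier


class VerificationServer:
    """Holds the IMSI -> IMEI correspondence and answers match queries."""

    def __init__(self):
        self._imei_by_imsi = {}
        self.rejections = []  # (imsi, imei, reason) tuples for later review

    def report_by_sms(self, imsi: str, imei: str) -> bool:
        """Report sent by the soft SIM when data is opened.

        Only the first report for an IMSI creates a binding; a later report
        never overwrites it, so a copied soft SIM cannot re-bind itself.
        """
        if imsi in self._imei_by_imsi:
            return False
        self._imei_by_imsi[imsi] = imei
        return True

    def change_manually(self, imsi: str, new_imei: str) -> None:
        """Manual channel (assumed to be operator-authenticated out of band)."""
        if imsi not in self._imei_by_imsi:
            raise KeyError(imsi)
        self._imei_by_imsi[imsi] = new_imei

    def match(self, imsi: str, imei: str) -> bool:
        bound = self._imei_by_imsi.get(imsi)
        ok = bound is not None and bound == imei  # unknown IMSI fails closed
        if not ok:
            reason = "unknown IMSI" if bound is None else "IMEI differs from binding"
            self.rejections.append((imsi, imei, reason))
        return ok


class HSS:
    def __init__(self, server: VerificationServer):
        self._server = server

    def query(self, imsi: str, imei: str) -> bool:
        # Forwards the query request and relays the matching result.
        return self._server.match(imsi, imei)


class MME:
    def __init__(self, hss: HSS):
        self._hss = hss

    def on_attach(self, req: AttachRequest) -> bool:
        # Builds the query request containing the IMEI and the IMSI.
        return self._hss.query(req.imsi, req.imei)


class ENodeB:
    def __init__(self, mme: MME):
        self._mme = mme

    def attach(self, req: AttachRequest) -> bool:
        """True means the terminal may communicate through the soft SIM card."""
        return self._mme.on_attach(req)


if __name__ == "__main__":
    vs = VerificationServer()
    enb = ENodeB(MME(HSS(vs)))
    vs.report_by_sms("001010000000001", "000000000000001")          # constructed ids
    print(enb.attach(AttachRequest("000000000000001", "001010000000001")))  # bound pair
    print(enb.attach(AttachRequest("000000000000002", "001010000000001")))  # other terminal
    print(vs.rejections)
```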
In the security protection method for the soft SIM card provided in this embodiment, after receiving a request for accessing the soft SIM card related information stored in the eMMC RPMB area, the soft SIM card verifies the validity of the request; after the verification is passed, the soft SIM card allows the terminal corresponding to the request to access the relevant information of the soft SIM card in the RPMB region. Because the user data and the SIM card information that the soft SIM card needs to store are kept in the RPMB region, malicious theft of sensitive data can be effectively prevented, and the application safety of the soft SIM card is improved. Moreover, the hardware cost is not increased during implementation.
In addition, when the terminal accesses the network, the soft SIM card sends the hardware identifier of the terminal and the identifier of the soft SIM card to a network side so as to verify the validity of the terminal; after receiving the indication that the terminal is legal from the network side, the soft SIM card enables the terminal to perform network communication through the soft SIM card and perform unified management on the terminal through the network side, so that the soft SIM card has good manageability and can further ensure the application safety of the soft SIM card.
And the soft SIM card verifies the legality of the request when determining that the terminal corresponding to the request is legal according to the stored binding relationship between the terminal where the soft SIM card is located and the soft SIM card, so that the application safety of the soft SIM card can be further ensured.
Example two
To implement the method of the first embodiment, this embodiment provides a security protection apparatus for a soft SIM card, as shown in fig. 7, the apparatus may include: a first verification unit 71 and an access unit 72; wherein,
the first verification unit 71 is configured to verify validity of a request after receiving the request for accessing the soft SIM card related information stored in the eMMC RPMB area;
the access unit 72 is configured to allow the terminal corresponding to the request to access the information related to the soft SIM card in the RPMB area after the authentication is passed.
Here, the information related to the soft SIM card may include: user data and SIM card data.
As shown in fig. 2, all current intelligent terminals tend to interface Flash based on eMMC, do not need to adapt to Flash, and can support large-capacity Flash.
As shown in fig. 3, in the storage area of the eMMC external Flash, the RPMB area is a protected area, so that user data and SIM card data that the soft SIM card needs to store can be protected in the RPMB area, thereby preventing malicious theft of sensitive data.
For the sensitive data in the user data, the hardware information of the terminal (for example, the serial number of the terminal ARM chip or the IMEI of the terminal, etc.) can be used as an encryption factor to further encrypt and protect the sensitive data, and accordingly, after the encrypted data are obtained, the sensitive data are obtained after being decrypted by adopting the corresponding encryption factor, so that the application security of the soft SIM card can be further ensured.
The apparatus may further include a second verification unit, configured to send the hardware identifier of the terminal and the identifier of the soft SIM card to the network side when the terminal accesses the network, so as to verify the validity of the terminal; after the indication from the network side that the terminal is legal is received, the terminal performs network communication through the soft SIM card.
The hardware identifier of the terminal may be the IMEI, etc.; the identifier of the soft SIM card may be the IMSI, etc. As shown in fig. 4, when the data is opened, the soft SIM card reports its identifier and the hardware identifier of the terminal where it is located to the network side through a short message, and the verification server of the network side stores the correspondence between the hardware identifier of the terminal and the identifier of the soft SIM card; after that, the correspondence, that is, the binding relationship, can be changed only through a manual channel. Each time the terminal restarts and accesses the network, the access request (Attach_request) carries the IMEI and the IMSI; after receiving the request, the network side determines whether the terminal is legal by querying the correspondence between the IMEI and the IMSI.
Specifically, after receiving the access request carrying the IMEI and the IMSI sent by the second verification unit, the eNodeB sends the access request to the MME; after receiving the access request, the MME sends a query request containing the IMEI and the IMSI to the HSS; after receiving the query request, the HSS sends the query request to the verification server; after receiving the query request, the verification server matches the correspondence between the IMEI and the IMSI stored in the verification server against the IMEI and the IMSI in the query request, and returns a matching result to the HSS; the HSS returns the matching result to the MME; and the MME returns the matching result to the second verification unit through the base station. If the IMEI corresponding to the IMSI is the same, the matching result is a success, which indicates that the terminal is legal and can perform network communication through the soft SIM card; if the IMEI corresponding to the IMSI is different, the matching result is a failure, which indicates that the terminal is illegal and cannot perform network communication through the soft SIM card.
The apparatus may further include a third verification unit, configured to trigger the first verification unit 71 to verify the validity of the request when it determines, according to the stored binding relationship between the soft SIM card and the terminal where the soft SIM card is located, that the terminal corresponding to the request is legal.
Determining that the terminal corresponding to the request is legal specifically includes:
comparing the terminal identifier in the binding relationship with the terminal identifier corresponding to the request; if the two are the same, the terminal corresponding to the request is determined to be legal; if the two are not the same, the terminal corresponding to the request is determined to be illegal and the request is rejected.
Verifying the validity of the request, as shown in fig. 5, specifically includes:
Step 1: the first verification unit 71 calculates a MAC value using SHA (for example, SHA-256) from the Counter value and the key value of the eMMC in which the first verification unit is located;
here, before an external program that accesses the user data sends the request to the soft SIM card, it calculates a MAC value from the Key value and the Counter value using the same SHA (for example, SHA-256) as the soft SIM card, and carries the calculated MAC value in the request.
Step 2: the first verification unit 71 compares the calculated MAC value with the MAC value carried in the request;
Step 3: the first verification unit 71 determines the validity of the request according to the comparison result.
Specifically, when the two are the same, the request is legal; when the two are different, the request is not legal.
When the request is not legal, the terminal corresponding to the request is not allowed to access the soft SIM card related information in the RPMB area.
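The layered check described above (the third verification unit's binding comparison, then the first verification unit's three MAC steps), as an added example that is not code from the patent. The text says only that the MAC is computed with SHA from the Counter and key values; the use of HMAC-SHA-256, the inclusion of the terminal identifier and record name in the MAC, the counter advancing after each accepted request, and every class, function and sample value below are assumptions of this example.

```python
import hashlib
import hmac
import struct


def request_mac(key: bytes, counter: int, terminal_id: str, record: str) -> bytes:
    """MAC for one access request.

    Assumption of this example: HMAC-SHA-256 keyed with the shared key, over
    the 32-bit counter plus length-prefixed request fields, so the MAC is tied
    to one counter value, one terminal and one record.
    """
    msg = struct.pack(">I", counter)
    for field in (terminal_id.encode(), record.encode()):
        msg += struct.pack(">H", len(field)) + field
    return hmac.new(key, msg, hashlib.sha256).digest()


class SoftSimGate:
    """Hypothetical model of the device in fig. 7 (names are not from the patent)."""

    def __init__(self, key: bytes, bound_terminal_id: str, records: dict):
        self._key = key
        self._bound_terminal_id = bound_terminal_id
        self._records = dict(records)   # stands in for data held in the RPMB area
        self._counter = 0               # stands in for the eMMC Counter value

    def read_counter(self) -> int:
        """A caller reads the current counter before building its request."""
        return self._counter

    def handle(self, terminal_id: str, record: str, mac: bytes):
        """Return (status, data); data is None unless status == "ok"."""
        # Third verification unit: the requesting terminal must be the bound one.
        if not hmac.compare_digest(terminal_id.encode(),
                                   self._bound_terminal_id.encode()):
            return ("rejected: terminal not bound", None)
        # Step 1: compute the MAC from the card's own counter and key.
        expected = request_mac(self._key, self._counter, terminal_id, record)
        # Steps 2 and 3: a constant-time comparison decides validity.
        if not hmac.compare_digest(expected, mac):
            return ("rejected: MAC mismatch", None)
        # Assumption: the counter advances after every accepted request, so a
        # MAC that was just accepted no longer verifies if it is sent again.
        self._counter += 1
        if record not in self._records:
            return ("rejected: no such record", None)
        return ("ok", self._records[record])


def demo():
    key = bytes(range(32))                 # constructed 32-byte key
    imei = "490154203237518"               # constructed terminal identifier
    gate = SoftSimGate(key, imei, {"sim_data": b"constructed-sim-record"})
    results = {}

    good = request_mac(key, gate.read_counter(), imei, "sim_data")
    results["valid"] = gate.handle(imei, "sim_data", good)
    # Same bytes again: the counter has moved on, so the old MAC fails.
    results["replayed"] = gate.handle(imei, "sim_data", good)

    other = "490154203237526"              # constructed identifier of another terminal
    other_mac = request_mac(key, gate.read_counter(), other, "sim_data")
    results["other_terminal"] = gate.handle(other, "sim_data", other_mac)

    wrong_key = request_mac(b"\x00" * 32, gate.read_counter(), imei, "sim_data")
    results["wrong_key"] = gate.handle(imei, "sim_data", wrong_key)
    results["counter"] = gate.read_counter()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```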
In practical application, the second verification unit may be implemented by a Central Processing Unit (CPU), a Microcontroller Unit (MCU), a Digital Signal Processor (DSP), or a Field-Programmable Gate Array (FPGA) in the security protection device of the soft SIM card in combination with a transceiver; the first verification unit 71, the access unit 72, and the third verification unit may be implemented by a CPU, an MCU, a DSP, or an FPGA in the security protection device of the soft SIM card.
In the security protection device for a soft SIM card provided in this embodiment, after receiving a request for accessing the soft SIM card related information stored in the eMMC RPMB area, the first verification unit 71 verifies the validity of the request; after the verification is passed, the access unit 72 allows the terminal corresponding to the request to access the soft SIM card related information in the RPMB area. Because the user data and SIM card information that the soft SIM card needs to store are stored in the RPMB area, malicious stealing of sensitive data can be effectively prevented, and the application security of the soft SIM card is improved. Moreover, implementation does not increase hardware cost.
In addition, when the terminal accesses the network, the second verification unit sends the hardware identifier of the terminal and the identifier of the soft SIM card to the network side so as to verify the validity of the terminal; after the indication from the network side that the terminal is legal is received, the terminal performs network communication through the soft SIM card, so the application security of the soft SIM card can be further ensured.
Furthermore, the validity of the request is verified only when the third verification unit determines, according to the stored binding relationship between the soft SIM card and the terminal where the soft SIM card is located, that the terminal corresponding to the request is legal, and terminals are managed uniformly through the network side, which provides good manageability and further ensures the application security of the soft SIM card.
Based on the above device, this embodiment further provides a terminal, where the terminal includes the basic structure of the security protection device for the soft SIM card shown in fig. 7 and various modifications and equivalent replacements thereof, which are not described in detail.
In order to implement the method of this embodiment, this embodiment further provides another terminal, as shown in fig. 8, where the terminal includes a storage unit 81 and a sending unit 82, wherein:
the storage unit 81 is configured to store a hardware identifier of the terminal and a corresponding soft SIM card identifier;
the sending unit 82 is configured to send the stored hardware identifier of the terminal and the corresponding soft SIM card identifier to a network side when the terminal accesses a network; and the hardware identifier of the terminal and the corresponding soft SIM card identifier are used for verifying the legality of the terminal.
In practical applications, the storage unit 81 may be implemented by a memory in the terminal; the sending unit 82 may be implemented by a transmitter in the terminal.
To implement the method of this embodiment, this embodiment further provides a security protection system for a soft SIM card, as shown in fig. 9, where the system includes a terminal 91 and a network-side device 92, wherein:
the terminal 91 is configured to send the hardware identifier of the terminal and the corresponding soft SIM card identifier to the network-side device 92 when accessing a network;
the network-side device 92 is configured to match the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier stored in the network-side device, and to allow the terminal 91 to perform network communication through the corresponding soft SIM card when a match is determined.
Here, the terminal 91 may carry its own hardware identifier and a corresponding soft SIM card identifier through the access request.
The hardware identifier of the terminal 91 may be: IMEI, etc.; the identity of the soft SIM card may be IMSI or the like.
The network-side device 92 may include a base station, an MME, an HSS and a verification server, wherein:
the base station is used for sending the received terminal hardware identifier and the corresponding soft SIM card identifier to the MME, and, after receiving the matching success fed back by the MME, allowing the terminal to perform network communication through the corresponding soft SIM card;
the MME is used for sending the received terminal hardware identifier and the corresponding soft SIM card identifier to the HSS, and, after receiving the matching success fed back by the HSS, feeding back the matching success to the base station;
the HSS is used for sending the received terminal hardware identifier and the corresponding soft SIM card identifier to the verification server, and, after receiving the matching success fed back by the verification server, feeding back the matching success to the MME;
the verification server is used for matching the received terminal hardware identifier and the corresponding soft SIM card identifier against the terminal hardware identifier and the corresponding soft SIM card identifier stored in the verification server, and, when they match, feeding back the matching success to the HSS.
In practical application, as shown in fig. 4, when data is opened, the soft SIM card reports its identifier and the hardware identifier of the terminal where it is located to the network side through a short message, and the verification server on the network side stores the correspondence between the hardware identifier of the terminal and the identifier of the soft SIM card; after that, the correspondence, that is, the binding relationship, can be changed only through a manual channel. Each time the terminal 91 restarts and accesses the network, the access request (Attach_request) carries the IMEI and the IMSI; after receiving the request, the network side determines whether the terminal 91 is legal by querying the correspondence between the IMEI and the IMSI.
After receiving an access request carrying the IMEI and the IMSI of the terminal 91, the base station (eNodeB) sends the access request to the MME; after receiving the access request, the MME sends a query request containing the IMEI and the IMSI to the HSS; after receiving the query request, the HSS sends the query request to the verification server; after receiving the query request, the verification server matches the correspondence between the IMEI and the IMSI stored in the verification server against the IMEI and the IMSI in the query request, and returns a matching result to the HSS; the HSS returns the matching result to the MME; and the MME returns the matching result to the terminal through the base station. If the IMEI corresponding to the IMSI is the same, the matching result is a success, which indicates that the terminal 91 is legal and can perform network communication through the soft SIM card; if the IMEI corresponding to the IMSI is different, the matching result is a failure, which indicates that the terminal 91 is illegal and cannot perform network communication through the soft SIM card.
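The verification server's side of the IMEI/IMSI binding, which both the second verification unit passage and this system embodiment rely on, as an added example that is not code from the patent. The eNodeB, MME and HSS only relay the query and the result, so they are omitted; the class and method names, the event log, the requirement for an operator identity on manual changes, and all identifier values are assumptions of this example.

```python
class VerificationServer:
    """Hypothetical model of the verification server's binding table."""

    def __init__(self):
        self._bindings = {}     # IMSI -> IMEI
        self.events = []        # assumption: mismatches are recorded for review

    def report_at_opening(self, imsi: str, imei: str) -> bool:
        """Handle the short-message report sent when the data is opened.

        The first report creates the binding. A later report never overwrites
        it, because the text allows changes only through a manual channel.
        """
        if imsi in self._bindings:
            if self._bindings[imsi] != imei:
                self.events.append(("rebind-attempt", imsi, imei))
            return self._bindings[imsi] == imei
        self._bindings[imsi] = imei
        return True

    def manual_change(self, imsi: str, new_imei: str, operator: str) -> None:
        """The only path that may change an existing binding (manual channel)."""
        if not operator:
            raise PermissionError("binding changes require an identified operator")
        self.events.append(("manual-change", imsi, new_imei, operator))
        self._bindings[imsi] = new_imei

    def match(self, imsi: str, imei: str) -> bool:
        """Answer the HSS query for one Attach_request; unknown IMSI fails closed."""
        bound = self._bindings.get(imsi)
        ok = bound is not None and bound == imei
        if not ok:
            self.events.append(("attach-mismatch", imsi, imei))
        return ok


def demo_binding():
    imsi = "001010123456789"      # constructed IMSI
    phone_a = "490154203237518"   # constructed IMEI of the bound terminal
    phone_b = "490154203237526"   # constructed IMEI of a second terminal
    srv = VerificationServer()
    out = {}
    out["opened"] = srv.report_at_opening(imsi, phone_a)
    out["attach_a"] = srv.match(imsi, phone_a)
    # Same IMSI presented from a different terminal: rejected and logged.
    out["attach_b"] = srv.match(imsi, phone_b)
    # A second short-message report must not move the binding.
    out["sms_rebind"] = srv.report_at_opening(imsi, phone_b)
    out["attach_b_after_sms"] = srv.match(imsi, phone_b)
    out["unknown_imsi"] = srv.match("001010000000000", phone_a)
    # Only the manual channel changes the binding.
    srv.manual_change(imsi, phone_b, operator="constructed-operator-id")
    out["attach_b_after_manual"] = srv.match(imsi, phone_b)
    out["attach_a_after_manual"] = srv.match(imsi, phone_a)
    out["mismatch_events"] = sum(1 for e in srv.events if e[0] == "attach-mismatch")
    return out


if __name__ == "__main__":
    for name, outcome in demo_binding().items():
        print(name, outcome)
```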
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (14)

1. A security protection method for a soft SIM card is characterized by comprising the following steps:
after receiving a request for accessing the soft SIM card related information stored in an eMMC replay protection memory block (RPMB) region, the soft SIM card verifies the legality of the request;
after the verification is passed, the soft SIM card allows the terminal corresponding to the request to access the relevant information of the soft SIM card in the RPMB region;
wherein the verifying the validity of the request comprises:
the soft SIM card calculates a message authentication code (MAC) value by using a secure hash algorithm (SHA) according to a Counter value and a key value of the eMMC where the soft SIM card is located;
the soft SIM card compares the calculated MAC value with the MAC value carried in the request;
and the soft SIM card determines the legality of the request according to the comparison result.
2. The method of claim 1, wherein prior to receiving the request, the method further comprises:
when the terminal accesses a network, the soft SIM card sends a hardware identifier of the terminal and a self identifier to a network side so as to verify the validity of the terminal;
and after receiving the indication from the network side that the terminal is legal, the soft SIM card enables the terminal to carry out network communication through the soft SIM card.
3. The method of claim 1, wherein prior to said verifying the legitimacy of the request, the method further comprises:
and the soft SIM card verifies the validity of the request when determining that the terminal is legal according to the stored binding relationship between the terminal where the soft SIM card is located and the soft SIM card.
4. The method of claim 3, wherein the determining that the terminal is legitimate is:
the soft SIM card compares the terminal identifier in the binding relationship with the terminal identifier corresponding to the request, and when the two are the same, the terminal is determined to be legal.
5. A security protection method for a soft SIM card is characterized by comprising the following steps:
when accessing a network, the terminal sends a hardware identifier of the terminal and a corresponding soft SIM card identifier to a network side;
the network side matches the received terminal hardware identifier and the corresponding soft SIM card identifier against the terminal hardware identifier and the corresponding soft SIM card identifier stored in the network side, and when a match is determined, the terminal is allowed to carry out network communication through the corresponding soft SIM card, so that the terminal sends to the soft SIM card a request for accessing the soft SIM card related information stored in an eMMC replay protection memory block (RPMB) area; the request is used by the soft SIM card to verify the validity of the request, and after the verification is passed, the soft SIM card allows the terminal corresponding to the request to access the related information of the soft SIM card in the RPMB region;
wherein the verifying the validity of the request comprises:
the soft SIM card calculates a message authentication code (MAC) value by using a secure hash algorithm (SHA) according to a Counter value and a key value of the eMMC where the soft SIM card is located;
the soft SIM card compares the calculated MAC value with the MAC value carried in the request;
and the soft SIM card determines the legality of the request according to the comparison result.
6. The method of claim 5, wherein the matching of the received terminal hardware identifier and the corresponding soft SIM card identifier against the terminal hardware identifier and the corresponding soft SIM card identifier stored in the network side comprises:
the base station sends the received terminal hardware identifier and the corresponding soft SIM card identifier to a mobility management entity (MME);
the MME sends the received terminal hardware identifier and the corresponding soft SIM card identifier to a Home Subscriber Server (HSS);
the HSS sends the received terminal hardware identification and the corresponding soft SIM card identification to a verification server;
and the verification server matches the received terminal hardware identifier and the corresponding soft SIM card identifier with the terminal hardware identifier and the corresponding soft SIM card identifier stored in the verification server.
7. The method of claim 6, wherein, when the match is determined, allowing the terminal to perform network communication via the corresponding soft SIM card comprises:
the verification server feeds back the matching success to the HSS when determining that the received terminal hardware identifier and the corresponding soft SIM card identifier match the terminal hardware identifier and the corresponding soft SIM card identifier stored by the verification server;
the HSS feeds back the matching success to the MME; the MME feeds back the matching success to the base station;
and after receiving the matching success fed back by the MME, the base station allows the terminal to perform network communication through the corresponding soft SIM card.
8. A security protection device for a soft SIM card, the device comprising: a first verification unit and an access unit; wherein,
the first verification unit is used for verifying the validity of a request after receiving the request for accessing the soft SIM card related information stored in the eMMC RPMB region;
the access unit is used for allowing the terminal corresponding to the request to access the relevant information of the soft SIM card in the RPMB region after the verification is passed;
the first verification unit is specifically configured to: calculate a MAC value by using SHA according to the Counter value and the key value of the eMMC; compare the calculated MAC value with the MAC value carried in the request; and determine the validity of the request according to the comparison result.
9. The apparatus of claim 8, further comprising: a second verification unit, used for sending the hardware identifier of the terminal and the identifier of the soft SIM card to a network side when the terminal accesses the network, so as to verify the validity of the terminal; and after the indication from the network side that the terminal is legal is received, the terminal carries out network communication through the soft SIM card.
10. The apparatus of claim 8, further comprising: a third verification unit, used for triggering the first verification unit to verify the legality of the request when the terminal is determined to be legal according to the stored binding relationship between the terminal where the soft SIM card is located and the soft SIM card.
11. A terminal characterized in that it comprises a security protection device for a soft SIM card according to any one of claims 8 to 10.
12. A terminal, characterized in that the terminal comprises: a storage unit and a sending unit; wherein,
the storage unit is used for storing the hardware identifier of the terminal and the corresponding soft SIM card identifier;
the sending unit is used for sending the stored hardware identifier of the terminal and the corresponding soft SIM card identifier to a network side when the terminal accesses the network; the hardware identifier of the terminal and the corresponding soft SIM card identifier are used for verifying the legality of the terminal, and when the terminal is determined to be legal, the terminal is allowed to perform network communication through the corresponding soft SIM card, so that the terminal sends to the soft SIM card a request for accessing the soft SIM card related information stored in an eMMC replay protection memory block (RPMB) area; the request is used by the soft SIM card to verify the validity of the request, and after the verification is passed, the soft SIM card allows the terminal corresponding to the request to access the related information of the soft SIM card in the RPMB region;
wherein the verifying the validity of the request comprises:
the soft SIM card calculates a message authentication code (MAC) value by using a secure hash algorithm (SHA) according to a Counter value and a key value of the eMMC where the soft SIM card is located;
the soft SIM card compares the calculated MAC value with the MAC value carried in the request;
and the soft SIM card determines the legality of the request according to the comparison result.
13. A system for securing a soft SIM card, the system comprising: a terminal and a network side device; wherein,
the terminal is used for sending a hardware identifier of the terminal and a corresponding soft SIM card identifier to the network side equipment when the terminal is accessed to a network;
the network side device is configured to match the received terminal hardware identifier and the corresponding soft SIM card identifier against a terminal hardware identifier and a corresponding soft SIM card identifier stored in the network side device, and, when a match is determined, allow the terminal to perform network communication via the corresponding soft SIM card, so that the terminal sends to the soft SIM card a request for accessing the soft SIM card related information stored in an eMMC replay protection memory block (RPMB) area; the request is used by the soft SIM card to verify the validity of the request, and after the verification is passed, the soft SIM card allows the terminal corresponding to the request to access the related information of the soft SIM card in the RPMB region;
wherein the verifying the validity of the request comprises:
the soft SIM card calculates a message authentication code (MAC) value by using a secure hash algorithm (SHA) according to a Counter value and a key value of the eMMC where the soft SIM card is located;
the soft SIM card compares the calculated MAC value with the MAC value carried in the request;
and the soft SIM card determines the legality of the request according to the comparison result.
14. The system according to claim 13, wherein the network side device comprises: a base station, an MME, an HSS and a verification server; wherein,
the base station is used for sending the received terminal hardware identifier and the corresponding soft SIM card identifier to the MME, and, after receiving the matching success fed back by the MME, allowing the terminal to perform network communication through the corresponding soft SIM card;
the MME is used for sending the received terminal hardware identifier and the corresponding soft SIM card identifier to the HSS, and, after receiving the matching success fed back by the HSS, feeding back the matching success to the base station;
the HSS is used for sending the received terminal hardware identifier and the corresponding soft SIM card identifier to the verification server, and, after receiving the matching success fed back by the verification server, feeding back the matching success to the MME;
the verification server is used for matching the received terminal hardware identifier and the corresponding soft SIM card identifier against the terminal hardware identifier and the corresponding soft SIM card identifier stored in the verification server, and, when they match, feeding back the matching success to the HSS.
CN201510031137.8A 2015-01-21 2015-01-21 Method for security protection, device, system and the terminal of soft SIM card Active CN105873045B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510031137.8A CN105873045B (en) 2015-01-21 2015-01-21 Method for security protection, device, system and the terminal of soft SIM card

Publications (2)

Publication Number Publication Date
CN105873045A CN105873045A (en) 2016-08-17
CN105873045B true CN105873045B (en) 2019-05-28

Family

ID=56623209

Country Status (1)

Country Link
CN (1) CN105873045B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant