WO2010051715A1 - Method, system and mobile terminal for distributing the initial key of security sub-domain of a smart card - Google Patents

Method, system and mobile terminal for distributing the initial key of security sub-domain of a smart card Download PDF

Info

Publication number
WO2010051715A1
WO2010051715A1 PCT/CN2009/073489 CN2009073489W WO2010051715A1 WO 2010051715 A1 WO2010051715 A1 WO 2010051715A1 CN 2009073489 W CN2009073489 W CN 2009073489W WO 2010051715 A1 WO2010051715 A1 WO 2010051715A1
Authority
WO
WIPO (PCT)
Prior art keywords
management platform
smart card
card
mobile terminal
security domain
Prior art date
Application number
PCT/CN2009/073489
Other languages
French (fr)
Chinese (zh)
Inventor
余万涛
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2010051715A1 publication Critical patent/WO2010051715A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards

Definitions

  • the present invention relates to an NFC-based mobile terminal electronic payment technology, and in particular, to a smart card slave security key initial key distribution method, system, and mobile terminal.
  • NFC Near Field Communication
  • 1356MHz a short-range wireless communication technology operating at 13.56MHz
  • mobile communication terminals such as mobile phones can simulate contactless IC cards for related applications of electronic payment.
  • Implementing this solution on a mobile communication terminal requires adding an NFC analog front end chip and an NFC antenna to the terminal, and using a smart card that supports electronic payment.
  • IC cards especially non-contact IC cards
  • mobile phones have experienced rapid development for more than 20 years, and have been widely popular among residents, bringing great convenience to people's work and life.
  • the capabilities of mobile phones are becoming more powerful and there is a tendency to integrate more features.
  • Combining mobile phones with non-contact IC card technology mobile phones used in the field of electronic payment will further expand the use of mobile phones, bring convenience to people's lives, and have broad application prospects.
  • the business framework of the mobile payment system for mobile terminals based on NFC technology usually adopts the multi-application framework of the Global Platform specification.
  • the smart card supporting the Global Platform specification refers to the Global Platform Card Specification V2.1.1/V2.2 specification.
  • the IC chip or smart card can be physically a SIM/USIM card, a pluggable smart memory card or an IC chip integrated on the mobile terminal.
  • NFC Near Field Communication
  • secure channel protocol needs to support SCP02 (based on symmetric key); if the mobile terminal electronic payment system based on near field communication technology supports GP2.2 specification, the secure channel protocol needs to support SCP02 (based on symmetric key) and SCP10 (based on non- Symmetric keys), card issuers, application providers can choose based on security policy requirements.
  • an NFC-based mobile terminal short-range electronic payment system mainly consists of a card issuer management platform, an application provider management platform, and a mobile terminal supporting a smart card with an electronic payment application function, and multiple application providers may exist in the system. Management platform.
  • multiple applications can be installed on the smart card supporting the Global Platform specification.
  • the smart card is divided into several independent security domains to ensure the isolation and independence of multiple applications. Manage their respective security domains as well as applications, application data, and more.
  • Security domains include primary and secondary security domains.
  • the primary security domain is the card issuer's mandatory card representation on the smart card.
  • the security domain is represented by a card issuer or application provider on an additional optional card on the smart card.
  • the key generation and distribution of the secure domain is the responsibility of the card issuer or application provider that manages the secure domain, which ensures that applications and data from different application providers can coexist on the same card.
  • the keys for the security domain include the primary security domain key, the security domain initial key, and the secondary security domain key.
  • the primary security domain key and the secondary domain security key are generated by the card issuer management platform, and the security domain key is managed by
  • a secure domain Before downloading and installing an electronic payment application to a smart card, a secure domain needs to be created for the application on the smart card.
  • the creation of a smart card from a secure domain is done by the card issuer management platform. After the smart card is issued, when the smart card is created from the secure domain, the initial key from the secure domain must be imported by the card issuer management platform to the secure domain on the smart card.
  • the process of distributing the initial key from the security domain is related to the specific implementation of the system network architecture. In order to realize the security management of the smart card and the downloading, installation, etc. of the payment application, the smart card needs to establish communication with the card issuer management platform and the application provider management platform.
  • the smart card establishes communication through the mobile terminal using the mobile communication network and the management platform, and how to import the security key from the security domain initial key to the slave security zone generated by the card issuer management platform while establishing communication, is the mobile terminal electronic payment One that needs to be solved Question.
  • the present invention provides a smart card initial key distribution method, system and mobile terminal from a security domain to securely import a security key from a security domain initial key.
  • the present invention provides a method for initializing a smart card from a security domain.
  • the method establishes communication between a smart card and an out-of-card entity management platform through an over-the-air server and a mobile terminal to implement distribution of a smart card from a security domain initial key.
  • the method includes:
  • the card issuer management platform creates a slave security domain for the smart card and generates a slave security domain initial key, and the generated slave security key initial key is imported into the smart card through the secure channel area.
  • the method further includes: before the step (a):
  • the smart card establishes an over-the-air connection with the over-the-air server through the mobile terminal; and the over-the-air server establishes a secure connection with the out-of-card entity management platform.
  • the application download request includes smart card identification information, an application identifier, and application provider identity information;
  • the method further includes: the card issuer management platform, according to the smart card identification information, application identifier and application provider identity information, or according to smart card status information, between the step (b) and the step (c) , to determine whether to create a slave security domain for the smart card.
  • the step of establishing a secure channel between the card issuer management platform and the smart card primary security domain includes:
  • the card issuer management platform performs mutual authentication with the primary security domain of the smart card
  • the user submits an application download request to the card issuer management platform through the mobile terminal and the over-the-air download server;
  • the card issuer management platform performs mutual authentication through the over-the-air server and the mobile terminal and the primary security domain of the smart card;
  • the card issuer management platform creates the slave security domain and generates the slave security domain initial key for the smart card
  • the generated secure domain initial key is imported to the airlink server and the mobile terminal through the secure channel.
  • the slave security zone of the smart card is defined by the card issuer management platform.
  • the card external entity management platform is an application provider management platform
  • the user submits an application download request to the card issuing management platform through the mobile terminal, the over-the-air server, and the application provider management platform;
  • the card issuer management platform performs mutual authentication through an application provider management platform, an over-the-air server, and a mobile terminal and a primary security domain of the smart card;
  • the card issuer management platform creates the slave security domain and generates the slave security domain initial key
  • the generated slave security domain initial key is downloaded through the application provider management platform through the secure channel.
  • the server and the mobile terminal are imported into the slave security domain of the smart card.
  • the present invention further provides a mobile terminal electronic payment system, the system comprising a smart card having an electronic payment application function, a mobile terminal, an OTA server, and a card issuer management platform, wherein the smart card is installed on the mobile terminal;
  • the smart card is configured to communicate with the card issuing management platform through the mobile terminal and the over-the-air server;
  • the card issuer management platform is arranged to distribute the smart card from the secure domain initial key to the smart card via the over-the-air server and the mobile terminal.
  • the smart card is further configured to pass the mobile terminal and the over-the-air download service Establish an over-the-air connection;
  • the over-the-air server is configured to communicate with the card issuer management platform over a secure connection and to communicate communication data between the smart card and the card issuer management platform over the over-the-air connection.
  • the smart card is further configured to provide support for submitting an application download request to the card issuer management platform, perform mutual authentication with the card issuer management platform, and establish a temporary session key, and decrypt the obtained slave security domain initial The key, as well as the initialization from the security domain;
  • the card issuer management platform is further configured to perform mutual authentication with the smart card and establish a temporary session key, determine whether to establish a slave security domain for the smart card according to an application download request or smart card status information, and establish a slave security for the smart card.
  • system further includes an application provider management platform, the application provider management platform being configured to communicate with the card issuer management platform and the over-the-air server via a secure connection;
  • the smart card is further configured to pass the mobile terminal and the over-the-air download server and the
  • the card issuer management platform is further configured to distribute the slave security domain initial key to the smart card by the application provider management platform, the air download server, and the mobile terminal;
  • the over-the-air server is further configured to transmit communication data between the smart card and the application provider management platform over the over-the-air connection.
  • the present invention further provides a mobile terminal, the mobile terminal comprising a smart card having an electronic payment application function, wherein the slave security domain initial key of the smart card is distributed by the card issuer management platform through the over-the-air server and the mobile terminal; or The slave security zone initial key of the smart card is distributed by the card issuer management platform through the application provider management platform, the over-the-air server, and the mobile terminal.
  • the smart card initial key distribution method, system and mobile terminal of the smart card can solve the situation that after the card is issued, for the symmetric key, when the slave security domain is created, the card issuer management platform generates the initial secret from the security domain. Key security is imported into the security domain, thus achieving initial security from the security domain. Secure distribution of keys.
  • 1 is a schematic diagram of the architecture of an electronic payment system for a mobile terminal based on the near field communication technology of the present invention.
  • 2 is a schematic diagram of an OTA-based slave domain initial key distribution process according to the present invention.
  • FIG. 3 is a schematic diagram of an initial key distribution process of a slave security domain based on an application provider management platform and an OTA according to the present invention.
  • the mobile payment electronic payment system of the present invention comprises an application provider management platform, a card issuer management platform, an OTA server, a mobile terminal and a smart card, wherein:
  • a smart card having an electronic payment application function installed on a mobile terminal, the smart card and the mobile terminal supporting an OTA function, the smart card also supporting a Global Platform Card Specification V2.1.1/V2.2 specification; when a user downloads an application, The smart card establishes an OTA connection with the OTA server through the mobile terminal, and the OTA connection supports transmission methods such as short message and BIP.
  • connection may also be connected to the card issuer management platform and the application provider management platform through the card issuer service terminal or the application provider service terminal, respectively.
  • the OTA server communicates with the card issuer management platform and the application provider management platform through a secure connection, and transmits communication data between the smart card and the card issuer management platform and the application provider management platform through the OTA connection;
  • the card issuer management platform is responsible for card issuance and management, manages card resources and lifecycles, keys, and certificates, is responsible for creating security domains, and interacts with other security domains to apply data to interact with the smart cards. Authenticate and establish temporary session keys, and generate and distribute to smart cards from Security domain initial key.
  • the card issuer management platform may include a card management system, an application management system, a key management system, a certificate management system, an application provider management system, etc., wherein the certificate management system supports an asymmetric key.
  • the certificate management system supports an asymmetric key.
  • CA card issuer certification authority
  • the application provider management platform is responsible for the provision and management functions of the electronic payment application, provides various business applications, and performs security management on the card with its corresponding slave security domain, and applies the key, certificate, and data to the slave security domain. Control, etc., to provide secure download and installation of applications.
  • the application provider management platform may include an application management system, a key management system, and a certificate management system, wherein the certificate management system is used in the case of supporting asymmetric keys, a certificate management system, and an application provider certification authority.
  • CA System connection.
  • the application provider management platform communicates with the card issuer management platform over a secure connection.
  • the card issuer management platform and the application provider management platform can provide electronic payment related services through the OTA server: provide a list of downloadable electronic payment applications, participate in creation of security domains and key distribution, download of electronic payment applications, and electronic payment. Personalization of the application, etc.
  • the smart card communicates with the application provider management platform and the card issuer management platform through the mobile terminal and the OTA server.
  • the card issuer management platform can also communicate with the smart card through the card issuer service terminal, the application provider management platform management, or the application provider service terminal can communicate with the smart card.
  • the present invention is described based on the mobile payment electronic payment system architecture shown in FIG. 1 , but is not limited to the mobile terminal electronic payment system architecture shown in FIG. 1 .
  • FIG. 2 is a schematic diagram of the initial key distribution process from the security domain of the present invention. As shown in Figure 2, when creating a slave security domain, the initial key distribution process steps from the security domain include:
  • Step 201 The user triggers an application download request by using a mobile terminal client program or a card program, and submits an application download request to the card issuer management platform via the OTA server, where the application download request may include the smart card identification information ICCID information, the application identifier, and the application provider. Identity information, etc.; when the user downloads the application, the smart card establishes an OTA connection between the mobile terminal and the OTA server, and the OTA connection supports a transmission mode bearer such as a short message and a BIP.
  • OTA server passed Secure connection to the application provider management platform and card issuer management platform;
  • Step 202 The card issuer management platform sends a SELECT command message to the smart card via the OTA server and the mobile terminal, and selects a primary security domain.
  • Step 203 The smart card submits a SELECT command response to the card issuer management platform via the mobile terminal and the OTA server;
  • Step 204 The card issuer management platform and the smart card master security domain establish an SCP02 security channel via the OTA server and the mobile terminal; the mutual authentication of the domain, after the mutual authentication is completed, between the card issuer management platform and the smart card primary security domain Establish a temporary session key to establish a secure channel.
  • the temporary session key may be established in accordance with the Global Platform Card Specification V2.1.1/V2.2 specification, or may be established by other methods; the mutual authentication process is managed by the card issuer via the UI server and the mobile terminal The platform and the smart card primary security domain are completed.
  • Step 205 The card issuer management platform determines whether the slave security domain needs to be created. If the slave security domain is not required to be created, the slave security domain creation process is terminated. If the slave security domain needs to be created, the subsequent steps are continued.
  • the card issuer management platform determines whether to create a slave security domain according to the information such as the smart card ICCID information, the application identifier, and the application provider identity, or the smart card status information.
  • the smart card status information is obtained from the smart card primary security domain by the card issuer management platform.
  • Step 206 The card issuer management platform sends the smart card to the smart card via the UI server and the mobile terminal
  • Step 207 The smart card submits an INSTALL command response to the card issuer management platform via the mobile terminal and the OTA server.
  • Step 208 The card issuer management platform generates an initial key, and sends a slave security initial key to the smart card primary security domain via the OTA server and the mobile terminal through the PUTKEY command.
  • Step 209 After receiving the initial key from the security domain, the smart card primary security domain initializes the secondary security domain with the received secondary domain security key; Step 210: The smart card master security domain sends a PUTKEY command response to the card issuer management platform via the mobile terminal and the OTA server, and ends the initial key distribution process from the security domain.
  • FIG. 3 is a schematic diagram of an initial key distribution process of a slave security domain based on an application provider management platform and an OTA according to the present invention. As shown in Figure 3, the steps from the security provider initial key distribution process based on the application provider management platform and the OTA include:
  • Step 301 The user triggers an application download request by using a mobile terminal client program or a card program, and the application download request includes the smart card ICCID information, the application identifier, and the application provider identity information;
  • Step 302 The card issuer management platform sends a SELECT command message to the smart card via the application provider management platform, the OTA server, and the mobile terminal, and selects the primary security domain.
  • Step 303 The smart card submits a SELECT command response to the card issuer management platform via the mobile terminal, the OTA server, and the application provider management platform.
  • Step 304 The card issuer management platform and the smart card primary security domain establish an SCP02 secure channel via the application provider management platform, the OTA server, and the mobile terminal; the mutual authentication of the domain, after the mutual authentication is completed, the card issuer management platform and the A temporary session key is established between the smart card primary security domains to establish a secure communication channel.
  • the temporary session key can be established in accordance with the Global Platform Card Specification V2.1.1/V2.2 specification, or it can be established by other methods.
  • the mutual authentication process may also be completed between the card issuer management platform and the smart card primary security domain via the application provider management platform, the UI server, and the mobile terminal.
  • Step 305 The card issuer management platform determines whether the slave security domain needs to be created. If the slave security domain is not required to be created, the slave security domain creation process is terminated. If the slave security domain needs to be created, the subsequent steps are continued.
  • Step 306 The card issuer management platform sends an INSTALL command to the smart card via the application provider management platform, the server and the mobile terminal;
  • Step 307 The smart card is managed by the mobile terminal, the OTA server, and the application provider management platform.
  • the card issuer management platform submits an INSTALL command response;
  • Step 308 The card issuer management platform sends the slave security domain initial key to the smart card primary security domain via the application provider management platform, the OTA server, and the mobile terminal through the PUTKEY command.
  • Step 309 The smart card primary security domain receives the initial from the security domain. After the key, the slave security domain initial key is used to initialize the slave security domain;
  • Step 310 The smart card primary security domain sends a PUTKEY command response to the card issuer management platform via the mobile terminal, the OTA server, and the application provider management platform, and ends the initial key distribution process from the secure domain.
  • the smart card initial key distribution method and system for the smart card can solve the problem that the security key initial key is generated by the card issuer management platform when creating the slave security domain after the card is issued for the symmetric key. Imported from a secure domain, thereby enabling secure distribution of the initial key from the secure domain.
  • the smart card from the security domain initial key distribution method, system and mobile terminal adopts OTA technology, and can solve the situation that after the card is issued, for the symmetric key, when the slave security domain is created, the card issuer management platform is generated.
  • the security of the initial key security from the security domain is imported into the security domain, thereby enabling secure distribution of the initial key from the security domain.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, a system and a mobile terminal for distributing the initial key of security sub-domain of a smart card, the system includes a smart card with electric payment application function, a mobile terminal, an Over-The-Air (OTA) server and a management platform of card issuer, wherein the smart card is installed on the mobile terminal, and is utilized to communicate with the management platform of card issuer through the mobile terminal and the OTA server; the management platform of card issuer is utilized to distribute the initial key of security sub-domain of a smart card to the smart card through the OTA server and the mobile terminal. The method of the present invention creates communication between the smart card and the entity management platform out of card with the mobile terminal and the OTA server, in order to enable the initial key of security sub-domain of the smart card be imported into the smart card safely.

Description

智能卡从安全域初始密钥分发方法、 ***及移动终端  Smart card from security domain initial key distribution method, system and mobile terminal
技术领域 Technical field
本发明涉及基于 NFC的移动终端电子支付技术, 特别地, 涉及一种智能 卡从安全域初始密钥分发方法、 ***及移动终端。  The present invention relates to an NFC-based mobile terminal electronic payment technology, and in particular, to a smart card slave security key initial key distribution method, system, and mobile terminal.
背景技术 Background technique
近场通信技术(Near Field Communication, NFC )是工作于 13.56MHz的 一种近距离无线通信技术, 由 RFID技术及互连技术融合演变而来。 手机等 移动通信终端集成 NFC技术后, 可以模拟非接触式 IC卡, 用于电子支付的 有关应用。移动通信终端上实现该方案需要在终端上增加 NFC模拟前端芯片 和 NFC天线, 并使用支持电子支付的智能卡。  Near Field Communication (NFC) is a short-range wireless communication technology operating at 13.56MHz, which is a fusion of RFID technology and interconnection technology. After integrating NFC technology, mobile communication terminals such as mobile phones can simulate contactless IC cards for related applications of electronic payment. Implementing this solution on a mobile communication terminal requires adding an NFC analog front end chip and an NFC antenna to the terminal, and using a smart card that supports electronic payment.
IC卡特别是非接触式 IC卡经过十多年的发展, 已经被广泛应用于公交、 门禁、 小额电子支付等领域。 与此同时, 手机经历 20多年的迅速发展, 在居 民中基本得到普及, 给人们的工作及生活带来很大的便利。 手机的功能越来 越强大, 并存在集成更多功能的趋势。 将手机和非接触式 IC卡技术结合, 手 机应用于电子支付领域, 会进一步扩大手机的使用范围, 给人们的生活带来 便捷, 存在着广阔的应用前景。  IC cards, especially non-contact IC cards, have been widely used in public transportation, access control, and small-scale electronic payment after more than ten years of development. At the same time, mobile phones have experienced rapid development for more than 20 years, and have been widely popular among residents, bringing great convenience to people's work and life. The capabilities of mobile phones are becoming more powerful and there is a tendency to integrate more features. Combining mobile phones with non-contact IC card technology, mobile phones used in the field of electronic payment will further expand the use of mobile phones, bring convenience to people's lives, and have broad application prospects.
为实现基于 NFC技术的移动电子支付,需要建立移动终端电子支付***, 通过该***实现对基于 NFC的移动终端电子支付的管理, 包括: 智能卡的发 行, 电子支付应用的下载、 安装和个人化, 釆用相关技术和管理策略实现电 子支付应用的安全等。  In order to realize mobile electronic payment based on NFC technology, it is necessary to establish a mobile payment electronic payment system, and implement management of electronic payment for NFC-based mobile terminals, including: distribution of smart cards, downloading, installation and personalization of electronic payment applications, Use related technologies and management strategies to achieve security of electronic payment applications.
基于 NFC 技术的移动终端电子支付***的业务框架通常釆用 Global Platform规范的多应用框架, 在该框架下, 支持 Global Platform规范的智能卡 指的是符合 Global Platform Card Specification V2.1.1/V2.2规范的 IC芯片或智 能卡, 从物理形式上可以为 SIM/USIM卡、 可插拔的智能存储卡或者集成在 移动终端上的 IC芯片。  The business framework of the mobile payment system for mobile terminals based on NFC technology usually adopts the multi-application framework of the Global Platform specification. Under this framework, the smart card supporting the Global Platform specification refers to the Global Platform Card Specification V2.1.1/V2.2 specification. The IC chip or smart card can be physically a SIM/USIM card, a pluggable smart memory card or an IC chip integrated on the mobile terminal.
如果基于近场通信(NFC )技术的移动终端电子支付***支持 GP2丄 1 规范, 安全通道协议需要支持 SCP02 (基于对称密钥) ; 如果基于近场通信 技术的移动终端电子支付***支持 GP2.2 规范, 安全通道协议需要支持 SCP02 (基于对称密钥)和 SCP10 (基于非对称密钥) , 卡片发行商、 应用 提供商可以根据安全策略需求进行选择。 If the mobile terminal electronic payment system based on Near Field Communication (NFC) technology supports GP2丄1 Specification, secure channel protocol needs to support SCP02 (based on symmetric key); if the mobile terminal electronic payment system based on near field communication technology supports GP2.2 specification, the secure channel protocol needs to support SCP02 (based on symmetric key) and SCP10 (based on non- Symmetric keys), card issuers, application providers can choose based on security policy requirements.
一般情况下,基于 NFC的移动终端近距离电子支付***主要由卡片发行 商管理平台、 应用提供商管理平台和支持具有电子支付应用功能智能卡的移 动终端组成, 该***中可以存在多个应用提供商管理平台。  In general, an NFC-based mobile terminal short-range electronic payment system mainly consists of a card issuer management platform, an application provider management platform, and a mobile terminal supporting a smart card with an electronic payment application function, and multiple application providers may exist in the system. Management platform.
在支持 Global Platform规范的智能卡上可以安装多个应用, 为了实现电 子支付应用的安全, 智能卡被分隔为若干个独立的安全域, 以保证多个应用 相互之间的隔离以及独立性, 各个应用提供商管理各自的安全域以及应用、 应用数据等。  Multiple applications can be installed on the smart card supporting the Global Platform specification. In order to realize the security of the electronic payment application, the smart card is divided into several independent security domains to ensure the isolation and independence of multiple applications. Manage their respective security domains as well as applications, application data, and more.
用于支持安全通道协议运作以及智能卡内容管理的密钥。 安全域包括主安全 域和从安全域等。 主安全域是卡发行商在智能卡上的强制的卡上代表。 从安 全域是卡发行商或应用提供商在智能卡上的附加的可选卡上代表。 A key used to support secure channel protocol operation and smart card content management. Security domains include primary and secondary security domains. The primary security domain is the card issuer's mandatory card representation on the smart card. The security domain is represented by a card issuer or application provider on an additional optional card on the smart card.
安全域的密钥生成与分发由管理该安全域的卡发行商或应用提供商负 责, 这保证了来自不同应用提供者的应用和数据可以共存于同一个卡上。 安 全域的密钥包括主安全域密钥、 从安全域初始密钥和从安全域密钥。 主安全 域密钥和从安全域初始密钥由卡发行商管理平台生成, 从安全域密钥由管理  The key generation and distribution of the secure domain is the responsibility of the card issuer or application provider that manages the secure domain, which ensures that applications and data from different application providers can coexist on the same card. The keys for the security domain include the primary security domain key, the security domain initial key, and the secondary security domain key. The primary security domain key and the secondary domain security key are generated by the card issuer management platform, and the security domain key is managed by
在将电子支付应用下载并安装到智能卡之前, 需要在智能卡上为该应用 先创建从安全域。 智能卡从安全域的创建是由卡发行商管理平台完成的。 在 智能卡发行后, 创建智能卡从安全域时, 从安全域初始密钥必须由卡发行商 管理平台通过安全途径导入到智能卡上的从安全域。 从安全域初始密钥的分 发过程与***网络架构的具体实现方式有关。 为了实现智能卡的安全性管理 和支付应用的下载、 安装等, 智能卡需要和卡发行商管理平台以及应用提供 商管理平台建立通信。 智能卡通过移动终端使用移动通信网络和管理平台建 立通信, 在建立通信的同时如何将卡发行商管理平台生成的从安全域初始密 钥安全的导入到智能卡上的从安全域, 是移动终端电子支付需要解决的一个 问题。 Before downloading and installing an electronic payment application to a smart card, a secure domain needs to be created for the application on the smart card. The creation of a smart card from a secure domain is done by the card issuer management platform. After the smart card is issued, when the smart card is created from the secure domain, the initial key from the secure domain must be imported by the card issuer management platform to the secure domain on the smart card. The process of distributing the initial key from the security domain is related to the specific implementation of the system network architecture. In order to realize the security management of the smart card and the downloading, installation, etc. of the payment application, the smart card needs to establish communication with the card issuer management platform and the application provider management platform. The smart card establishes communication through the mobile terminal using the mobile communication network and the management platform, and how to import the security key from the security domain initial key to the slave security zone generated by the card issuer management platform while establishing communication, is the mobile terminal electronic payment One that needs to be solved Question.
发明内容 Summary of the invention
为了解决现有技术问题, 本发明提供一种智能卡从安全域初始密钥分发 方法、 ***及移动终端, 以将从安全域初始密钥安全导入智能卡。  In order to solve the prior art problem, the present invention provides a smart card initial key distribution method, system and mobile terminal from a security domain to securely import a security key from a security domain initial key.
本发明提供一种智能卡从安全域初始密钥分发方法, 所述方法通过空中 下载服务器及移动终端建立智能卡与卡外实体管理平台的通信, 以实现智能 卡从安全域初始密钥的分发。  The present invention provides a method for initializing a smart card from a security domain. The method establishes communication between a smart card and an out-of-card entity management platform through an over-the-air server and a mobile terminal to implement distribution of a smart card from a security domain initial key.
进一步地, 所述方法包括:  Further, the method includes:
( a )用户向卡发行商管理平台提交应用下载请求;  (a) the user submits an application download request to the card issuer management platform;
( b )所述卡发行商管理平台收到所述应用下载请求后, 所述卡发行商管 理平台和所述智能卡的主安全域之间建立安全信道;  (b) after the card issuer management platform receives the application download request, a secure channel is established between the card issuer management platform and the primary security domain of the smart card;
( c )所述卡发行商管理平台为所述智能卡创建从安全域并生成从安全域 初始密钥, 通过所述安全信道将所生成的从安全域初始密钥导入到所述智能 卡的从安全域。  (c) the card issuer management platform creates a slave security domain for the smart card and generates a slave security domain initial key, and the generated slave security key initial key is imported into the smart card through the secure channel area.
进一步地, 所述方法在所述步骤(a )之前还包括:  Further, the method further includes: before the step (a):
智能卡通过移动终端与空中下载服务器建立空中下载连接; 以及 所述空中下载服务器与卡外实体管理平台建立安全连接。  The smart card establishes an over-the-air connection with the over-the-air server through the mobile terminal; and the over-the-air server establishes a secure connection with the out-of-card entity management platform.
进一步地, 所述方法中, 所述应用下载请求中包括智能卡标识信息、 应 用标识及应用提供商身份信息;  Further, in the method, the application download request includes smart card identification information, an application identifier, and application provider identity information;
所述方法在所述步骤(b )和所述步骤(c )之间还包括: 所述卡发行商 管理平台根据所述智能卡标识信息, 应用标识及应用提供商身份信息, 或者 根据智能卡状态信息, 判断是否为所述智能卡创建从安全域。  The method further includes: the card issuer management platform, according to the smart card identification information, application identifier and application provider identity information, or according to smart card status information, between the step (b) and the step (c) , to determine whether to create a slave security domain for the smart card.
进一步地, 所述方法中, 所述卡发行商管理平台和所述智能卡主安全域 之间建立安全信道的所述步骤包括:  Further, in the method, the step of establishing a secure channel between the card issuer management platform and the smart card primary security domain includes:
( bl )所述卡发行商管理平台与所述智能卡的主安全域进行互认证; (bl) the card issuer management platform performs mutual authentication with the primary security domain of the smart card;
( b2 ) 所述卡发行商管理平台与所述智能卡的主安全域之间建立临时会 话密钥, 从而建立安全信道。 (b2) establishing a temporary meeting between the card issuer management platform and the primary security domain of the smart card The key is established to establish a secure channel.
台时: ' 、 、 ' " ^ Taiwan time: ' , , ' " ^
用户是通过移动终端及空中下载服务器向卡发行商管理平台提交应用下 载请求;  The user submits an application download request to the card issuer management platform through the mobile terminal and the over-the-air download server;
所述卡发行商管理平台是通过空中下载服务器和移动终端与智能卡的主 安全域进行互认证; 以及  The card issuer management platform performs mutual authentication through the over-the-air server and the mobile terminal and the primary security domain of the smart card;
所述卡发行商管理平台为所述智能卡创建从安全域并生成从安全域初始 密钥后, 是通过所述安全信道将所生成的从安全域初始密钥经由空中下载服 务器和移动终端导入到所述智能卡的从安全域。  After the card issuer management platform creates the slave security domain and generates the slave security domain initial key for the smart card, the generated secure domain initial key is imported to the airlink server and the mobile terminal through the secure channel. The slave security zone of the smart card.
进一步地, 所述的方法中, 当所述卡外实体管理平台为应用提供商管理 平台时,  Further, in the method, when the card external entity management platform is an application provider management platform,
用户是通过移动终端、 空中下载服务器以及应用提供商管理平台向卡发 行商管理平台提交应用下载请求;  The user submits an application download request to the card issuing management platform through the mobile terminal, the over-the-air server, and the application provider management platform;
所述卡发行商管理平台是通过应用提供商管理平台、 空中下载服务器以 及移动终端与智能卡的主安全域进行互认证;  The card issuer management platform performs mutual authentication through an application provider management platform, an over-the-air server, and a mobile terminal and a primary security domain of the smart card;
所述卡发行商管理平台为所述智能卡创建从安全域并生成从安全域初始 密钥后, 是通过所述安全信道将所生成的从安全域初始密钥经由应用提供商 管理平台、 空中下载服务器以及移动终端导入到所述智能卡的从安全域。  After the card issuer management platform creates the slave security domain and generates the slave security domain initial key, the generated slave security domain initial key is downloaded through the application provider management platform through the secure channel. The server and the mobile terminal are imported into the slave security domain of the smart card.
本发明还提供一种移动终端电子支付***, 该***包括具有电子支付应 用功能的智能卡、 移动终端、 OTA服务器及卡发行商管理平台, 其中, 所述智能卡安装在所述移动终端上;  The present invention further provides a mobile terminal electronic payment system, the system comprising a smart card having an electronic payment application function, a mobile terminal, an OTA server, and a card issuer management platform, wherein the smart card is installed on the mobile terminal;
所述智能卡设置成通过所述移动终端及所述空中下载服务器与所述卡发 行商管理平台进行通信;  The smart card is configured to communicate with the card issuing management platform through the mobile terminal and the over-the-air server;
所述卡发行商管理平台设置成通过所述空中下载服务器和所述移动终端 向所述智能卡分发智能卡从安全域初始密钥。  The card issuer management platform is arranged to distribute the smart card from the secure domain initial key to the smart card via the over-the-air server and the mobile terminal.
进一步地, 所述智能卡还设置成通过所述移动终端与所述空中下载服务 器建立空中下载连接; Further, the smart card is further configured to pass the mobile terminal and the over-the-air download service Establish an over-the-air connection;
所述空中下载服务器设置成通过安全连接与所述卡发行商管理平台进行 通信, 以及通过所述空中下载连接传输所述智能卡与所述卡发行商管理平台 之间的通讯数据。  The over-the-air server is configured to communicate with the card issuer management platform over a secure connection and to communicate communication data between the smart card and the card issuer management platform over the over-the-air connection.
进一步地, 所述智能卡还设置成提供向所述卡发行商管理平台提交应用 下载请求的支持 ,与所述卡发行商管理平台进行互认证及建立临时会话密钥 , 解密获得的从安全域初始密钥, 以及对从安全域进行初始化;  Further, the smart card is further configured to provide support for submitting an application download request to the card issuer management platform, perform mutual authentication with the card issuer management platform, and establish a temporary session key, and decrypt the obtained slave security domain initial The key, as well as the initialization from the security domain;
所述卡发行商管理平台还设置成与所述智能卡进行互认证及建立临时会 话密钥, 根据应用下载请求或智能卡状态信息判断是否为所述智能卡建立从 安全域, 为所述智能卡建立从安全域, 以及生成并向所述智能卡分发从安全 域初始密钥。  The card issuer management platform is further configured to perform mutual authentication with the smart card and establish a temporary session key, determine whether to establish a slave security domain for the smart card according to an application download request or smart card status information, and establish a slave security for the smart card. The domain, as well as the initial key generated and distributed to the smart card from the secure domain.
进一步地, 该***还包括应用提供商管理平台, 所述应用提供商管理平 台设置成通过安全连接与所述卡发行商管理平台和所述空中下载服务器进行 通信;  Further, the system further includes an application provider management platform, the application provider management platform being configured to communicate with the card issuer management platform and the over-the-air server via a secure connection;
所述智能卡还设置成通过所述移动终端及、 所述空中下载服务器及所述  The smart card is further configured to pass the mobile terminal and the over-the-air download server and the
所述卡发行商管理平台还设置成通过所述应用提供商管理平台、 所述空 中下载服务器以及所述移动终端向所述智能卡分发从安全域初始密钥; The card issuer management platform is further configured to distribute the slave security domain initial key to the smart card by the application provider management platform, the air download server, and the mobile terminal;
所述空中下载服务器还设置成通过所述空中下载连接传输所述智能卡与 所述应用提供商管理平台之间的通讯数据。  The over-the-air server is further configured to transmit communication data between the smart card and the application provider management platform over the over-the-air connection.
本发明还提供一种移动终端, 所述移动终端包括具有电子支付应用功能 的智能卡, 其中, 所述智能卡的从安全域初始密钥由卡发行商管理平台通过 空中下载服务器和移动终端分发; 或者所述智能卡的从安全域初始密钥由卡 发行商管理平台通过应用提供商管理平台、 空中下载服务器和所述移动终端 分发。  The present invention further provides a mobile terminal, the mobile terminal comprising a smart card having an electronic payment application function, wherein the slave security domain initial key of the smart card is distributed by the card issuer management platform through the over-the-air server and the mobile terminal; or The slave security zone initial key of the smart card is distributed by the card issuer management platform through the application provider management platform, the over-the-air server, and the mobile terminal.
本发明智能卡从安全域初始密钥分发方法、 ***及移动终端, 可以解决 在发卡后, 针对对称密钥的情况, 在创建从安全域时, 将卡发行商管理平台 生成的从安全域初始密钥安全的导入到从安全域, 从而实现从安全域初始密 钥的安全分发。 The smart card initial key distribution method, system and mobile terminal of the smart card can solve the situation that after the card is issued, for the symmetric key, when the slave security domain is created, the card issuer management platform generates the initial secret from the security domain. Key security is imported into the security domain, thus achieving initial security from the security domain. Secure distribution of keys.
附图概述 BRIEF abstract
图 1 是本发明基于近场通信技术的移动终端电子支付***架构示意图。 图 2是本发明基于 OTA的从安全域初始密钥分发流程示意图。  1 is a schematic diagram of the architecture of an electronic payment system for a mobile terminal based on the near field communication technology of the present invention. 2 is a schematic diagram of an OTA-based slave domain initial key distribution process according to the present invention.
图 3是本发明基于应用提供商管理平台和 OTA的从安全域初始密钥分发 流程示意图。  FIG. 3 is a schematic diagram of an initial key distribution process of a slave security domain based on an application provider management platform and an OTA according to the present invention.
本发明的较佳实施方式 Preferred embodiment of the invention
如图 1所示, 本发明移动终端电子支付***包括应用提供商管理平台、 卡发行商管理平台、 OTA服务器、 移动终端及智能卡, 其中:  As shown in FIG. 1, the mobile payment electronic payment system of the present invention comprises an application provider management platform, a card issuer management platform, an OTA server, a mobile terminal and a smart card, wherein:
智能卡, 具有电子支付应用功能, 安装在移动终端上, 所述智能卡和所 述移动终端支持 OTA 功能, 所述智能卡还支持 Global Platform Card Specification V2.1.1/V2.2规范; 当用户下载应用时, 智能卡通过移动终端与 OTA服务器建立 OTA连接, OTA连接支持短信和 BIP等传输方式承载。  a smart card having an electronic payment application function installed on a mobile terminal, the smart card and the mobile terminal supporting an OTA function, the smart card also supporting a Global Platform Card Specification V2.1.1/V2.2 specification; when a user downloads an application, The smart card establishes an OTA connection with the OTA server through the mobile terminal, and the OTA connection supports transmission methods such as short message and BIP.
持, 与卡发行商管理平台进行互认证及建立临时会话密钥, 还用于解密获得 的从安全域初始密钥, 以及对从安全域进行初始化。 Hold, mutual authentication with the card issuer management platform and establishment of a temporary session key, also used to decrypt the obtained slave domain initial key, and to initialize the slave security domain.
连接, 也可以通过卡发行商业务终端或应用提供商业务终端分别与卡发行商 管理平台和应用提供商管理平台连接。 The connection may also be connected to the card issuer management platform and the application provider management platform through the card issuer service terminal or the application provider service terminal, respectively.
OTA服务器, 通过安全连接与卡发行商管理平台和应用提供商管理平台 进行通信 ,通过 OTA连接传输智能卡与卡发行商管理平台和应用提供商管理 平台之间的通讯数据; The OTA server communicates with the card issuer management platform and the application provider management platform through a secure connection, and transmits communication data between the smart card and the card issuer management platform and the application provider management platform through the OTA connection;
卡发行商管理平台, 负责卡的发行和管理, 对卡的资源和生命周期、 密 钥、 证书进行管理, 负责从安全域的创建, 并与其他安全域交互应用数据, 与所述智能卡进行互认证及建立临时会话密钥, 以及生成并向智能卡分发从 安全域初始密钥。 The card issuer management platform is responsible for card issuance and management, manages card resources and lifecycles, keys, and certificates, is responsible for creating security domains, and interacts with other security domains to apply data to interact with the smart cards. Authenticate and establish temporary session keys, and generate and distribute to smart cards from Security domain initial key.
就具体实现而言, 卡发行商管理平台可以包括卡片管理***、 应用管理 ***、 密钥管理***、 证书管理***、 应用提供商管理***等, 其中证书管 理***在支持非对称密钥的情况下使用, 证书管理***和卡片发行商认证机 构 (CA ) ***连接。  For specific implementation, the card issuer management platform may include a card management system, an application management system, a key management system, a certificate management system, an application provider management system, etc., wherein the certificate management system supports an asymmetric key. Use, certificate management system and card issuer certification authority (CA) system connection.
应用提供商管理平台, 负责电子支付应用的提供和管理功能, 提供各种 业务应用, 并对卡上与其对应的从安全域进行安全管理, 对所述从安全域的 应用密钥、 证书、 数据等进行控制, 提供应用的安全下载、 安装等功能。  The application provider management platform is responsible for the provision and management functions of the electronic payment application, provides various business applications, and performs security management on the card with its corresponding slave security domain, and applies the key, certificate, and data to the slave security domain. Control, etc., to provide secure download and installation of applications.
就具体实现而言, 应用提供商管理平台可以包括应用管理***、 密钥管 理***、证书管理***, 其中证书管理***在支持非对称密钥的情况下使用, 证书管理***和应用提供商认证机构 (CA ) ***连接。  For specific implementation, the application provider management platform may include an application management system, a key management system, and a certificate management system, wherein the certificate management system is used in the case of supporting asymmetric keys, a certificate management system, and an application provider certification authority. (CA) System connection.
应用提供商管理平台和卡发行商管理平台之间通过安全连接进行通信。 卡发行商管理平台和应用提供商管理平台可以通过 OTA服务器提供电 子支付有关服务: 提供可以下载的电子支付应用列表, 参与从安全域的创建 和密钥分发、 电子支付应用的下载、 以及电子支付应用的个人化等;  The application provider management platform communicates with the card issuer management platform over a secure connection. The card issuer management platform and the application provider management platform can provide electronic payment related services through the OTA server: provide a list of downloadable electronic payment applications, participate in creation of security domains and key distribution, download of electronic payment applications, and electronic payment. Personalization of the application, etc.
智能卡通过移动终端及 OTA服务器与应用提供商管理平台以及卡发行 商管理平台通信。  The smart card communicates with the application provider management platform and the card issuer management platform through the mobile terminal and the OTA server.
卡发行商管理平台也可以通过卡发行商业务终端与智能卡通信, 应用提 供商管理平台管理也可以通过应用提供商业务终端与智能卡通信。  The card issuer management platform can also communicate with the smart card through the card issuer service terminal, the application provider management platform management, or the application provider service terminal can communicate with the smart card.
本发明基于图 1所示的移动终端电子支付***架构为例进行描述, 但不 限于图 1所示移动终端电子支付***架构。  The present invention is described based on the mobile payment electronic payment system architecture shown in FIG. 1 , but is not limited to the mobile terminal electronic payment system architecture shown in FIG. 1 .
图 2是本发明从安全域初始密钥分发流程示意图。 如图 2所示, 当创建 从安全域时, 从安全域初始密钥分发流程步骤包括:  2 is a schematic diagram of the initial key distribution process from the security domain of the present invention. As shown in Figure 2, when creating a slave security domain, the initial key distribution process steps from the security domain include:
步骤 201 : 用户通过移动终端客户端程序或卡片程序触发应用下载请求, 并经由 OTA服务器向卡发行商管理平台提交应用下载请求,应用下载请求可 以包含智能卡标识信息 ICCID信息、 应用标识及应用提供商身份信息等; 当用户下载应用时,所述智能卡通过所述移动终端与 OTA服务器之间建 立 OTA连接, OTA连接支持短信和 BIP等传输方式承载。 OTA服务器通过 安全连接与应用提供商管理平台、 卡发行商管理平台通讯; Step 201: The user triggers an application download request by using a mobile terminal client program or a card program, and submits an application download request to the card issuer management platform via the OTA server, where the application download request may include the smart card identification information ICCID information, the application identifier, and the application provider. Identity information, etc.; when the user downloads the application, the smart card establishes an OTA connection between the mobile terminal and the OTA server, and the OTA connection supports a transmission mode bearer such as a short message and a BIP. OTA server passed Secure connection to the application provider management platform and card issuer management platform;
步骤 202: 卡发行商管理平台经由 OTA服务器和移动终端向智能卡发送 SELECT命令报文, 选择主安全域;  Step 202: The card issuer management platform sends a SELECT command message to the smart card via the OTA server and the mobile terminal, and selects a primary security domain.
步骤 203: 智能卡经由移动终端和 OTA服务器向卡发行商管理平台提交 SELECT命令响应;  Step 203: The smart card submits a SELECT command response to the card issuer management platform via the mobile terminal and the OTA server;
步骤 204: 卡发行商管理平台与智能卡主安全域经由 OTA服务器和移动 终端建立 SCP02安全信道; 域的互认证, 完成互认证后, 所述卡发行商管理平台与所述智能卡主安全域 之间建立临时会话密钥,从而建立安全信道。该临时会话密钥可以遵循 Global Platform Card Specification V2.1.1/V2.2规范建立, 也可以通过其它方法建立; 所述互认证过程经由所述 ΟΤΑ服务器和所述移动终端在所述卡发行商 管理平台和所述智能卡主安全域之间完成。  Step 204: The card issuer management platform and the smart card master security domain establish an SCP02 security channel via the OTA server and the mobile terminal; the mutual authentication of the domain, after the mutual authentication is completed, between the card issuer management platform and the smart card primary security domain Establish a temporary session key to establish a secure channel. The temporary session key may be established in accordance with the Global Platform Card Specification V2.1.1/V2.2 specification, or may be established by other methods; the mutual authentication process is managed by the card issuer via the UI server and the mobile terminal The platform and the smart card primary security domain are completed.
步骤 205: 卡发行商管理平台判断是否需要创建从安全域, 如果不需要 创建从安全域, 则终止从安全域创建过程, 如果需要创建从安全域, 则继续 执行后续步骤;  Step 205: The card issuer management platform determines whether the slave security domain needs to be created. If the slave security domain is not required to be created, the slave security domain creation process is terminated. If the slave security domain needs to be created, the subsequent steps are continued.
所述卡发行商管理平台根据所述智能卡 ICCID信息、 应用标识及应用提 供商身份等信息, 或者通过智能卡状态信息等方式, 判断是否创建从安全域。  The card issuer management platform determines whether to create a slave security domain according to the information such as the smart card ICCID information, the application identifier, and the application provider identity, or the smart card status information.
智能卡状态信息由卡发行商管理平台从智能卡主安全域获取。  The smart card status information is obtained from the smart card primary security domain by the card issuer management platform.
步骤 206: 卡发行商管理平台经由 ΟΤΑ服务器和移动终端向智能卡发送 Step 206: The card issuer management platform sends the smart card to the smart card via the UI server and the mobile terminal
INSTALL命令; INSTALL command;
步骤 207: 智能卡经由移动终端和 OTA服务器向卡发行商管理平台提交 INSTALL命令响应;  Step 207: The smart card submits an INSTALL command response to the card issuer management platform via the mobile terminal and the OTA server.
步骤 208: 卡发行商管理平台生成初始密钥, 通过 PUTKEY命令, 经由 OTA服务器和移动终端向智能卡主安全域发送从安全域初始密钥;  Step 208: The card issuer management platform generates an initial key, and sends a slave security initial key to the smart card primary security domain via the OTA server and the mobile terminal through the PUTKEY command.
步骤 209: 智能卡主安全域接收到从安全域初始密钥后, 用接收到的从 安全域初始密钥初始化从安全域; 步骤 210: 智能卡主安全域经由移动终端和 OTA服务器向卡发行商管理 平台发送 PUTKEY命令响应, 结束从安全域初始密钥分发过程。 Step 209: After receiving the initial key from the security domain, the smart card primary security domain initializes the secondary security domain with the received secondary domain security key; Step 210: The smart card master security domain sends a PUTKEY command response to the card issuer management platform via the mobile terminal and the OTA server, and ends the initial key distribution process from the security domain.
图 3是本发明基于应用提供商管理平台和 OTA的从安全域初始密钥分发 流程示意图。 如图 3所示,基于应用提供商管理平台和 OTA的从安全域初始 密钥分发流程步骤包括:  FIG. 3 is a schematic diagram of an initial key distribution process of a slave security domain based on an application provider management platform and an OTA according to the present invention. As shown in Figure 3, the steps from the security provider initial key distribution process based on the application provider management platform and the OTA include:
步骤 301 : 用户通过移动终端客户端程序或卡片程序触发应用下载请求, 载请求, 应用下载请求包含智能卡 ICCID信息、 应用标识及应用提供商身份 信息等;  Step 301: The user triggers an application download request by using a mobile terminal client program or a card program, and the application download request includes the smart card ICCID information, the application identifier, and the application provider identity information;
步骤 302: 卡发行商管理平台经由应用提供商管理平台、 OTA服务器和 移动终端向智能卡发送 SELECT命令报文, 选择主安全域;  Step 302: The card issuer management platform sends a SELECT command message to the smart card via the application provider management platform, the OTA server, and the mobile terminal, and selects the primary security domain.
步骤 303: 智能卡经由移动终端、 OTA服务器和应用提供商管理平台向 卡发行商管理平台提交 SELECT命令响应;  Step 303: The smart card submits a SELECT command response to the card issuer management platform via the mobile terminal, the OTA server, and the application provider management platform.
步骤 304: 卡发行商管理平台与智能卡主安全域经由应用提供商管理平 台、 OTA服务器和移动终端建立 SCP02安全信道; 域的互认证, 完成互认证后, 所述卡发行商管理平台与所述智能卡主安全域 之间建立临时会话密钥, 从而建立安全通信信道。 该临时会话密钥可以遵循 Global Platform Card Specification V2.1.1/V2.2规范建立,也可以通过其它方法 建立。  Step 304: The card issuer management platform and the smart card primary security domain establish an SCP02 secure channel via the application provider management platform, the OTA server, and the mobile terminal; the mutual authentication of the domain, after the mutual authentication is completed, the card issuer management platform and the A temporary session key is established between the smart card primary security domains to establish a secure communication channel. The temporary session key can be established in accordance with the Global Platform Card Specification V2.1.1/V2.2 specification, or it can be established by other methods.
所述互认证过程也可以经由所述应用提供商管理平台、所述 ΟΤΑ服务器 和所述移动终端在所述卡发行商管理平台和所述智能卡主安全域之间完成。  The mutual authentication process may also be completed between the card issuer management platform and the smart card primary security domain via the application provider management platform, the UI server, and the mobile terminal.
步骤 305: 卡发行商管理平台判断是否需要创建从安全域, 如果不需要 创建从安全域, 则终止从安全域创建过程, 如果需要创建从安全域, 则继续 执行后续步骤;  Step 305: The card issuer management platform determines whether the slave security domain needs to be created. If the slave security domain is not required to be created, the slave security domain creation process is terminated. If the slave security domain needs to be created, the subsequent steps are continued.
步骤 306: 卡发行商管理平台经由应用提供商管理平台、 ΟΤΑ服务器和 移动终端向智能卡发送 INSTALL命令;  Step 306: The card issuer management platform sends an INSTALL command to the smart card via the application provider management platform, the server and the mobile terminal;
步骤 307: 智能卡经由移动终端、 OTA服务器和应用提供商管理平台向 卡发行商管理平台提交 INSTALL命令响应; Step 307: The smart card is managed by the mobile terminal, the OTA server, and the application provider management platform. The card issuer management platform submits an INSTALL command response;
步骤 308: 卡发行商管理平台通过 PUTKEY命令, 经由应用提供商管理 平台、 OTA服务器和移动终端向智能卡主安全域发送从安全域初始密钥; 步骤 309: 智能卡主安全域接收到从安全域初始密钥后, 用接收到的从 安全域初始密钥初始化从安全域;  Step 308: The card issuer management platform sends the slave security domain initial key to the smart card primary security domain via the application provider management platform, the OTA server, and the mobile terminal through the PUTKEY command. Step 309: The smart card primary security domain receives the initial from the security domain. After the key, the slave security domain initial key is used to initialize the slave security domain;
步骤 310: 智能卡主安全域经由移动终端、 OTA服务器和应用提供商管 理平台向卡发行商管理平台发送 PUTKEY命令响应, 结束从安全域初始密钥 分发过程。  Step 310: The smart card primary security domain sends a PUTKEY command response to the card issuer management platform via the mobile terminal, the OTA server, and the application provider management platform, and ends the initial key distribution process from the secure domain.
本发明智能卡从安全域初始密钥分发方法和***, 可以解决在发卡后, 针对对称密钥的情况, 在创建从安全域时, 将卡发行商管理平台生成的从安 全域初始密钥安全的导入到从安全域, 从而实现从安全域初始密钥的安全分 发。  The smart card initial key distribution method and system for the smart card can solve the problem that the security key initial key is generated by the card issuer management platform when creating the slave security domain after the card is issued for the symmetric key. Imported from a secure domain, thereby enabling secure distribution of the initial key from the secure domain.
工业实用性 Industrial applicability
本发明智能卡从安全域初始密钥分发方法、***及移动终端,釆用了 OTA 技术, 可以解决在发卡后, 针对对称密钥的情况, 在创建从安全域时, 将卡 发行商管理平台生成的从安全域初始密钥安全的导入到从安全域, 从而实现 从安全域初始密钥的安全分发。  The smart card from the security domain initial key distribution method, system and mobile terminal adopts OTA technology, and can solve the situation that after the card is issued, for the symmetric key, when the slave security domain is created, the card issuer management platform is generated. The security of the initial key security from the security domain is imported into the security domain, thereby enabling secure distribution of the initial key from the security domain.

Claims

权 利 要 求 书 Claim
1、一种智能卡从安全域初始密钥分发方法, 所述方法通过空中下载服务 器及移动终端建立智能卡与卡外实体管理平台的通信, 以实现智能卡从安全 域初始密钥的分发。  A method for distributing a smart card from a security domain initial key, the method establishing communication between a smart card and an external card management platform by an over-the-air server and a mobile terminal to implement distribution of a smart card from a security domain initial key.
2、 如权利要求 1所述的方法, 所述方法包括:  2. The method of claim 1 , the method comprising:
( a )用户向卡发行商管理平台提交应用下载请求;  (a) the user submits an application download request to the card issuer management platform;
( b )所述卡发行商管理平台收到所述应用下载请求后, 所述卡发行商管 理平台和所述智能卡的主安全域之间建立安全信道; 以及  (b) after the card issuer management platform receives the application download request, establishing a secure channel between the card issuer management platform and the primary security domain of the smart card;
( c )所述卡发行商管理平台为所述智能卡创建从安全域并生成从安全域 初始密钥, 通过所述安全信道将所生成的从安全域初始密钥导入到为所述智 能卡所创建的从安全域。  (c) the card issuer management platform creates a slave security domain for the smart card and generates a slave security domain initial key, and the generated slave domain initial key is imported through the secure channel to be created for the smart card From the security domain.
3、 如权利要求 2所述的方法, 其中, 所述方法在所述步骤(a )之前还 包括:  3. The method according to claim 2, wherein the method further comprises: before the step (a):
所述智能卡通过移动终端与空中下载服务器建立空中下载连接; 以及 所述空中下载服务器与卡外实体管理平台建立安全连接。  The smart card establishes an over-the-air connection with the over-the-air server through the mobile terminal; and the over-the-air server establishes a secure connection with the out-of-card entity management platform.
4、 如权利要求 3所述的方法, 其中, 所述应用下载请求通过智能卡程序 或移动终端客户端程序进行触发,所述应用下载请求中包括智能卡标识信息、 应用标识及应用提供商身份信息;  The method of claim 3, wherein the application download request is triggered by a smart card program or a mobile terminal client program, where the application download request includes smart card identification information, an application identifier, and application provider identity information;
所述方法在所述步骤(b )和所述步骤(c )之间还包括: 所述卡发行商 管理平台根据所述智能卡标识信息, 应用标识及应用提供商身份信息, 或者 根据智能卡状态信息, 判断是否为所述智能卡创建从安全域。  The method further includes: the card issuer management platform, according to the smart card identification information, application identifier and application provider identity information, or according to smart card status information, between the step (b) and the step (c) , to determine whether to create a slave security domain for the smart card.
5、 如权利要求 2所述的方法, 其中, 所述卡发行商管理平台和所述智能 卡的主安全域之间建立安全信道的所述步骤包括:  5. The method of claim 2, wherein the step of establishing a secure channel between the card issuer management platform and the primary security domain of the smart card comprises:
( bl )所述卡发行商管理平台与所述智能卡的主安全域进行互认证; ( b2 ) 所述卡发行商管理平台与所述智能卡的主安全域之间建立临时会 话密钥, 从而建立安全信道。  (bl) the card issuer management platform performs mutual authentication with the primary security domain of the smart card; (b2) establishing a temporary session key between the card issuer management platform and the primary security domain of the smart card, thereby establishing Secure channel.
6、 如权利要求 5所述的方法, 其中, 当所述卡外实体管理平台指卡发行 商管理平台时: 6. The method of claim 5, wherein when the card external entity management platform refers to a card issue When managing the platform:
用户是通过移动终端及空中下载服务器向卡发行商管理平台提交应用下 载请求;  The user submits an application download request to the card issuer management platform through the mobile terminal and the over-the-air download server;
所述卡发行商管理平台是通过空中下载服务器和移动终端与所述智能卡 的主安全域进行互认证; 以及  The card issuer management platform performs mutual authentication with the main security domain of the smart card through an over-the-air server and a mobile terminal;
所述卡发行商管理平台为所述智能卡创建从安全域并生成从安全域初始 密钥后, 是通过所述安全信道将所生成的从安全域初始密钥经由空中下载服 务器和移动终端导入到 为所述智能卡所创建的从安全域。  After the card issuer management platform creates the slave security domain and generates the slave security domain initial key for the smart card, the generated secure domain initial key is imported to the airlink server and the mobile terminal through the secure channel. The slave security domain created for the smart card.
7、 如权利要求 5所述的方法, 其中, 当所述卡外实体管理平台指应用提 供商管理平台时, 7. The method according to claim 5, wherein, when the out-of-card entity management platform refers to an application provider management platform,
用户是通过移动终端、 空中下载服务器以及应用提供商管理平台向卡发 行商管理平台提交应用下载请求;  The user submits an application download request to the card issuing management platform through the mobile terminal, the over-the-air server, and the application provider management platform;
所述卡发行商管理平台是通过应用提供商管理平台、 空中下载服务器以 及移动终端与所述智能卡的主安全域进行互认证;  The card issuer management platform performs mutual authentication through an application provider management platform, an over-the-air server, and a mobile terminal and a primary security domain of the smart card;
所述卡发行商管理平台为所述智能卡创建从安全域并生成从安全域初始 密钥后, 是通过所述安全信道将所生成的从安全域初始密钥经由应用提供商 管理平台、 空中下载服务器以及移动终端导入到为所述智能卡所创建的从安 全域。  After the card issuer management platform creates the slave security domain and generates the slave security domain initial key, the generated slave security domain initial key is downloaded through the application provider management platform through the secure channel. The server and the mobile terminal are imported to the slave security domain created for the smart card.
8、 一种移动终端电子支付***, 所述***包括具有电子支付应用功能的 智能卡、 移动终端、 空中下载服务器及卡发行商管理平台, 其中,  8. A mobile terminal electronic payment system, the system comprising a smart card having an electronic payment application function, a mobile terminal, an over-the-air download server, and a card issuer management platform, wherein
所述智能卡安装在所述移动终端上;  The smart card is installed on the mobile terminal;
所述智能卡设置成通过所述移动终端及所述空中下载服务器与所述卡发 行商管理平台进行通信;  The smart card is configured to communicate with the card issuing management platform through the mobile terminal and the over-the-air server;
所述卡发行商管理平台设置成通过所述空中下载服务器和所述移动终端 向所述智能卡分发智能卡从安全域初始密钥。  The card issuer management platform is arranged to distribute the smart card from the secure domain initial key to the smart card via the over-the-air server and the mobile terminal.
9、 如权利要求 8所述的***, 其中,  9. The system of claim 8 wherein
所述智能卡还设置成通过所述移动终端与所述空中下载服务器建立空中 下载连接; The smart card is further configured to establish an air connection with the air download server by the mobile terminal Download connection
所述空中下载服务器设置成通过安全连接与所述卡发行商管理平台进行 通信, 以及通过所述空中下载连接传输所述智能卡与所述卡发行商管理平台 之间的通讯数据。  The over-the-air server is configured to communicate with the card issuer management platform over a secure connection and to communicate communication data between the smart card and the card issuer management platform over the over-the-air connection.
10、 如权利要求 9所述的***, 其中,  10. The system of claim 9, wherein
所述智能卡还设置成提供向所述卡发行商管理平台提交应用下载请求的 支持, 与所述卡发行商管理平台进行互认证及建立临时会话密钥, 解密获得 的从安全域初始密钥, 以及对从安全域进行初始化;  The smart card is further configured to provide support for submitting an application download request to the card issuer management platform, perform mutual authentication with the card issuer management platform, establish a temporary session key, and decrypt the obtained slave domain initial key. And initializing the slave security domain;
所述卡发行商管理平台还设置成与所述智能卡进行互认证及建立临时会 话密钥, 根据应用下载请求或智能卡状态信息判断是否为所述智能卡建立从 安全域, 为所述智能卡建立从安全域, 以及生成并向所述智能卡分发从安全 域初始密钥。  The card issuer management platform is further configured to perform mutual authentication with the smart card and establish a temporary session key, determine whether to establish a slave security domain for the smart card according to an application download request or smart card status information, and establish a slave security for the smart card. The domain, as well as the initial key generated and distributed to the smart card from the secure domain.
11、 如权利要求 10所述的***, 其中, 所述***还包括应用提供商管理 平台,  11. The system of claim 10, wherein the system further comprises an application provider management platform,
所述应用提供商管理平台设置成通过安全连接与所述卡发行商管理平台 和所述空中下载服务器进行通信;  The application provider management platform is configured to communicate with the card issuer management platform and the over-the-air server over a secure connection;
所述智能卡还设置成通过所述移动终端及、 所述空中下载服务器及所述  The smart card is further configured to pass the mobile terminal and the over-the-air download server and the
所述卡发行商管理平台还设置成通过所述应用提供商管理平台、 所述空 中下载服务器以及所述移动终端向所述智能卡分发从安全域初始密钥; The card issuer management platform is further configured to distribute the slave security domain initial key to the smart card by the application provider management platform, the air download server, and the mobile terminal;
所述空中下载服务器还设置成通过所述空中下载连接传输所述智能卡与 所述应用提供商管理平台之间的通讯数据。  The over-the-air server is further configured to transmit communication data between the smart card and the application provider management platform over the over-the-air connection.
12、 一种移动终端, 所述移动终端包括具有电子支付应用功能的智能卡, 其中, 所述智能卡的从安全域初始密钥由卡发行商管理平台通过空中下载服 务器和移动终端分发; 或者所述智能卡的从安全域初始密钥由卡发行商管理 平台通过应用提供商管理平台、 空中下载服务器和所述移动终端分发。  12. A mobile terminal, the mobile terminal comprising a smart card having an electronic payment application function, wherein the slave security domain initial key of the smart card is distributed by the card issuer management platform through an over-the-air server and a mobile terminal; or The slave security domain initial key of the smart card is distributed by the card issuer management platform through the application provider management platform, the over-the-air server, and the mobile terminal.
PCT/CN2009/073489 2008-11-10 2009-08-25 Method, system and mobile terminal for distributing the initial key of security sub-domain of a smart card WO2010051715A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810177015.X 2008-11-10
CN200810177015.XA CN101742480B (en) 2008-11-10 2008-11-10 Method and system for distributing initial key of slave security domain of intelligent card and mobile terminal

Publications (1)

Publication Number Publication Date
WO2010051715A1 true WO2010051715A1 (en) 2010-05-14

Family

ID=42152478

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/073489 WO2010051715A1 (en) 2008-11-10 2009-08-25 Method, system and mobile terminal for distributing the initial key of security sub-domain of a smart card

Country Status (2)

Country Link
CN (1) CN101742480B (en)
WO (1) WO2010051715A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8898769B2 (en) 2012-11-16 2014-11-25 At&T Intellectual Property I, Lp Methods for provisioning universal integrated circuit cards
US8959331B2 (en) 2012-11-19 2015-02-17 At&T Intellectual Property I, Lp Systems for provisioning universal integrated circuit cards
US9036820B2 (en) 2013-09-11 2015-05-19 At&T Intellectual Property I, Lp System and methods for UICC-based secure communication
US9124573B2 (en) 2013-10-04 2015-09-01 At&T Intellectual Property I, Lp Apparatus and method for managing use of secure tokens
US9208300B2 (en) 2013-10-23 2015-12-08 At&T Intellectual Property I, Lp Apparatus and method for secure authentication of a communication device
US9240989B2 (en) 2013-11-01 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for secure over the air programming of a communication device
US9240994B2 (en) 2013-10-28 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for securely managing the accessibility to content and applications
US9313660B2 (en) 2013-11-01 2016-04-12 At&T Intellectual Property I, Lp Apparatus and method for secure provisioning of a communication device
US9413759B2 (en) 2013-11-27 2016-08-09 At&T Intellectual Property I, Lp Apparatus and method for secure delivery of data from a communication device
US9967247B2 (en) 2014-05-01 2018-05-08 At&T Intellectual Property I, L.P. Apparatus and method for managing security domains for a universal integrated circuit card

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102630083B (en) * 2012-02-29 2015-02-11 中国工商银行股份有限公司 System for using mobile terminal to carry out card operation and method thereof
CN105825134A (en) * 2016-03-16 2016-08-03 中国联合网络通信集团有限公司 Intelligent card processing method, intelligent card management server and terminal
CN105976008B (en) * 2016-05-11 2019-04-05 新智数字科技有限公司 A kind of intelligent card data encryption method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1926836A (en) * 2004-02-25 2007-03-07 诺基亚公司 Electronic payment schemes in a mobile environment for short-range transactions
US20080058014A1 (en) * 2006-09-01 2008-03-06 Vivotech, Inc. Methods, systems and computer program products for over the air (OTA) provisioning of soft cards on devices with wireless communications capabilities
CN101140649A (en) * 2007-10-22 2008-03-12 中兴通讯股份有限公司 Method and system for realizing electric commerce by mobile phones integrating RFID chip mobile phones
CN101164086A (en) * 2005-03-07 2008-04-16 诺基亚公司 Methods, system and mobile device capable of enabling credit card personalization using a wireless network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1926836A (en) * 2004-02-25 2007-03-07 诺基亚公司 Electronic payment schemes in a mobile environment for short-range transactions
CN101164086A (en) * 2005-03-07 2008-04-16 诺基亚公司 Methods, system and mobile device capable of enabling credit card personalization using a wireless network
US20080058014A1 (en) * 2006-09-01 2008-03-06 Vivotech, Inc. Methods, systems and computer program products for over the air (OTA) provisioning of soft cards on devices with wireless communications capabilities
CN101140649A (en) * 2007-10-22 2008-03-12 中兴通讯股份有限公司 Method and system for realizing electric commerce by mobile phones integrating RFID chip mobile phones

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10015665B2 (en) 2012-11-16 2018-07-03 At&T Intellectual Property I, L.P. Methods for provisioning universal integrated circuit cards
US10834576B2 (en) 2012-11-16 2020-11-10 At&T Intellectual Property I, L.P. Methods for provisioning universal integrated circuit cards
US8898769B2 (en) 2012-11-16 2014-11-25 At&T Intellectual Property I, Lp Methods for provisioning universal integrated circuit cards
US10681534B2 (en) 2012-11-16 2020-06-09 At&T Intellectual Property I, L.P. Methods for provisioning universal integrated circuit cards
US8959331B2 (en) 2012-11-19 2015-02-17 At&T Intellectual Property I, Lp Systems for provisioning universal integrated circuit cards
US9886690B2 (en) 2012-11-19 2018-02-06 At&T Mobility Ii Llc Systems for provisioning universal integrated circuit cards
US9185085B2 (en) 2012-11-19 2015-11-10 At&T Intellectual Property I, Lp Systems for provisioning universal integrated circuit cards
US9036820B2 (en) 2013-09-11 2015-05-19 At&T Intellectual Property I, Lp System and methods for UICC-based secure communication
US10735958B2 (en) 2013-09-11 2020-08-04 At&T Intellectual Property I, L.P. System and methods for UICC-based secure communication
US10091655B2 (en) 2013-09-11 2018-10-02 At&T Intellectual Property I, L.P. System and methods for UICC-based secure communication
US11368844B2 (en) 2013-09-11 2022-06-21 At&T Intellectual Property I, L.P. System and methods for UICC-based secure communication
US9461993B2 (en) 2013-09-11 2016-10-04 At&T Intellectual Property I, L.P. System and methods for UICC-based secure communication
US10122534B2 (en) 2013-10-04 2018-11-06 At&T Intellectual Property I, L.P. Apparatus and method for managing use of secure tokens
US9419961B2 (en) 2013-10-04 2016-08-16 At&T Intellectual Property I, Lp Apparatus and method for managing use of secure tokens
US9124573B2 (en) 2013-10-04 2015-09-01 At&T Intellectual Property I, Lp Apparatus and method for managing use of secure tokens
US10778670B2 (en) 2013-10-23 2020-09-15 At&T Intellectual Property I, L.P. Apparatus and method for secure authentication of a communication device
US10104062B2 (en) 2013-10-23 2018-10-16 At&T Intellectual Property I, L.P. Apparatus and method for secure authentication of a communication device
US9208300B2 (en) 2013-10-23 2015-12-08 At&T Intellectual Property I, Lp Apparatus and method for secure authentication of a communication device
US11477211B2 (en) 2013-10-28 2022-10-18 At&T Intellectual Property I, L.P. Apparatus and method for securely managing the accessibility to content and applications
US11005855B2 (en) 2013-10-28 2021-05-11 At&T Intellectual Property I, L.P. Apparatus and method for securely managing the accessibility to content and applications
US10375085B2 (en) 2013-10-28 2019-08-06 At&T Intellectual Property I, L.P. Apparatus and method for securely managing the accessibility to content and applications
US9813428B2 (en) 2013-10-28 2017-11-07 At&T Intellectual Property I, L.P. Apparatus and method for securely managing the accessibility to content and applications
US10104093B2 (en) 2013-10-28 2018-10-16 At&T Intellectual Property I, L.P. Apparatus and method for securely managing the accessibility to content and applications
US9240994B2 (en) 2013-10-28 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for securely managing the accessibility to content and applications
US9313660B2 (en) 2013-11-01 2016-04-12 At&T Intellectual Property I, Lp Apparatus and method for secure provisioning of a communication device
US10200367B2 (en) 2013-11-01 2019-02-05 At&T Intellectual Property I, L.P. Apparatus and method for secure provisioning of a communication device
US9942227B2 (en) 2013-11-01 2018-04-10 At&T Intellectual Property I, L.P. Apparatus and method for secure over the air programming of a communication device
US9882902B2 (en) 2013-11-01 2018-01-30 At&T Intellectual Property I, L.P. Apparatus and method for secure provisioning of a communication device
US10567553B2 (en) 2013-11-01 2020-02-18 At&T Intellectual Property I, L.P. Apparatus and method for secure over the air programming of a communication device
US9628587B2 (en) 2013-11-01 2017-04-18 At&T Intellectual Property I, L.P. Apparatus and method for secure over the air programming of a communication device
US10701072B2 (en) 2013-11-01 2020-06-30 At&T Intellectual Property I, L.P. Apparatus and method for secure provisioning of a communication device
US9240989B2 (en) 2013-11-01 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for secure over the air programming of a communication device
US9413759B2 (en) 2013-11-27 2016-08-09 At&T Intellectual Property I, Lp Apparatus and method for secure delivery of data from a communication device
US9729526B2 (en) 2013-11-27 2017-08-08 At&T Intellectual Property I, L.P. Apparatus and method for secure delivery of data from a communication device
US9560025B2 (en) 2013-11-27 2017-01-31 At&T Intellectual Property I, L.P. Apparatus and method for secure delivery of data from a communication device
US10476859B2 (en) 2014-05-01 2019-11-12 At&T Intellectual Property I, L.P. Apparatus and method for managing security domains for a universal integrated circuit card
US9967247B2 (en) 2014-05-01 2018-05-08 At&T Intellectual Property I, L.P. Apparatus and method for managing security domains for a universal integrated circuit card

Also Published As

Publication number Publication date
CN101742480B (en) 2013-05-08
CN101742480A (en) 2010-06-16

Similar Documents

Publication Publication Date Title
WO2010051715A1 (en) Method, system and mobile terminal for distributing the initial key of security sub-domain of a smart card
JP5508428B2 (en) Key distribution method and system
WO2010051714A1 (en) Method, system and mobile terminal for updating and distributing the subordinate security domain key of a smart card
EP1856671B1 (en) Methods, system and mobile device capable of enabling credit card personalization using a wireless network
US8781131B2 (en) Key distribution method and system
JP6185152B2 (en) Method of accessing services, device and system for accessing
CN102202307B (en) Mobile terminal identity authentication system and method based on digital certificate
WO2010045807A1 (en) Key distribution method and system
KR20160124648A (en) Method and apparatus for downloading and installing a profile
TW201004394A (en) Method of authenticating home operator for over-the-air provisioning of a wireless device
WO2010096991A1 (en) An application downloading system and method
WO2018107718A1 (en) Method and device for assigning number to intelligent card over air
WO2010051713A1 (en) Method, system and mobile terminal for distributing the initial key of security sub-domain of a smart card
WO2010045823A1 (en) Cryptographic-key updating method and system
CN202696901U (en) Mobile terminal identity authentication system based on digital certificate
WO2010045824A1 (en) A method and system for key distributing
US20160366137A1 (en) Installation of a secure-element-related service application in a secure element in a communication device, system and telecommunications
WO2018107723A1 (en) Method and device for switching remote subscription management platform for intelligent card, intelligent card, and sm-sr
WO2010045821A1 (en) Cryptographic-key updating method and system
WO2010051716A1 (en) Method, system and mobile terminal for updating and distributing the secondary security domain key of smart card
WO2010045825A1 (en) Method and system for key distribution
WO2010045777A1 (en) Electronic payment system and method of updating mobile phone user number corresponding to ic card
KR20130102642A (en) System and method for managing ota provisioning applications through use of profiles and data preparation
US20220278985A1 (en) Method and device for transferring bundle between devices
KR20100078612A (en) System and method for setting of session cipher key based on smart card, and smart card applied to the same

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09824370

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09824370

Country of ref document: EP

Kind code of ref document: A1