WO2011029297A1 - System and method for providing a machine communication identity module to a machine to machine equipment - Google Patents

System and method for providing a machine communication identity module to a machine to machine equipment

Info

Publication number
WO2011029297A1
Authority
WO
WIPO (PCT)
Prior art keywords
m2me
operator
network operator
home network
connection
Prior art date
Application number
PCT/CN2010/071245
Other languages
French (fr)
Chinese (zh)
Inventor
余万涛
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2011029297A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • The present invention relates to machine-to-machine (M2M) communication technology, and in particular to a system and method for providing a Machine Communication Identity Module (MCIM) to Machine to Machine Equipment (M2ME).
  • M2M machine to machine
  • M2ME Machine to Machine Equipment
  • MCIM Machine Communication Identity Module
  • M2M communication is the general term for a family of technologies, and combinations of them, that use wireless communication to realize data exchange between machines, and between machines and people.
  • M2M has two layers of meaning: the first is the machine itself, called a smart device in the embedded field.
  • The second is the connection between machines, linking them together through a network.
  • Machine-type communication has a very wide range of applications, such as smart metering, remote monitoring, tracking and healthcare, making daily life more intelligent.
  • Compared with traditional person-to-person communication, M2M equipment (M2ME) exists in huge numbers and across many application fields, and has great market prospects.
  • In M2M communication the main long-range connection technologies are GSM/GPRS/UMTS, and the main short-range ones are 802.11b/g, Bluetooth, Zigbee and RFID.
  • M2M is a device-oriented service. Because it integrates wireless communication with information technology it supports two-way communication, such as collecting information, setting parameters and sending commands remotely, which enables application scenarios such as security monitoring, vending and cargo tracking. Almost every device encountered in daily life is a potential service object. M2M offers a simple means of establishing a wireless connection for real-time device data between systems, between remote devices, or with individuals.
  • An MCIM application is a set of M2M security data and functions for accessing a 3GPP network (which may also be an IMS network).
  • The MCIM can reside on a UICC (Universal Integrated Circuit Card) or in a TRE; when it resides on the UICC, the MCIM is the USIM or ISIM.
  • UICC Universal Integrated Circuit Card
  • TRE refers to the Trusted Environment provided by the M2ME.
  • A TRE can be validated by an authorized external agent whenever needed.
  • The MCIM can be installed in the TRE, and the M2ME provides hardware and software protection and isolation for the MCIM through the TRE.
  • M2ME provides M2M services in one of two ways: based on a UICC, or based on a TRE functional entity.
  • In the UICC-based solutions that allow the subscription data to be changed, if the home network operator is determined only after the UICC has been issued, initially provisioning the MCIM to the UICC is a problem that still has to be solved.
  • Alternatively, the operator can be changed by changing the IMSI (International Mobile Subscriber Identity), which makes the M2ME easy to manage.
  • IMSI International Mobile Subscriber Identity
  • This scheme, however, involves passing the IMSI between different mobile operator networks, which increases the security risk to the M2ME subscription data.
  • While the IMSI is being changed, the UICC may lose its connection to every operator.
  • The technical problem to be solved by the present invention is to provide a system and method for providing an MCIM to an M2ME that can provision the MCIM to the M2ME remotely while guaranteeing secure storage of the MCIM.
  • The present invention provides a method for providing a Machine Communication Identity Module (MCIM) to Machine to Machine Equipment (M2ME), comprising:
  • The M2ME establishes a connection with the visited network operator through a Trusted Environment (TRE), and establishes a connection with the registration operator through the IP connection provided by the visited network operator; the registration operator discovers the home network operator of the M2ME.
  • TRE Trusted Environment
  • After a platform validation authority has successfully validated the M2ME, the home network operator authorizes the registration operator to download the MCIM to the M2ME.
  • The M2ME installs the downloaded MCIM on the Universal Integrated Circuit Card (UICC); the TRE and the UICC are both located on the M2ME.
  • The step in which the M2ME establishes a connection with the visited network operator through the TRE and establishes a connection with the registration operator through the IP connection provided by the visited network operator includes:
  • The M2ME sends an attach message to the visited network operator through the TRE, carrying the provisional connectivity identity of the M2ME.
  • On receiving the provisional connectivity identity of the M2ME, the visited network operator connects to the registration operator and forwards the identity to it.
  • The registration operator generates a set of authentication vectors from the provisional connectivity identity and returns them to the visited network operator.
  • The visited network operator authenticates the M2ME using the authentication vectors and, after successful authentication, assigns an IP address to the M2ME.
  • The M2ME then connects to the registration operator through the TRE using the IP connection provided by the visited network operator.
  • After the M2ME has connected to the registration operator, the method further includes: the M2ME sends the home network operator information selected by the subscriber to the registration operator.
  • In the step in which the registration operator discovers the home network operator of the M2ME, the registration operator discovers the home network operator from that information and registers the M2ME with the home network operator.
  • After the M2ME has been registered with the home network operator, the method further includes: the home network operator requests the platform validation authority to validate the M2ME.
  • The present invention also provides a system for providing a Machine Communication Identity Module (MCIM) to Machine to Machine Equipment (M2ME), comprising an M2ME, a visited network operator, a registration operator, a home network operator and a platform validation authority.
  • M2ME Machine to Machine Equipment
  • MCIM Machine Communication Identity Module
  • The M2ME includes a Trusted Environment (TRE) and a Universal Integrated Circuit Card (UICC); the M2ME establishes a connection with the visited network operator through the TRE, establishes a connection with the registration operator through the IP connection provided by the visited network operator, and installs the downloaded MCIM on the UICC.
  • TRE Trusted Environment
  • UICC Universal Integrated Circuit Card
  • The visited network operator, after establishing a connection with the M2ME, provides the M2ME with an IP connection to the registration operator.
  • The registration operator, after connecting with the M2ME, discovers the home network operator of the M2ME, and, once the platform validation authority has successfully validated the M2ME, downloads the MCIM to the M2ME under the authorization of the home network operator.
  • The platform validation authority validates the M2ME.
  • The M2ME also sends an attach message carrying its provisional connectivity identity to the visited network operator through the TRE, and connects to the registration operator through the TRE using the IP connection provided by the visited network operator.
  • The visited network operator, after receiving the provisional connectivity identity of the M2ME, connects to the registration operator and forwards the identity to it; it receives a set of authentication vectors returned by the registration operator, authenticates the M2ME with them, and assigns an IP address to the M2ME after successful authentication.
  • The registration operator generates a set of authentication vectors after receiving the provisional connectivity identity and returns them to the visited network operator.
  • The home network operator information selected by the subscriber is sent to the registration operator.
  • The registration operator discovers the home network operator from that information and registers the M2ME with the home network operator.
  • The above system may further have the following features:
  • After the M2ME has registered with the home network operator, the home network operator requests the platform validation authority to validate the M2ME.
  • The platform validation authority verifies the authenticity and integrity of the M2ME after receiving the validation request and returns the result to the home network operator.
  • The present invention thus provides a system and method for providing an MCIM to an M2ME that combines the function of the TRE on the M2ME with the security of the UICC, ensuring both remote provisioning and secure storage of the MCIM.
  • FIG. 1 is a schematic diagram of a UICC-based M2ME architecture according to an embodiment of the present invention (the TRE is located on the M2ME).
  • FIG. 2 is a schematic diagram of a UICC-based M2M system architecture according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of the remote initial provisioning of the MCIM according to an embodiment of the present invention.
  • Preferred embodiment of the invention
  • The present invention provides a system and method for providing an MCIM to an M2ME.
  • The M2ME combines the initial connectivity provided by the TRE on the M2ME with the high security of the UICC to provision the MCIM to the M2ME remotely while keeping the MCIM secure.
  • FIG. 1 is a schematic diagram of a UICC-based M2ME architecture according to the present invention: both the TRE and the UICC are located on the M2ME.
  • This embodiment provides a system for providing an MCIM to an M2ME.
  • The system includes an M2ME, a Visited Network Operator (VNO), a Registration Operator (RO), a Selected Home Operator (SHO, the home network operator) and a Platform Validation Authority (PVA).
  • VNO Visited Network Operator
  • RO Registration Operator
  • SHO Selected Home Operator
  • PVA Platform Validation Authority
  • The M2ME includes a UICC and a TRE (Trusted Environment); that is, both the TRE and the UICC are located on the M2ME.
  • The M2ME uses a Provisional Connectivity Identity (PCID) as its private identity.
  • PCID Provisional Connectivity Identity
  • The PCID must be installed by the vendor in the TRE on the M2ME.
  • The format of the PCID is the same as that of an IMSI.
  • The TRE is the trusted environment provided by the M2ME; it provides hardware- and software-based protection and isolation for the provisioning, storage, execution and management of the MCIM.
  • The security of the PCID is likewise guaranteed by the TRE: secure storage, retrieval and use of the PCID are implemented by TRE functions.
  • A TRE can be validated by an authorized external agent whenever needed.
  • The M2ME establishes a connection with the visited network operator through the TRE, establishes a connection with the registration operator through the connection provided by the visited network operator, and installs the downloaded MCIM on the UICC.
  • After the M2ME has connected to the registration operator, the registration operator discovers the home network operator of the M2ME; after the platform validation authority has successfully validated the M2ME, the MCIM is downloaded to the M2ME under the authorization of the home network operator. Specifically:
  • The registration operator comprises the MCIM Download and Provisioning Function (DPF), the Discovery and Registration Function (DRF) and the Initial Connectivity Function (ICF): the ICF of the registration operator receives the attach message sent by the M2ME and establishes a connection with the M2ME, and the DPF of the registration operator downloads the MCIM to the M2ME.
  • DPF MCIM Download and Provisioning Function
  • DRF Discovery and Registration Function
  • ICF Initial Connectivity Function
  • The M2ME establishes a connection with the visited network operator through the TRE.
  • The M2ME sends an attach message carrying its provisional connectivity identity to the visited network operator through the TRE.
  • The visited network operator, after receiving the provisional connectivity identity of the M2ME, connects to the registration operator and forwards the identity to it; it receives the authentication vectors returned by the registration operator and authenticates the M2ME with them, assigning an IP address to the M2ME after successful authentication. The registration operator generates a set of authentication vectors after receiving the provisional connectivity identity and returns them to the visited network operator.
  • The M2ME connects to the registration operator through the TRE using the IP connection provided by the visited network operator. After the M2ME has connected to the registration operator, the home network operator information selected by the subscriber is sent to the registration operator.
  • The registration operator discovers the home network operator from that information and registers the M2ME with the home network operator: the registration operator either helps the M2ME discover its home network operator through the DRF, or discovers it on the M2ME's behalf.
  • After the M2ME has registered with the home network operator, the home network operator requests the platform validation authority to validate the M2ME; after successful validation it notifies the registration operator that the M2ME has been validated and authorizes the registration operator to provide the MCIM to the M2ME.
  • The registration operator downloads the MCIM to the M2ME upon receipt of the authorization notice.
  • The platform validation authority validates the M2ME: after receiving the validation request it verifies the authenticity and integrity of the M2ME and returns the result to the home network operator.
  • When the MCIM is located on the UICC, the MCIM refers to the USIM/ISIM.
  • For convenience of description, in the present invention only the term MCIM is used for the M2ME, whether or not the MCIM is located on the UICC, and USIM/ISIM is not referred to separately.
  • This embodiment provides a method for providing an MCIM to an M2ME.
  • Both the UICC and the TRE are located on the M2ME.
  • The M2ME obtains its MCIM as follows: the subscriber selects the M2M home operator; the M2ME then establishes an IP connection with the RO through the TRE, and the RO helps the M2ME register with the SHO; the SHO verifies the authenticity and integrity of the M2ME through the PVA and then authorizes the RO to provide the MCIM to the M2ME; the M2ME downloads the MCIM and provisions it to the UICC.
  • The specific provisioning process includes the following steps:
  • Step 301 Both the TRE and the UICC are located on the M2ME; the M2ME decodes the network information according to standard GSM/UMTS procedures and attaches to any VNO. The M2ME establishes an initial connection with the visited network operator through the TRE, that is, the M2ME sends an attach message to the VNO through the TRE, carrying its provisional connectivity identity (PCID, Provisional Connectivity ID).
  • Step 302 After receiving the PCID of the M2ME, the VNO establishes a connection with the RO and sends the PCID to the RO (ICF function). The RO may be located at the VNO.
  • Step 303 After receiving the PCID of the M2ME, the RO (ICF function) generates a set of authentication vectors (AVs) for the PCID.
  • AVs authentication vectors
  • Step 304 The RO sends the generated authentication vectors (AVs) to the VNO.
  • Step 305 The VNO uses the authentication vectors to authenticate the PCID/M2ME; this may be, but is not limited to, AKA (Authentication and Key Agreement) authentication.
  • AKA Authentication and Key Agreement
  • Step 306 After successful authentication, the VNO provides the M2ME with an IP connection to the RO, that is, it assigns an IP address to the M2ME and sends the assigned IP address to the M2ME.
  • Step 307 The M2ME connects to the RO through the IP connection provided by the VNO network.
  • Step 308 The RO helps the M2ME discover its SHO, or the RO itself discovers the SHO on behalf of the M2ME. The RO needs to know which SHO the M2ME has chosen before it can discover that SHO: after establishing the connection with the RO, the M2ME may send the RO the information about the SHO selected by the subscriber (for example the name of the SHO). The SHO discovery process may use, but is not limited to, OMA (Open Mobile Alliance) bootstrap.
  • Step 309 The RO establishes a connection with the SHO and registers at the SHO the M2ME that is to connect to the SHO network.
  • Step 310 The SHO requests the PVA (directly, or through the RO) to verify the authenticity and integrity of the M2ME. When the SHO requests the PVA through the RO, the SHO notifies the RO to have the M2ME validated, and the RO requests the PVA to verify the authenticity and integrity of the M2ME.
  • Step 311 The PVA verifies the authenticity and integrity of the M2ME.
  • Step 312 The PVA sends the validation result to the SHO.
  • Step 313 If the validation is successful, the SHO notifies the RO (DPF function) that the M2ME has been validated successfully and authorizes the RO (DPF function) to provide the MCIM to the M2ME.
  • Step 314 The RO (DPF function) downloads the MCIM to the M2ME.
  • Step 315 The M2ME installs the downloaded MCIM on the UICC.
  • Step 316 The M2ME reports the MCIM installation success/failure status to the RO (DPF function).
  • Step 317 The RO (DPF function) reports the MCIM success/failure status to the SHO.
  • The invention provides a system and method for providing a machine communication identity module to machine to machine equipment that combines the function of the TRE on the M2ME with the security of the UICC, ensuring both remote provisioning and secure storage of the MCIM.
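
The provisioning flow of steps 301 to 317 (the same flow the method and system descriptions above state in claim language) as a runnable simulation. This is an added example, not code from the patent or from ZTE. The entity names follow the patent: M2ME with its TRE and UICC, VNO, RO with its ICF/DRF/DPF functions, SHO and PVA. Everything else is an assumption of this example: the pre-shared key bound to the PCID (K_PCID), the HMAC-based stand-in for the AKA functions f1/f2/f3 (real networks use MILENAGE or TUAK), the nonce-and-MAC platform report the TRE returns to the PVA (the patent does not say how the PVA checks authenticity and integrity), the sample MCIM contents and all sample values. Two failure modes are exercised: a TRE whose key does not match the RO's record fails AKA at the VNO and never gets an IP connection to the RO, and an M2ME whose firmware measurement the PVA does not recognize is never authorized, so nothing is downloaded and the UICC stays empty.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the patent); every value here is an assumption.
PCID = "001010123456789"                                       # IMSI-format provisional ID
K_PCID = bytes.fromhex("000102030405060708090a0b0c0d0e0f")     # held by the TRE and the RO/ICF only
TRE_ATTEST_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # held by the TRE and the PVA
GOOD_FIRMWARE = hashlib.sha256(b"m2me-firmware-v1").digest()   # measurement the PVA expects
SAMPLE_MCIM = {"imsi": "001019876543210", "k": "2b7e151628aed2a6abf7158809cf4f3c"}

def _f(key, tag, data, n):
    """Toy stand-in for the AKA functions f1/f2/f3 (real networks use MILENAGE or TUAK)."""
    return hmac.new(key, tag + data, hashlib.sha256).digest()[:n]

class TRE:  # trusted environment on the M2ME: holds the PCID, its key and the attestation key
    def __init__(self, pcid, k, attest_key, firmware_hash):
        self._pcid, self._k, self._ak, self._fw = pcid, k, attest_key, firmware_hash

    def attach_message(self):                       # step 301: attach message carrying the PCID
        return {"pcid": self._pcid}

    def answer_challenge(self, rand, autn):         # step 305, device side of AKA
        if not hmac.compare_digest(autn, _f(self._k, b"f1", rand, 8)):
            raise ValueError("AUTN check failed: network not authenticated")
        return _f(self._k, b"f2", rand, 8)          # RES

    def platform_report(self, nonce):               # answers the PVA in step 311
        return {"fw": self._fw, "mac": _f(self._ak, b"att", nonce + self._fw, 16)}

class M2ME:
    def __init__(self, tre, selected_sho):
        self.tre, self.selected_sho = tre, selected_sho
        self.uicc_mcim = None                       # the UICC holds an MCIM only after step 315

class RO:  # registration operator: ICF (auth vectors), DRF (SHO lookup), DPF (download)
    def __init__(self, subscriber_keys, sho_directory):
        self._keys, self._shos = subscriber_keys, sho_directory

    def icf_auth_vector(self, pcid):                # step 303
        k, rand = self._keys[pcid], secrets.token_bytes(16)
        return {"rand": rand, "autn": _f(k, b"f1", rand, 8),
                "xres": _f(k, b"f2", rand, 8), "ck": _f(k, b"f3", rand, 16)}

    def drf_discover(self, sho_name):               # step 308
        return self._shos[sho_name]

    def dpf_download(self, m2me, mcim):             # steps 314-316
        m2me.uicc_mcim = dict(mcim)
        return m2me.uicc_mcim == mcim

class VNO:
    def __init__(self, ro):
        self.ro = ro

    def attach(self, m2me):                         # steps 301-306
        av = self.ro.icf_auth_vector(m2me.tre.attach_message()["pcid"])  # VNO never sees K_PCID
        try:
            res = m2me.tre.answer_challenge(av["rand"], av["autn"])
        except ValueError:
            return False
        return hmac.compare_digest(res, av["xres"])  # True: IP connection towards the RO granted

class PVA:
    def __init__(self, attest_key, expected_fw):
        self._ak, self._fw = attest_key, expected_fw

    def verify(self, m2me):                         # step 311: authenticity (MAC) and integrity (fw)
        nonce = secrets.token_bytes(16)
        rep = m2me.tre.platform_report(nonce)
        expected = _f(self._ak, b"att", nonce + self._fw, 16)
        return rep["fw"] == self._fw and hmac.compare_digest(rep["mac"], expected)

class SHO:
    def __init__(self, pva, mcim):
        self.pva, self._mcim = pva, mcim

    def register_and_authorize(self, m2me):         # steps 309-313: the PVA result gates the MCIM
        return self._mcim if self.pva.verify(m2me) else None

def provision(m2me, vno):
    """Run the whole flow; the return value is the status reported in steps 316/317."""
    if not vno.attach(m2me):
        return "attach-failed"
    sho = vno.ro.drf_discover(m2me.selected_sho)    # steps 307-309
    mcim = sho.register_and_authorize(m2me)
    if mcim is None:
        return "pva-validation-failed"              # no authorization, so nothing is downloaded
    return "mcim-installed" if vno.ro.dpf_download(m2me, mcim) else "install-failed"

def build_device(firmware_hash=GOOD_FIRMWARE, k=K_PCID):
    return M2ME(TRE(PCID, k, TRE_ATTEST_KEY, firmware_hash), "sho-example")

def build_network():
    sho = SHO(PVA(TRE_ATTEST_KEY, GOOD_FIRMWARE), SAMPLE_MCIM)
    return VNO(RO({PCID: K_PCID}, {"sho-example": sho}))

if __name__ == "__main__":
    print(provision(build_device(), build_network()))                            # mcim-installed
    print(provision(build_device(firmware_hash=b"\x00" * 32), build_network()))  # pva-validation-failed
    print(provision(build_device(k=b"\x01" * 16), build_network()))              # attach-failed
```

Two properties of the design are visible in the code: the VNO only ever handles authentication vectors for one RAND, never K_PCID, so a visited network learns one-time values rather than the long-term key; and the MCIM reaches the device only after the PVA result has gated the SHO's authorization. The steps as described do not say how the MCIM itself is protected on the wire between the DPF and the M2ME; the AKA-derived CK is available for that purpose, and a deployment has to protect the download, since the stated goal is to keep an attacker from obtaining the MCIM during provisioning.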

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Disclosed are a system and method for providing a Machine Communication Identity Module (MCIM) to Machine to Machine Equipment (M2ME). In the method, the M2ME establishes a connection with a Visited Network Operator (VNO) through the Trusted Environment (TRE) and establishes a connection with a Registration Operator (RO) through an IP connection provided by the VNO; the RO discovers the Selected Home Operator (SHO) of the M2ME; after a Platform Validation Authority has successfully validated the M2ME, the SHO authorizes the RO to download an MCIM to the M2ME; and the M2ME installs the downloaded MCIM on a Universal Integrated Circuit Card (UICC); wherein the TRE and the UICC are both located on the M2ME. The present invention lets the functions of the TRE on an M2ME be combined with the security of the UICC, ensuring both remote provisioning and secure storage of the MCIM.

Description

System and method for providing a machine communication identity module to machine to machine equipment
Technical field
The present invention relates to machine-to-machine (M2M) communication technology, and in particular to a system and method for providing a Machine Communication Identity Module (MCIM) to Machine to Machine Equipment (M2ME).
Background
M2M communication is the general term for a family of technologies, and combinations of them, that use wireless communication to realize data exchange between machines, and between machines and people. M2M has two layers of meaning: the first is the machine itself, called a smart device in the embedded field; the second is the connection between machines, linking them together through a network. Machine-type communication has a very wide range of applications, such as smart metering, remote monitoring, tracking and healthcare, making daily life more intelligent. Compared with traditional person-to-person communication, M2M equipment (M2ME) exists in huge numbers and across many application fields, and has great market prospects.
In M2M communication the main long-range connection technologies are GSM/GPRS/UMTS, and the main short-range ones are 802.11b/g, Bluetooth, Zigbee and RFID. M2M is a device-oriented service; because it integrates wireless communication with information technology it supports two-way communication, such as collecting information, setting parameters and sending commands remotely, which enables application scenarios such as security monitoring, vending and cargo tracking. Almost every device encountered in daily life is a potential service object. M2M offers a simple means of establishing a wireless connection for real-time device data between systems, between remote devices, or with individuals.
One challenge of M2M communication is the remote security management of deployed M2M devices. This requires solving how to remotely provision the subscription data, i.e. the MCIM (Machine Communication Identity Module), to the M2ME, while preventing the MCIM from being obtained and used by an attacker during provisioning. An MCIM application is a set of M2M security data and functions for accessing a 3GPP network (which may also be an IMS network). The MCIM can reside on a UICC (Universal Integrated Circuit Card) or in a TRE. When the MCIM resides on the UICC, the MCIM is the USIM or ISIM. TRE refers to the Trusted Environment provided by the M2ME; a TRE can be validated by an authorized external agent whenever needed. The MCIM can be installed in the TRE, and the M2ME provides hardware and software protection and isolation for the MCIM through the TRE.
At present, M2ME provides M2M services in one of two ways: based on a UICC, or based on a TRE functional entity.
When the M2ME provides M2M services based on a UICC, how to remotely provision the subscription data, i.e. remotely provide the MCIM to the UICC, is a problem that a UICC-based M2ME needs to solve.
Two solutions currently exist for UICC-based M2MEs providing M2M services. One is a UICC solution in which the remotely provisioned subscription data cannot be changed; the other is a UICC-based solution in which the subscription data can be changed. The former makes it convenient to provide M2M services to the M2ME, but when the M2M service subscriber wants to change the operator of the M2M service the UICC must be replaced, which makes maintenance of the M2M device very difficult and, where possible at all, costly; this approach therefore cannot realize remote management of the MCIM of the M2M device. In the second solution, if the home network operator is fixed when the UICC is issued there is no initial MCIM provisioning problem, but if the home network operator is determined only after the UICC has been issued, initially provisioning the MCIM to the UICC is a problem that still has to be solved. Alternatively, the operator can be changed by changing the IMSI (International Mobile Subscriber Identity), which makes the M2ME easy to manage; this scheme, however, involves passing the IMSI between different mobile operator networks, which increases the security risk to the M2ME subscription data, and while the IMSI is being changed the UICC may lose its connection to every operator.
A solution already exists for the case where the MCIM is remotely provisioned to the TRE on the M2ME. In the TRE-based remote MCIM provisioning scheme, the remotely provisioned MCIM is installed in the TRE over the initial connection provided by the TRE. The drawback of this scheme is that the protection of the MCIM depends on the security of the TRE, and because the TRE is implemented on the M2ME its security is lower than that of a UICC; the MCIM is therefore not well protected in the TRE.
发明内容 Summary of the invention
本发明要解决的技术问题是提供一种向 M2ME提供 MCIM的***及方 法, 可实现为 M2ME远程提供 MCIM , 并保证了 MCIM的安全存储。 为了解决上述技术问题, 本发明提供一种向机器到机器设备 ( M2ME ) 提供机器通信身份模块(MCIM ) 的方法, 包括: The technical problem to be solved by the present invention is to provide a system and method for providing MCIM to M2ME, which can provide MCIM remotely for M2ME and ensure secure storage of MCIM. In order to solve the above technical problems, the present invention provides a method for providing a Machine Communication Identity Module (MCIM) to a Machine to Machine (M2ME), comprising:
所述 M2ME通过可信环境( TRE )与拜访网络运营商建立连接, 并通过 所述拜访网络运营商提供的 IP连接与注册运营商建立连接, 所述注册运营商 发现所述 M2ME的归属网络运营商, 当平台验证授权中心对所述 M2ME进 行验证成功后, 所述归属网络运营商授权所述注册运营商将 MCIM下载到所 述 M2ME, 所述 M2ME将下载的 MCIM安装至通用集成电路卡( UICC ) ; 其中, 所述 TRE及 UICC均位于 M2ME上。  The M2ME establishes a connection with the visited network operator through a trusted environment (TRE), and establishes a connection with the registered operator through the IP connection provided by the visited network operator, and the registration operator discovers the home network operation of the M2ME. After the platform verification authority successfully verifies the M2ME, the home network operator authorizes the registration operator to download the MCIM to the M2ME, and the M2ME installs the downloaded MCIM to the universal integrated circuit card ( UICC); wherein, the TRE and the UICC are both located on the M2ME.
上述方法还可具有以下特点:  The above method can also have the following characteristics:
The step in which the M2ME establishes a connection with the visited network operator through the TRE and establishes a connection with the registration operator through the IP connection provided by the visited network operator includes:
the M2ME sends an attach message carrying the provisional connectivity identity of the M2ME to the visited network operator through the TRE; after receiving the provisional connectivity identity of the M2ME, the visited network operator connects to the registration operator and forwards the provisional connectivity identity to it; the registration operator generates a set of authentication vectors according to the provisional connectivity identity and returns the generated authentication vectors to the visited network operator; the visited network operator authenticates the M2ME using the authentication vectors and, once authentication succeeds, allocates an IP address to the M2ME; the M2ME then connects to the registration operator through the TRE using the IP connection provided by the visited network operator.
The above method may further have the following feature:
after the step in which the M2ME establishes a connection with the registration operator, the method further includes: the M2ME sends information on the home network operator selected by the subscriber to the registration operator;
in the step in which the registration operator discovers the home network operator of the M2ME, the registration operator discovers the home network operator of the M2ME according to the home network operator information and registers the M2ME with the home network operator.
The above method may further have the following feature:
after the home network operator registers the M2ME, the method further includes: the home network operator requests the platform validation authority to validate the M2ME.
To solve the above technical problem, the present invention further provides a system for providing a machine communication identity module (MCIM) to machine to machine equipment (M2ME), including the M2ME, a visited network operator, a registration operator, a home network operator and a platform validation authority, wherein:
the M2ME includes a trusted environment (TRE) and a universal integrated circuit card (UICC); the M2ME establishes a connection with the visited network operator through the TRE, establishes a connection with the registration operator through the IP connection provided by the visited network operator, and installs the downloaded MCIM into the UICC;
the visited network operator, after establishing a connection with the M2ME, provides the M2ME with an IP connection to the registration operator;
the registration operator, after connecting with the M2ME, discovers the home network operator of the M2ME, and, once the platform validation authority has successfully validated the M2ME, downloads the MCIM to the M2ME under the authorization of the home network operator;
the platform validation authority validates the M2ME.
The above system may further have the following feature:
the M2ME further sends an attach message carrying the provisional connectivity identity of the M2ME to the visited network operator through the TRE, and further connects to the registration operator through the TRE using the IP connection provided by the visited network operator;
the visited network operator further connects to the registration operator after receiving the provisional connectivity identity of the M2ME and forwards the provisional connectivity identity to the registration operator; after receiving a set of authentication vectors returned by the registration operator, it authenticates the M2ME and allocates an IP address to the M2ME once authentication succeeds;
the registration operator further generates a set of authentication vectors after receiving the provisional connectivity identity and returns the generated authentication vectors to the visited network operator.
The above system may further have the following feature:
the M2ME further sends information on the home network operator selected by the subscriber to the registration operator after connecting to the registration operator;
the registration operator further discovers that home network operator according to the home network operator information and registers the M2ME with the home network operator.
The above system may further have the following feature:
the home network operator further requests the platform validation authority to validate the M2ME after the M2ME has been registered with the home network operator;
the platform validation authority further verifies the authenticity and integrity of the M2ME after receiving the validation request, and returns the validation result to the home network operator.
In summary, the present invention provides a system and method for providing an MCIM to an M2ME that combines the functions of the TRE on the M2ME with the security of the UICC, ensuring both remote provisioning and secure storage of the MCIM.

Brief Description of the Drawings
FIG. 1 is a schematic diagram of the UICC-based M2ME architecture according to an embodiment of the present invention (the TRE is located on the M2ME);
FIG. 2 is a schematic diagram of the UICC-based M2M system architecture according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of the remote initial provisioning of the MCIM according to an embodiment of the present invention.

Preferred Embodiments of the Invention
The present invention proposes a system and method for providing an MCIM to an M2ME, in which the M2ME combines the initial connectivity provided by the TRE on the M2ME with the high security of the UICC, so that the MCIM is provisioned to the M2ME remotely while the MCIM is kept secure.
FIG. 1 is a schematic diagram of the UICC-based M2ME architecture according to the present invention. In this architecture both the TRE and the UICC are located on the M2ME.
This embodiment provides a system for providing an MCIM to an M2ME. As shown in FIG. 2, the system includes the M2ME, a visited network operator (VNO), a registration operator (RO), a selected home operator (SHO) and a platform validation authority (PVA);
wherein the M2ME includes the UICC and the TRE (trusted environment), i.e. both the TRE and the UICC are located on the M2ME. The M2ME uses a provisional connectivity identity (PCID) as its private identity; so that the M2ME can register with a 3GPP network independent of the home operator that will be selected later, the PCID has to be installed by the vendor in the TRE on the M2ME. The PCID has the same format as an IMSI.
The TRE is the trusted environment provided by the M2ME. It provides hardware- and software-based protection and isolation for the provisioning, storage, execution and management of the MCIM. The security of the PCID is also guaranteed by the TRE: secure storage, retrieval and use of the PCID are all implemented by TRE functions. A TRE can be validated by an authorized external agent whenever required.
The M2ME establishes a connection with the visited network operator through the TRE, establishes a connection with the registration operator through the connection provided by the visited network operator, and installs the downloaded MCIM into the UICC;
the visited network operator, after establishing a connection with the M2ME, provides the M2ME with a connection to the registration operator;
the registration operator, after the M2ME has connected to it, discovers the home network operator of the M2ME, and, once the platform validation authority has successfully validated the M2ME, downloads the MCIM to the M2ME under the authorization of the home network operator; specifically,
the registration operator includes an MCIM download and provisioning function (DPF), a discovery and registration function (DRF) and an initial connectivity function (ICF); that is, the ICF of the registration operator receives the attach message sent by the M2ME and establishes a connection with the M2ME, and the DPF of the registration operator downloads the MCIM to the M2ME.
The M2ME establishing a connection with the visited network operator through the TRE means that the M2ME sends, through the TRE, an attach message carrying the provisional connectivity identity of the M2ME to the visited network operator;
the visited network operator further connects to the registration operator after receiving the provisional connectivity identity of the M2ME and forwards the provisional connectivity identity to the registration operator; after receiving a set of authentication vectors returned by the registration operator, it authenticates the M2ME and allocates an IP address to the M2ME once authentication succeeds; the registration operator further generates a set of authentication vectors after receiving the provisional connectivity identity and returns the generated authentication vectors to the visited network operator;
the M2ME connects to the registration operator through the TRE using the IP connection provided by the visited network operator. After connecting to the registration operator, the M2ME further sends information on the home network operator selected by the subscriber to the registration operator;
the registration operator further discovers that home network operator according to the home network operator information and registers the M2ME with the home network operator; the registration operator helps the M2ME discover its home network operator through the DRF, or the DRF discovers the home network operator on behalf of the M2ME.
The home network operator, after the M2ME has been registered with it, requests the platform validation authority to validate the M2ME; when validation succeeds it notifies the registration operator that the M2ME has been validated successfully and authorizes the registration operator to provide the MCIM to the M2ME;
the registration operator downloads the MCIM to the M2ME after receiving the authorization notification.
The platform validation authority validates the M2ME: after receiving the validation request it verifies the authenticity and integrity of the M2ME, and then returns the validation result to the home network operator.
When the MCIM resides on the UICC, the MCIM is the USIM/ISIM. For convenience of description, in the present invention only the term MCIM is used for the M2ME, whether or not the MCIM resides on the UICC, rather than USIM/ISIM.
This embodiment provides a method for providing an MCIM to an M2ME. As shown in FIG. 3, both the UICC and the TRE are located on the M2ME. When the M2ME is used for the first time and no MCIM (machine communication identity module) is pre-installed on the UICC, the M2M home operator is selected by the subscriber of the M2ME; the M2ME then establishes an IP connection with the RO through the TRE, and the RO helps the M2ME register with the SHO. After the SHO has verified the authenticity and integrity of the M2ME through the PVA, it authorizes the RO to provide the MCIM to the M2ME. The M2ME downloads the MCIM and provisions it to the UICC. The provisioning process includes the following steps:
Step 301: with both the TRE and the UICC located on the M2ME, the M2ME decodes the network information according to standard GSM/UMTS principles and attaches to any VNO;
specifically, the M2ME establishes an initial connection with the visited network operator through the TRE, i.e. the M2ME sends an attach message to the VNO through the TRE, carrying a provisional connectivity identity (PCID) of the M2ME.
Step 302: after receiving the PCID of the M2ME, the VNO establishes a connection with the RO and sends the PCID to the RO (ICF function). In some cases the RO may be located at the VNO.
Step 303: after receiving the PCID of the M2ME, the RO (ICF function) generates a set of authentication vectors (AVs) for that PCID.
Step 304: the RO sends the generated authentication vectors (AVs) to the VNO.
Step 305: the VNO authenticates the PCID/M2ME using the authentication vectors; AKA (Authentication and Key Agreement) may be used, though the method is not limited to it.
Step 306: after authentication succeeds, the VNO provides the M2ME with an IP connection to the RO, i.e. it allocates an IP address to the M2ME and sends the allocated IP address to the M2ME.
Step 307: the M2ME connects to the RO through the IP connection provided by the VNO network.
Step 308: the RO helps the M2ME discover its SHO, or the RO itself discovers the SHO on behalf of the M2ME.
In this step, the RO needs to learn which SHO the M2ME has before it can discover it; the M2ME may send the information on the SHO selected by its subscriber to the RO after establishing the connection with the RO (the SHO information may be, for example, the name of the SHO). The SHO discovery procedure may use, but is not limited to, OMA (Open Mobile Alliance) BOOTSTRAP (Bootstrap Protocol).
Step 309: the RO establishes a connection with the SHO and registers with the SHO the M2ME that is to connect to the SHO network.
Step 310: the SHO requests the PVA (or the SHO requests the PVA through the RO) to verify the authenticity and integrity of the M2ME.
The SHO requesting the PVA through the RO means that the SHO notifies the RO to have the M2ME validated, and the RO, on receiving that notification, requests the PVA to verify the authenticity and integrity of the M2ME.
Step 311: the PVA verifies the authenticity and integrity of the M2ME.
Step 312: the PVA sends the validation result to the SHO.
Step 313: if validation succeeds, the SHO notifies the RO (DPF function) that the M2ME has been validated successfully and authorizes the RO (DPF function) to provide the MCIM to the M2ME.
Step 314: the RO (DPF function) downloads the MCIM to the M2ME.
Step 315: the M2ME installs the downloaded MCIM into the UICC.
Step 316: the M2ME reports the MCIM provisioning success/failure status to the RO (DPF function).
Step 317: the RO (DPF function) reports the MCIM provisioning success/failure status to the SHO.
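As an added illustration of the message flow in steps 301 to 317 and of the roles given above to the VNO, RO (ICF/DRF/DPF), SHO and PVA, the following Python simulation is not part of the patent; it models the PCID attach and AKA-style authentication, SHO discovery, PVA validation and the SHO-authorized MCIM download in one process, using HMAC-SHA256 as a stand-in for the AKA response function and a firmware hash as a stand-in for the PVA's integrity check. All identities, keys, hashes and the 10.0.0.x addresses are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample values for the demo (not real operator or device data).
DEMO_PCID = "PCID-001"                 # IMSI-format in practice; a label here
DEMO_K = b"\x01" * 16                  # key installed in the TRE by the vendor
DEMO_FW = b"constructed M2ME firmware image v1"


def f2(k: bytes, rand: bytes) -> bytes:
    # Simplified stand-in for the AKA response function (MILENAGE f2): RES = f2(K, RAND).
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]


@dataclass
class M2ME:
    pcid: str                          # PCID held in the TRE
    k: bytes                           # key held in the TRE, shared with the RO's ICF
    firmware: bytes                    # image whose measurement the PVA validates
    uicc: dict = field(default_factory=dict)   # empty: no pre-installed MCIM
    ip: str = ""                       # allocated by the VNO in step 306

    def tre_response(self, rand: bytes) -> bytes:
        return f2(self.k, rand)        # the TRE keeps k inside and releases only RES

    def tre_measurement(self) -> str:
        return hashlib.sha256(self.firmware).hexdigest()


@dataclass
class PVA:
    reference: dict                    # PCID -> expected firmware measurement

    def validate(self, dev: M2ME) -> bool:                          # step 311
        return hmac.compare_digest(self.reference.get(dev.pcid, ""), dev.tre_measurement())


@dataclass
class SHO:
    name: str
    pva: PVA
    registered: set = field(default_factory=set)

    def validate_and_authorize(self, dev: M2ME, ro: "RO") -> bool:   # steps 310-313
        # Only a registered device that passes PVA validation gets the DPF authorized.
        if dev.pcid in self.registered and self.pva.validate(dev):
            ro.authorized[dev.pcid] = self.name
            return True
        return False


@dataclass
class RO:
    keys: dict                         # ICF: PCID -> K
    shos: dict                         # DRF: SHO name -> SHO
    mcims: dict                        # DPF: PCID -> MCIM profile to deliver
    authorized: dict = field(default_factory=dict)                  # PCID -> authorizing SHO

    def icf_auth_vectors(self, pcid: str, n: int = 2) -> list:      # step 303
        k = self.keys[pcid]
        return [(r, f2(k, r)) for r in (os.urandom(16) for _ in range(n))]

    def dpf_download(self, pcid: str) -> str:                       # step 314
        if pcid not in self.authorized:                             # no SHO authorization: refuse
            raise PermissionError(f"no SHO authorization for {pcid}")
        return self.mcims[pcid]


@dataclass
class VNO:
    ro: RO
    next_host: int = 1

    def attach(self, dev: M2ME) -> str:                             # steps 301-306
        rand, xres = self.ro.icf_auth_vectors(dev.pcid)[0]          # steps 302-304
        if not hmac.compare_digest(dev.tre_response(rand), xres):   # step 305 (AKA)
            return ""                                               # no IP for the device
        dev.ip = f"10.0.0.{self.next_host}"                         # step 306
        self.next_host += 1
        return dev.ip


def provision(dev: M2ME, vno: VNO, ro: RO, sho_name: str) -> str:
    """Run steps 301-317 and return the status the M2ME reports in step 316."""
    if not vno.attach(dev):
        return "failed: AKA authentication"                         # never reaches the RO
    sho = ro.shos.get(sho_name)                                     # step 308 (DRF)
    if sho is None:
        return "failed: SHO discovery"
    sho.registered.add(dev.pcid)                                    # step 309
    if not sho.validate_and_authorize(dev, ro):                     # steps 310-313
        return "failed: PVA validation"
    dev.uicc["MCIM"] = ro.dpf_download(dev.pcid)                    # steps 314-315
    return "success"                                                # steps 316-317


def build_demo(tre_key: bytes = DEMO_K, firmware: bytes = DEMO_FW):
    """One device plus the operator entities, all with constructed values."""
    pva = PVA({DEMO_PCID: hashlib.sha256(DEMO_FW).hexdigest()})
    ro = RO({DEMO_PCID: DEMO_K}, {"SHO-A": SHO("SHO-A", pva)},
            {DEMO_PCID: "MCIM-profile-for-SHO-A"})
    return M2ME(DEMO_PCID, tre_key, firmware), VNO(ro), ro
```

The property the simulation makes visible is that the DPF releases the MCIM only once the SHO has recorded an authorization for that PCID, so a device that fails AKA at the VNO or PVA validation at the SHO ends with an empty UICC.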
Although the present invention has been described in connection with specific embodiments, those skilled in the art may make modifications and variations without departing from the spirit or scope of the invention. Such modifications and variations are regarded as falling within the scope of the invention and of the appended claims.
Industrial Applicability
The present invention provides a system and method for providing a machine communication identity module to machine to machine equipment that combines the functions of the TRE on the M2ME with the security of the UICC, ensuring both remote provisioning and secure storage of the MCIM.

Claims

1. A method for providing a machine communication identity module (MCIM) to machine to machine equipment (M2ME), comprising:
the M2ME establishing a connection with a visited network operator through a trusted environment (TRE) and establishing a connection with a registration operator through an IP connection provided by the visited network operator; the registration operator discovering a home network operator of the M2ME; after a platform validation authority has successfully validated the M2ME, the home network operator authorizing the registration operator to download the MCIM to the M2ME; and the M2ME installing the downloaded MCIM into a universal integrated circuit card (UICC); wherein both the TRE and the UICC are located on the M2ME.
2. The method according to claim 1, wherein:
the step in which the M2ME establishes a connection with the visited network operator through the TRE and establishes a connection with the registration operator through the IP connection provided by the visited network operator includes:
the M2ME sends an attach message carrying the provisional connectivity identity of the M2ME to the visited network operator through the TRE; after receiving the provisional connectivity identity of the M2ME, the visited network operator connects to the registration operator and forwards the provisional connectivity identity to it; the registration operator generates a set of authentication vectors according to the provisional connectivity identity and returns the generated authentication vectors to the visited network operator; the visited network operator authenticates the M2ME using the authentication vectors and, once authentication succeeds, allocates an IP address to the M2ME; the M2ME then connects to the registration operator through the TRE using the IP connection provided by the visited network operator.
3. The method according to claim 1, wherein:
after the step in which the M2ME establishes a connection with the registration operator, the method further includes: the M2ME sends information on the home network operator selected by the subscriber to the registration operator;
in the step in which the registration operator discovers the home network operator of the M2ME, the registration operator discovers the home network operator of the M2ME according to the home network operator information and registers the M2ME with the home network operator.
4. The method according to claim 3, wherein: after the home network operator registers the M2ME, the method further includes: the home network operator requests the platform validation authority to validate the M2ME.
5. A system for providing a machine communication identity module (MCIM) to machine to machine equipment (M2ME), comprising the M2ME, a visited network operator, a registration operator, a home network operator and a platform validation authority, wherein:
the M2ME includes a trusted environment (TRE) and a universal integrated circuit card (UICC); the M2ME establishes a connection with the visited network operator through the TRE, establishes a connection with the registration operator through the IP connection provided by the visited network operator, and installs the downloaded MCIM into the UICC;
the visited network operator, after establishing a connection with the M2ME, provides the M2ME with an IP connection to the registration operator;
the registration operator, after connecting with the M2ME, discovers the home network operator of the M2ME, and, once the platform validation authority has successfully validated the M2ME, downloads the MCIM to the M2ME under the authorization of the home network operator;
the platform validation authority validates the M2ME.
6. The system according to claim 5, wherein:
the M2ME further sends an attach message carrying the provisional connectivity identity of the M2ME to the visited network operator through the TRE, and further connects to the registration operator through the TRE using the IP connection provided by the visited network operator;
the visited network operator further connects to the registration operator after receiving the provisional connectivity identity of the M2ME and forwards the provisional connectivity identity to the registration operator; after receiving a set of authentication vectors returned by the registration operator, it authenticates the M2ME and allocates an IP address to the M2ME once authentication succeeds;
the registration operator further generates a set of authentication vectors after receiving the provisional connectivity identity and returns the generated authentication vectors to the visited network operator.
7. The system according to claim 5, wherein:
the M2ME further sends information on the home network operator selected by the subscriber to the registration operator after connecting to the registration operator;
the registration operator further discovers that home network operator according to the home network operator information and registers the M2ME with the home network operator.
8. The system according to claim 7, wherein:
the home network operator further requests the platform validation authority to validate the M2ME after the M2ME has been registered with the home network operator;
the platform validation authority further verifies the authenticity and integrity of the M2ME after receiving the validation request, and returns the validation result to the home network operator.
PCT/CN2010/071245 2009-09-14 2010-03-24 System and method for providing a machine communication identity module to a machine to machine equipment WO2011029297A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910176425.7 2009-09-14
CN200910176425.7A CN102025496B (en) 2009-09-14 2009-09-14 System and method for providing machine communication identity module for machine to machine equipment

Publications (1)

Publication Number Publication Date
WO2011029297A1 true WO2011029297A1 (en) 2011-03-17
