WO2012171283A1 - Method and system for third-party authentication and method for managing authentication state of terminal device - Google Patents
- Publication number: WO2012171283A1 (PCT/CN2011/080783)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- authentication
- smart card
- terminal
- state
- binding relationship
- Prior art date
- Legal status: Ceased (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
Definitions
- the present invention relates to the field of communications technologies, and in particular to a method and system for three-party authentication and a method for managing the authentication state of a terminal device.
- the Internet of Things has been regarded as one of the key technologies for coping with the economic crisis and revitalizing the economy.
- the IoT business can be widely applied to many industries, such as vehicles, electricity, finance, environmental protection, petroleum, personal and corporate security, hydrology, military, fire, weather, coal, agriculture, forestry, elevators, etc.
- the Internet of Things business will quickly enter many industries, and its number of users will also grow rapidly. It is estimated that by the end of 2012, the number of Internet of Things users based on mobile cellular communication technology in China will reach 30-40 million.
- IoT applications will become one of the core applications of Long Term Evolution (LTE) technology in a few years, and have broad development prospects.
- many IoT services require a high level of security for the terminal and the smart card. Examples include: environmental monitoring, in which environmental monitoring devices deployed in a residential community monitor its pollutants, noise, garbage, sewage and the like to provide a quiet, healthy and harmonious living environment for residents; and community security, in which, because personal and property safety are the top priority of residents, the community installs video surveillance, anti-theft alarm, home security, home video intercom and building access control equipment and links the information of owners, property management, security staff, the neighborhood committee and the public security bureau to jointly build a harmonious and safe living environment. Applications such as smart home, coal mine safety production and monitoring, and medical health also place very high requirements on application security management.
- the technical problem to be solved by the present invention is to provide a method and system for three-party authentication and a method for managing the authentication state of a terminal device, which can address the security requirements of various application environments.
- the present invention provides a method for three-party authentication, the method comprising:
- two-way authentication is performed between the terminal and the smart card. If the two-way authentication passes, the terminal reports the binding relationship between the terminal and the smart card to the management platform and requests the management platform to authenticate the binding relationship;
- the management platform authenticates the binding relationship between the terminal and the smart card, and if the binding relationship authentication passes, it determines that the three-party authentication passes.
- the method further includes:
- if the binding relationship authentication fails, it is determined that the three-party authentication fails.
- the step of performing mutual authentication between the terminal and the smart card includes:
- the smart card obtains the smart-card-side authentication result from the authentication information using algorithm 1, encrypts the smart-card-side authentication result using algorithm 2, and sends the authentication information and the encrypted smart-card-side authentication result to the terminal;
- the terminal obtains the terminal-side authentication result from the authentication information sent by the smart card, decrypts the encrypted smart-card-side authentication result using algorithm 3, and compares the decrypted smart-card-side authentication result with the terminal-side authentication result. If they are the same, the terminal-side authentication result is sent to the smart card; if they differ, the authentication fails and the current authentication process ends;
- the smart card compares the received terminal-side authentication result with its own smart-card-side authentication result. If they are the same, the authentication succeeds; if not, the authentication fails;
- algorithm 3 is the inverse operation of algorithm 2.
- the binding relationship refers to a combination of terminal information and smart card information
- the terminal information includes one of the following or any combination thereof: International Mobile Equipment Identity (IMEI), Electronic Serial Number (ESN), parameter information stored in the terminal;
- the smart card information includes one of the following or any combination thereof: International Mobile Subscriber Identity (IMSI), Integrated Circuit Card Identity (ICCID), parameter information stored in the smart card.
- the step of the management platform for authenticating the binding relationship between the terminal and the smart card includes:
- the management platform searches for the binding relationship between the terminal and the smart card in a local binding relationship database; if it is found, the binding relationship authentication passes, and if not, the binding relationship authentication fails.
- the method further includes:
- when it is determined that the three-party authentication passes, the management platform sets the state of the terminal device to a three-party authentication pass state or security state; when it is determined that the three-party authentication fails, the state of the terminal device is set to a three-party authentication fail state or insecure state.
- the method further includes:
- when the two-way authentication passes, the terminal and the smart card are set to a machine-card authentication pass state or two-way authentication pass state;
- when the two-way authentication fails, the terminal and the smart card are set to a card lock state or two-way authentication fail state, and the authentication information of the smart card is set to invalid information.
- setting the authentication information of the smart card to invalid information comprises changing the IMSI of the smart card to a blank, a random number, or an error message.
- the present invention further provides a method for managing an authentication state of a terminal device, where the terminal device includes a terminal and a smart card, and the authentication state management method includes:
- after the terminal is powered on and the smart card is reset, the terminal device changes from the initial state to the machine-card unauthenticated state;
- when the two-way authentication between the terminal and the smart card passes, the terminal device changes to the machine-card authentication pass state; when the two-way authentication fails, the terminal device changes to the card lock state or two-way authentication fail state;
- when the management platform passes the binding relationship authentication between the terminal and the smart card, the terminal device changes to the three-party authentication pass state or security state; when the binding relationship authentication fails, the terminal device changes to the three-party authentication fail state or insecure state.
- the present invention further provides a system for three-party authentication, the system comprising a two-way authentication module and a binding relationship authentication request module on the terminal side, a two-way authentication module on the smart card side, and a three-party authentication module in the management platform, wherein:
- the two-way authentication module on the terminal side is configured to perform mutual authentication with the smart card;
- the binding relationship authentication request module is configured to report the binding relationship between the terminal and the smart card to the management platform if the two-way authentication passes, and to request the management platform to authenticate the binding relationship;
- the two-way authentication module on the smart card side is configured to perform mutual authentication with the terminal;
- the three-party authentication module is configured to authenticate the binding relationship between the terminal and the smart card at the request of the binding relationship authentication request module. If the binding relationship authentication passes, the three-party authentication is determined to pass; if it fails, the three-party authentication is determined to fail.
- the two-way authentication module on the smart card side is configured to obtain the smart-card-side authentication result from the authentication information using algorithm 1, encrypt it using algorithm 2, and send the authentication information and the encrypted smart-card-side authentication result to the terminal; and, after receiving the terminal-side authentication result, to compare it with its own smart-card-side authentication result, the authentication succeeding if they match and failing otherwise;
- the two-way authentication module on the terminal side is configured to obtain the terminal-side authentication result from the authentication information sent by the smart card, decrypt the encrypted smart-card-side authentication result using algorithm 3, and compare the decrypted smart-card-side authentication result with the terminal-side authentication result; if they are the same, the terminal-side authentication result is sent to the smart card, and if not, the authentication fails and the current authentication process ends;
- algorithm 3 is the inverse operation of algorithm 2.
- the three-party authentication module is configured to determine whether the binding relationship between the terminal and the smart card exists in a binding relationship database local to the management platform; if so, the binding relationship authentication passes, and if not, it fails;
- the binding relationship refers to a combination of terminal information and smart card information
- the terminal information includes one of the following information or any combination thereof: IMEI, ESN, parameter information stored in the terminal;
- the smart card information includes one or any combination of the following information: IMSI, ICCID, parameter information stored in the smart card.
- the system further includes a two-way authentication result implementation module on the smart card side.
- the two-way authentication result implementation module is configured to set the terminal and the smart card to a machine-card authentication pass state or two-way authentication pass state when the two-way authentication passes, and, when the two-way authentication fails, to set the terminal and the smart card to a card lock state or two-way authentication fail state and set the authentication information of the smart card to invalid information.
- the two-way authentication result implementation module sets the authentication information of the smart card to invalid information by changing the IMSI of the smart card to a blank, a random number, or an error message.
- the security of the terminal and the smart card is ensured.
- if the terminal uses a forged smart card, the terminal is locked, and the security of the terminal is ensured.
- if the terminal is used illegally, it cannot log into the network.
- the terminal can be locked in time.
- the binding relationship can be dynamically authenticated, and the management rights over the terminal and card devices are controlled on the management platform side, which facilitates the operator in carrying out its own business and guarantees its development.
- FIG. 1 is a schematic diagram of a general process of a three-party authentication method according to an embodiment of the present invention
- FIG. 2 is a schematic diagram of interaction between a terminal, a smart card, and a management platform according to an embodiment of the present invention
- FIG. 3 is a schematic flowchart of a two-way authentication of a terminal and a smart card according to an embodiment of the present invention
- FIG. 4 is a schematic diagram of a process for authenticating a binding relationship between a terminal and a smart card by a management platform according to an embodiment of the present invention
- FIG. 5 is a schematic diagram of various authentication states of a terminal device according to an embodiment of the present invention.
- FIG. 6 is a schematic diagram of successful three-party authentication of a terminal, a smart card, and a management platform according to Embodiment 1 of the present invention
- FIG. 7 is a schematic diagram of a failure of a three-party authentication of a terminal, a smart card, and a management platform according to Embodiment 2 of the present invention.
- Preferred embodiment of the invention
- an embodiment of the present invention provides a method for three-party authentication of a mobile terminal, a smart card, and a management platform. As shown in FIG. 1, the method includes the following processes:
- Step 101 The terminal device is powered on, and after the smart card is reset, the terminal device changes from the initial state to the machine-card unauthenticated state.
- the terminal device refers to a device composed of a terminal and a smart card.
- Step 102 First, two-way authentication is performed between the mobile terminal and the smart card. If the two-way authentication between the mobile terminal and the smart card passes, go to step 103; if it fails, go to step 104.
- Step 103 If the terminal and the smart card pass the two-way authentication, the state is set to the machine-card authentication pass state, and the mobile terminal reports the binding relationship between the terminal and the smart card to the management platform and requests the management platform to authenticate the binding relationship.
- Step 104 If the two-way authentication fails, the state is set to the card lock state (the terminal is locked, the terminal is invalid, etc.), and the authentication information of the smart card (especially the IMSI) is modified to invalid information, such as changing the IMSI to a blank, a random number or an error message, so that the smart card cannot be used; the authentication ends.
- Step 105 The management platform performs a three-party authentication process of the mobile terminal, the smart card, and the management platform.
- Step 107 After receiving the authentication pass indication from the management platform, the terminal sets the state of the terminal device to the security state (or three-party authentication pass state) and allows the terminal device to run the related IoT applications.
- Step 108 After receiving the authentication failure indication from the management platform, the terminal sets the state of the terminal device to the insecure state (or three-party authentication fail state) and prohibits the terminal device from running the related IoT applications.
- before running a related IoT application, the terminal device checks its state: if the state is the security state (three-party authentication pass state), the application may run; if the state is the insecure state (three-party authentication fail state), the application is prohibited.
- the binding relationship refers to a combination of terminal information and smart card information
- the terminal information includes one of the following information or any combination thereof: IMEI, ESN, parameter information stored in the terminal, and the like;
- the smart card information includes one of the following information or any combination thereof: IMSI, ICCID, parameter information stored in the smart card, and the like.
- the two-way authentication process of the terminal and the smart card is performed by using the terminal and the smart card authentication protocol.
- algorithm 1 and algorithm 2 are respectively stored in the smart card and the terminal, and the inverse of algorithm 2 (algorithm 3) is additionally stored in the terminal.
- algorithm 1 is used to obtain the authentication result from the authentication information, algorithm 2 is used to encrypt the authentication result, and algorithm 3 is used to decrypt the result of algorithm 2.
- the management platform includes a card binding correspondence database for storing corresponding information of the card binding relationship.
- the management platform may be a network authentication platform, an application management platform, a security management platform, or the like.
- Step 301 The smart card obtains the smart-card-side operation result (hereinafter also called the authentication result) from the authentication information (including the authentication parameters and the like) using the agreed algorithm 1, encrypts it using algorithm 2, and sends an authentication-allowed command to the terminal carrying the authentication information, such as the authentication parameters, and the encrypted authentication result computed from that information;
- the authentication information includes one or more of a random number, the International Mobile Subscriber Identity (IMSI), a user authentication key, and other information stored in the smart card.
- Step 302 The terminal performs the algorithm 3 operation (the inverse of algorithm 2) on the encrypted operation result sent by the smart card, i.e. the decryption process of algorithm 2, and obtains the smart-card-side authentication result; meanwhile, the terminal performs the same algorithm 1 operation on the information sent by the smart card to obtain the terminal-side authentication result.
- Step 303 Determine whether the smart card's authentication result is the same as the terminal's. If so, perform step 304; if not, perform step 305.
- Step 304 If the terminal-side operation result is consistent with the decrypted smart card operation result, the terminal sends its operation result to the smart card, and the process goes to step 306.
- Step 305 If the terminal-side operation result is inconsistent with the decrypted smart card operation result, the authentication fails, and the process goes to step 308.
- Step 306 After obtaining the terminal's operation result, the smart card compares it with the result of its own operation. If they are the same, the process proceeds to step 307; if not, to step 308.
- Step 307 The two-way authentication passes, the authentication ends, and the subsequent process continues.
- Step 308 The authentication fails, the authentication ends, the terminal is set to an abnormal use state (such as the terminal being locked or invalid), and the authentication information of the smart card is modified to invalid information (such as a blank, a random number or error information).
- algorithm 1 and algorithm 2 are currently known algorithms, including but not limited to the following symmetric and asymmetric algorithms and any combination thereof: the data encryption algorithm (DES), the triple data encryption algorithm (3DES), hash algorithms (HASH), the IMSI authentication algorithm A3, the RSA algorithm, the error checking and correction algorithm (ECC), the encryption key generation algorithm A5, the user key generation algorithm A8, and so on.
- a combination of algorithms means, for example, using one of the algorithms first and then another, and so on.
- the management platform authenticates the binding relationship between the smart card and the terminal. Only if the binding relationship authentication passes does the management platform allow the device composed of the terminal and the smart card to run IoT applications; otherwise that device is prohibited from running IoT applications.
- Step 401 After the two-way authentication between the mobile terminal and the smart card passes, the mobile terminal reports its binding relationship with the smart card to the management platform and requests the management platform to authenticate the binding relationship.
- Step 402 The management platform verifies whether the binding relationship between the smart card and the terminal passes. If yes, step 403 is performed. If not, step 404 is performed.
- the binding relationships between smart cards and terminals are stored in a binding relationship database local to the management platform.
- the management platform verifies the binding relationship between the smart card and the terminal by checking whether that binding relationship exists in the database.
- Step 403 If the binding relationship is verified, the management platform returns a three-party authentication pass indication to the terminal, and step 405 is performed.
- Step 404 If the binding relationship fails verification, the management platform returns a three-party authentication failure indication to the terminal, and the process proceeds to step 406.
- Step 405 If the terminal receives the three-party authentication pass indication returned by the management platform, the state of the terminal device is set to a security state (three-party authentication pass status).
- Step 406 If the terminal receives the three-party authentication failure indication returned by the management platform, the state of the terminal device is set to the insecure state (three-party authentication fail state).
- before running an IoT application, the terminal device first determines whether its state is the security state (three-party authentication pass state); if so, the application runs, otherwise it does not.
- the embodiment of the present invention further provides a method for managing the authentication status of the terminal device.
- FIG. 5 shows various authentication states of the terminal device in a specific application. As shown in FIG. 5, the status of the terminal device may be classified into the following types:
- the default state of the terminal device is the initial state;
- the terminal device enters the machine-card unauthenticated state; specifically, after the terminal is powered on and the smart card is reset, the terminal device changes from the initial state to the machine-card unauthenticated state;
- when the binding relationship authentication between the terminal and the smart card passes on the management platform, the terminal device changes to the three-party authentication pass state or security state; when the binding relationship authentication fails, the terminal device changes to the three-party authentication fail state or insecure state.
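The following simulation is an added example, not code from the patent: it runs the terminal/smart card mutual authentication (steps 301 to 308), the management platform's binding relationship check (steps 401 to 406) and the FIG. 5 state changes end to end. The patent leaves algorithms 1 to 3 open, so HMAC-SHA256 stands in for algorithm 1 and XOR with an HMAC-derived keystream for algorithms 2/3; the keys, IMEI/IMSI values and the `(IMEI, IMSI)` database are constructed for the example.

```python
"""Simulation of the patent's three-party authentication: smart card <-> terminal
mutual authentication (steps 301-308), binding authentication by the management
platform (steps 401-406) and the terminal-device states of FIG. 5. Algorithm 1 is
modelled as HMAC-SHA256; algorithms 2/3 as XOR with an HMAC-derived keystream."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Terminal-device states (FIG. 5)
INITIAL = "initial"
CARD_UNAUTHENTICATED = "machine-card unauthenticated"
CARD_AUTH_PASS = "machine-card authentication pass"
CARD_LOCKED = "card lock"
SECURE = "secure (three-party authentication pass)"
INSECURE = "insecure (three-party authentication fail)"


def algorithm1(key1: bytes, auth_info: bytes) -> bytes:
    """Algorithm 1 (stand-in): authentication result derived from the auth info."""
    return hmac.new(key1, auth_info, hashlib.sha256).digest()


def algorithm2(key2: bytes, rand: bytes, result: bytes) -> bytes:
    """Algorithm 2 (stand-in): encrypt the 32-byte result with a keystream bound to rand."""
    stream = hmac.new(key2, b"alg2" + rand, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(result, stream))


def algorithm3(key2: bytes, rand: bytes, ciphertext: bytes) -> bytes:
    """Algorithm 3: inverse of algorithm 2 (XOR with the same keystream)."""
    return algorithm2(key2, rand, ciphertext)


@dataclass
class SmartCard:
    imsi: str
    key1: bytes
    key2: bytes
    expected: bytes = b""

    def start_authentication(self):
        """Step 301: result via algorithm 1, sent encrypted via algorithm 2
        together with the authentication information (random number + IMSI)."""
        rand = os.urandom(16)
        self.expected = algorithm1(self.key1, rand + self.imsi.encode())
        return rand, self.imsi, algorithm2(self.key2, rand, self.expected)

    def check_terminal_result(self, terminal_result: bytes) -> bool:
        """Step 306: constant-time comparison with the card's own result."""
        return hmac.compare_digest(terminal_result, self.expected)

    def invalidate(self):
        """Step 308: overwrite the IMSI with a random number (card unusable)."""
        self.imsi = os.urandom(8).hex()


@dataclass
class Terminal:
    imei: str
    key1: bytes
    key2: bytes
    state: str = INITIAL

    def power_on(self):  # step 101: power-on and smart card reset
        self.state = CARD_UNAUTHENTICATED

    def mutual_authenticate(self, card: SmartCard) -> bool:
        """Steps 302-308 from the terminal's point of view."""
        rand, imsi, encrypted = card.start_authentication()
        card_result = algorithm3(self.key2, rand, encrypted)      # step 302
        own_result = algorithm1(self.key1, rand + imsi.encode())  # step 302
        ok = hmac.compare_digest(card_result, own_result)         # step 303
        # Step 304: only on a match is the terminal result sent on to the card;
        # step 305: on a mismatch the process ends without contacting the card.
        ok = ok and card.check_terminal_result(own_result)
        if ok:
            self.state = CARD_AUTH_PASS                           # step 307
        else:
            self.state = CARD_LOCKED                              # step 308
            card.invalidate()
        return ok


@dataclass
class ManagementPlatform:
    # Local binding-relationship database: constructed set of (IMEI, IMSI) pairs
    bindings: set = field(default_factory=set)

    def authenticate_binding(self, imei: str, imsi: str) -> bool:
        """Step 402: pass only if the reported pair is on file."""
        return (imei, imsi) in self.bindings


def three_party_authentication(term, card, platform) -> str:
    """Run the whole FIG. 1 flow and return the resulting device state.
    Only the SECURE state allows IoT applications to run (steps 107/108)."""
    term.power_on()
    if not term.mutual_authenticate(card):
        return term.state  # card lock: nothing is reported to the platform
    # Step 401: report the binding relationship; steps 405/406 set the state.
    ok = platform.authenticate_binding(term.imei, card.imsi)
    term.state = SECURE if ok else INSECURE
    return term.state
```

The third scenario in use (a card that does not hold key 1) shows the lock path: the terminal never sends its own result to the card, and the card's IMSI is overwritten.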
- the random number and the IMSI are used as the authentication information
- the smart card and the terminal respectively store the algorithm 1 and the algorithm 2
- the terminal additionally stores algorithm 3, the inverse of algorithm 2
- the algorithm 1 is used to obtain the authentication result according to the authentication information.
- Algorithm 2 is used to encrypt the authentication result
- Algorithm 3 is used to decrypt the result of Algorithm 2.
- the IoT terminal is powered on, and after the smart card is reset, the two-way authentication process of the mobile terminal and the smart card is performed.
- the terminal, the smart card, and the management platform of the embodiment successfully perform the three-party authentication process, which specifically includes:
- Step 602 The smart card sends an instruction to the terminal to notify the terminal to obtain the authentication parameter.
- Step 603 The terminal receives the command status word, identifies that authentication is allowed, and sends a command to the smart card requesting the smart card to send its encrypted authentication result.
- Step 604 The smart card performs the operation on the authentication parameters at the terminal's request, encrypts the result using algorithm 2, and sends the encrypted authentication result to the terminal in the command status word.
- Step 605 The terminal performs the algorithm 3 operation on the encrypted authentication result sent by the smart card.
- Step 606 The terminal finds on comparison that the two authentication results are consistent, and sends a command to the smart card carrying the terminal's unencrypted authentication result.
- Step 607 After obtaining the terminal's authentication result, the smart card compares it with the authentication result it obtained itself.
- Step 608 The smart card finds on comparison that the two authentication results are the same, and notifies the terminal that the two-way authentication succeeded.
- Step 609 After receiving the notification, the terminal sets the state to the machine-card authentication pass state, sends the terminal device identification number and information such as the IMSI that identify the mobile terminal and the smart card to the management platform to report the binding relationship between the terminal and the smart card (the communication means can use existing technologies such as short messages, BIP, etc.), and sends request information asking the management platform to authenticate the binding relationship.
- Step 610 When the management platform receives the terminal device identification number and IMSI pair of the binding relationship, it searches the corresponding binding relationship database for whether the binding relationship between the terminal and the smart card exists. If the corresponding relationship exists, the three-party authentication passes and the binding relationship authentication pass flag is returned to the terminal.
- after receiving the authentication pass flag, the terminal device sets its state to the security state (three-party authentication pass state). Before running a related IoT application, the terminal device determines that the device state is the security state (three-party authentication pass state) and then starts running the related IoT application.
- In this embodiment the IMSI is used as the authentication information.
- The smart card and the terminal each store algorithm 1 and algorithm 2.
- The terminal additionally stores the inverse of algorithm 2, namely algorithm 3.
- Algorithm 1 is used to obtain the authentication result from the authentication information.
- Algorithm 2 is used to encrypt the authentication result.
- Algorithm 3 is used to decrypt the output of algorithm 2.
- After the terminal is powered on and the smart card is reset, the two-way authentication process between the mobile terminal and the smart card is performed.
- The process in which the three-party authentication among the terminal, the smart card and the management platform fails is shown in FIG. 7 and described as follows:
- Step 702: At the same time, the smart card sends an instruction to the terminal notifying it to obtain the authentication parameter.
- Step 703: The terminal receives the command status word, recognizes that authentication is allowed, and sends a command to the smart card requiring it to send its encrypted authentication result.
- Step 704: On the terminal's request, the smart card performs an operation on the authentication parameter, encrypts the result using algorithm 2, and transmits the encrypted authentication result to the terminal in the command status word.
- Step 705: The terminal applies algorithm 3 (the decryption process of algorithm 2) to the encrypted authentication result sent by the smart card and obtains the smart card's authentication result; at the same time, the terminal performs the operation on the authentication information sent by the smart card using the same algorithm (algorithm 1) and obtains the terminal-side result. The terminal then compares whether the two authentication results are consistent.
- Step 706: The terminal finds that the two authentication results are inconsistent and sends a command notifying the smart card that authentication has failed. The terminal and the smart card end the authentication; the terminal is locked and cannot be used, and the IMSI of the smart card is changed to a random number so that, even if stolen, it cannot be used for network access. The terminal device is now in the machine-card locked state.
- The embodiment of the present invention further provides a method for managing the authentication state of a terminal device, where the terminal device includes a terminal and a smart card, and the authentication state management method includes:
- before the terminal and the smart card have performed two-way authentication, the state of the terminal device is the machine-card unauthenticated state;
- when the management platform's authentication of the binding relationship between the terminal and the smart card passes, the terminal device changes to the three-party authentication pass state or safe state; when the binding relationship authentication fails, the terminal device changes to the three-party authentication fail state or non-safe state;
- after the terminal is powered on and the smart card is reset, the terminal device changes from the initial state to the machine-card unauthenticated state.
- The embodiment of the present invention further provides a three-party authentication system (not shown), which mainly includes a two-way authentication module and a binding relationship authentication request module on the terminal side, a two-way authentication module on the smart card side, and a three-party authentication module in the management platform, where:
- the two-way authentication module on the terminal side is configured to perform two-way authentication with the smart card;
- the binding relationship authentication request module is configured to, when the two-way authentication passes, report the binding relationship between the terminal and the smart card to the management platform and request the management platform to authenticate the binding relationship; the two-way authentication module on the smart card side is configured to perform two-way authentication with the terminal;
- the three-party authentication module is configured to authenticate the binding relationship between the terminal and the smart card on the request of the binding relationship authentication request module; if the binding relationship authentication passes, the three-party authentication is determined to pass, otherwise the three-party authentication is determined to have failed.
- The two-way authentication module on the smart card side is configured to: obtain the smart card side authentication result from the authentication information using algorithm 1, encrypt the smart card side authentication result using algorithm 2, and send the authentication information together with the encrypted smart card side authentication result to the terminal; and, after receiving the terminal side authentication result, compare it with the smart card side authentication result it obtained; if they are consistent, the authentication succeeds, otherwise the authentication fails;
- the two-way authentication module on the terminal side is configured to: obtain the terminal side authentication result from the authentication information sent by the smart card using algorithm 1, decrypt the encrypted smart card side authentication result using algorithm 3, and compare the decrypted smart card side authentication result with the terminal side authentication result; if they are the same, send the terminal side authentication result to the smart card; otherwise the authentication fails and the current authentication process ends.
- Algorithm 3 is the inverse operation of algorithm 2.
- The three-party authentication module is configured to look up whether the binding relationship between the terminal and the smart card exists in the binding relationship database local to the management platform; if it exists, the binding relationship authentication is determined to pass, otherwise it is determined to fail;
- the binding relationship refers to the combination of terminal information and smart card information;
- the terminal information includes one or any combination of the following: IMEI, ESN, parameter information stored in the terminal;
- the smart card information includes one or any combination of the following: IMSI, ICCID, parameter information stored in the smart card.
- The system further comprises a two-way authentication result implementation module on the smart card side;
- the authentication result implementation module is configured to set the terminal and the smart card to the machine-card authentication pass state or two-way authentication pass state when the two-way authentication passes, and, when the two-way authentication fails, to set the terminal and the smart card to the machine-card locked state or two-way authentication fail state and set the authentication information of the smart card to invalid information.
- The two-way authentication result implementation module sets the authentication information of the smart card to invalid information by changing the IMSI of the smart card to a blank, a random number, or error information.
- The above modules or steps can be implemented by a general-purpose computing device, either concentrated on a single computing device or distributed over a network composed of multiple computing devices. Optionally, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device and, in some cases, performed in an order different from that illustrated or described here; or they may be made separately into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
- Through the above authentication method, the security of both the terminal and the smart card is ensured.
- When the terminal uses a forged smart card, the terminal is locked, ensuring the security of the terminal.
- When the smart card is stolen or used illegally, it cannot log into the network.
- When the terminal uses an illegal smart card, the terminal can be locked in time.
- The binding relationship can be dynamically authenticated, and the management platform side holds control and management rights over the terminal and card devices, which makes it convenient for the operator to carry out its own business and truly guarantees the dedicated use and security of the terminals and smart cards running IoT services.
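The two-way terminal/smart-card exchange of steps 602-608, with the lock-out branch of step 706, as an added simulation that is not part of the patent. The patent leaves algorithms 1, 2 and 3 unspecified, so the stand-ins here are assumptions: algorithm 1 is HMAC-SHA256 over the authentication information (the IMSI) under a secret shared by terminal and card, algorithm 2 is XOR with an HMAC-derived keystream under a second shared secret, and algorithm 3 is the same XOR (its inverse). The IMEI, IMSI and key values are constructed sample data; the class and function names are the example's own.

```python
"""
Added example (not the patent's own code): a simulation of the two-way
authentication between terminal and smart card described in steps 602-608,
including the failure branch of step 706. Stand-ins, all assumptions:
  algorithm 1 = HMAC-SHA256 over the authentication information (the IMSI)
                under a secret shared by terminal and card;
  algorithm 2 = XOR with a keystream derived from a second shared secret;
  algorithm 3 = the same XOR, i.e. the inverse of algorithm 2.
Keys, IMSI and IMEI values below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def algorithm1(secret: bytes, auth_info: str) -> bytes:
    """Algorithm 1: derive the authentication result from the authentication information."""
    return hmac.new(secret, auth_info.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for the cipher the patent leaves unspecified.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def algorithm2(key: bytes, result: bytes) -> bytes:
    """Algorithm 2: encrypt the authentication result."""
    return bytes(a ^ b for a, b in zip(result, _keystream(key, len(result))))


def algorithm3(key: bytes, ciphertext: bytes) -> bytes:
    """Algorithm 3: decrypt the output of algorithm 2 (XOR is its own inverse)."""
    return algorithm2(key, ciphertext)


@dataclass
class SmartCard:
    imsi: str
    auth_secret: bytes            # key for algorithm 1
    enc_key: bytes                # key for algorithm 2
    state: str = "card-unauthenticated"
    _result: bytes = field(default=b"", repr=False)

    def challenge(self) -> tuple[str, bytes]:
        """Steps 602-604: send the authentication information and the encrypted result."""
        self._result = algorithm1(self.auth_secret, self.imsi)
        return self.imsi, algorithm2(self.enc_key, self._result)

    def verify_terminal(self, terminal_result: bytes) -> bool:
        """Steps 607-608: compare the terminal's result with the card's own result."""
        ok = hmac.compare_digest(terminal_result, self._result)
        self.state = "card-authentication-passed" if ok else "card-locked"
        return ok

    def invalidate(self) -> None:
        """Step 706: overwrite the IMSI with a random number so the card cannot register."""
        self.imsi = str(secrets.randbelow(10**15)).zfill(15)


@dataclass
class Terminal:
    imei: str
    auth_secret: bytes            # key for algorithm 1
    dec_key: bytes                # key for algorithm 3
    state: str = "card-unauthenticated"


def two_way_authenticate(terminal: Terminal, card: SmartCard) -> bool:
    """Run the exchange; on any mismatch both sides lock (steps 605-609 / 706)."""
    auth_info, enc_result = card.challenge()
    card_result = algorithm3(terminal.dec_key, enc_result)          # step 605
    own_result = algorithm1(terminal.auth_secret, auth_info)
    if not hmac.compare_digest(card_result, own_result):            # step 706
        terminal.state = card.state = "card-locked"
        card.invalidate()
        return False
    if not card.verify_terminal(own_result):                        # steps 606-608
        terminal.state = "card-locked"
        return False
    terminal.state = "card-authentication-passed"                   # step 609
    return True


# Constructed sample data: a genuine card provisioned with the terminal's secrets,
# and a forged card that holds different secrets.
SAMPLE_IMSI = "460001234567890"
GENUINE_AUTH_SECRET = b"sample-algorithm-1-secret"
GENUINE_ENC_KEY = b"sample-algorithm-2-key"


def genuine_pair() -> tuple[Terminal, SmartCard]:
    return (Terminal("359999000000001", GENUINE_AUTH_SECRET, GENUINE_ENC_KEY),
            SmartCard(SAMPLE_IMSI, GENUINE_AUTH_SECRET, GENUINE_ENC_KEY))


def forged_pair() -> tuple[Terminal, SmartCard]:
    return (Terminal("359999000000001", GENUINE_AUTH_SECRET, GENUINE_ENC_KEY),
            SmartCard(SAMPLE_IMSI, b"forged-card-secret-1", b"forged-card-secret-2"))


if __name__ == "__main__":
    for label, (t, c) in (("genuine", genuine_pair()), ("forged", forged_pair())):
        print(label, two_way_authenticate(t, c), t.state, c.state, c.imsi)
```

Both comparisons use `hmac.compare_digest` so that a mismatch is not revealed through timing; the genuine pairing ends with both sides in the authentication pass state and the IMSI intact, while the forged card leaves both sides locked and the card's IMSI replaced by a random 15-digit number, as step 706 describes.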
Description
Method and system for three-party authentication and method for managing the authentication state of a terminal device
Technical field
The present invention relates to the field of communications technologies, and in particular to a method and system for three-party authentication and a method for managing the authentication state of a terminal device.
Background art
As an important part of the emerging high-tech industry, the Internet of Things has been regarded by countries around the world as one of the key technologies for coping with the economic crisis and revitalizing the economy. IoT services can be widely applied in many industries, such as vehicles, electric power, finance, environmental protection, petroleum, personal and enterprise security, hydrology, military, fire protection, meteorology, coal, agriculture and forestry, elevators and so on. According to expert forecasts, IoT services will rapidly enter many industries in the coming years and their number of users will grow quickly; it is estimated that by the end of 2012 the number of IoT users in China based on mobile cellular communication technology may reach 30 to 40 million, and in a few years IoT applications will become one of the core applications of Long Term Evolution (LTE) technology, with broad prospects for development.
Among the current application types of IoT services, many require a high level of security from the terminal and smart card equipment. Examples include environmental monitoring, in which various environmental monitoring devices are deployed in a residential community to monitor its environmental quality, including pollutants, noise, garbage and sewage, so as to create a quiet, healthy and harmonious living environment for residents; and community security, where, since personal and property safety are the residents' top concern, the community needs to install video surveillance, anti-theft alarms, home security equipment, home video intercoms, building access control and so on, and to interconnect the information of owners, property management, security staff, the neighbourhood committee and the public security bureau so as to jointly build a harmonious and safe living environment. In addition, applications such as smart homes, coal mine safety production and monitoring, and medical health also place very high requirements on application security management.
To prevent a smart card from being diverted to other uses or physically stolen, the application security management of the smart card must be considered, for example management measures such as machine-card binding and third-party legality authentication, so that a dedicated card is used only for its dedicated purpose. However, existing machine-card binding schemes, third-party legality authentication and similar measures either bind poorly and are easy to break, or are not secure enough, or cannot solve the problems of new application environments.
Summary of the invention
The technical problem solved by the present invention is to provide a method and system for three-party authentication and a method for managing the authentication state of a terminal device, which can guarantee security in a variety of application environments.
To solve the above technical problem, the present invention provides a method for three-party authentication, the method comprising:
performing two-way authentication between a terminal and a smart card; if the two-way authentication passes, the terminal reports the binding relationship between the terminal and the smart card to a management platform and requests the management platform to authenticate the binding relationship;
the management platform authenticates the binding relationship between the terminal and the smart card, and if the binding relationship authentication passes, determines that the three-party authentication passes.
Preferably, the method further comprises:
if the binding relationship authentication fails, determining that the three-party authentication fails.
Preferably, the step of performing two-way authentication between the terminal and the smart card comprises:
the smart card obtains a smart card side authentication result from authentication information using algorithm 1, encrypts the smart card side authentication result using algorithm 2, and sends the authentication information and the encrypted smart card side authentication result to the terminal;
the terminal obtains a terminal side authentication result from the authentication information sent by the smart card using algorithm 1, and at the same time decrypts the encrypted smart card side authentication result using algorithm 3, and compares the decrypted smart card side authentication result with the terminal side authentication result; if they are consistent, the terminal sends the terminal side authentication result to the smart card; if they are inconsistent, the authentication fails and the current authentication process ends;
the smart card compares the received terminal side authentication result with the smart card side authentication result it obtained; if they are consistent, the authentication succeeds, and if they are inconsistent, the authentication fails;
wherein algorithm 3 is the inverse operation of algorithm 2.
Preferably, the binding relationship refers to a combination of terminal information and smart card information;
wherein the terminal information includes one or any combination of the following: International Mobile Equipment Identity (IMEI), Electronic Serial Number (ESN), parameter information stored in the terminal;
the smart card information includes one or any combination of the following: International Mobile Subscriber Identification Number (IMSI), Integrated Circuit Card Identity (ICCID), parameter information stored in the smart card.
Preferably, the step of the management platform authenticating the binding relationship between the terminal and the smart card comprises:
the management platform looks up whether the binding relationship between the terminal and the smart card exists in a local binding relationship database; if it exists, the management platform determines that the binding relationship authentication passes, and if it does not exist, determines that the binding relationship authentication fails.
Preferably, the method further comprises:
when the management platform determines that the three-party authentication passes, setting the state of the terminal device to the three-party authentication pass state or safe state; when it determines that the three-party authentication fails, setting the state of the terminal device to the three-party authentication fail state or non-safe state.
Preferably, the method further comprises:
when the two-way authentication passes, setting the terminal and the smart card to the machine-card authentication pass state or two-way authentication pass state;
when the two-way authentication fails, setting the terminal and the smart card to the machine-card locked state or two-way authentication fail state, and setting the authentication information of the smart card to invalid information.
Preferably, setting the authentication information of the smart card to invalid information comprises: changing the IMSI of the smart card to a blank, a random number, or error information.
The present invention also provides a method for managing the authentication state of a terminal device, where the terminal device includes a terminal and a smart card, the authentication state management method comprising:
when the terminal and the smart card have not yet performed two-way authentication, the state of the terminal device is the machine-card unauthenticated state; when the two-way authentication passes, the terminal device changes to the machine-card authentication pass state or two-way authentication pass state; when the two-way authentication fails, the terminal device changes to the machine-card locked state or two-way authentication fail state;
when the management platform's authentication of the binding relationship between the terminal and the smart card passes, the terminal device changes to the three-party authentication pass state or safe state; when the binding relationship authentication fails, the terminal device changes to the three-party authentication fail state or non-safe state.
Preferably, the terminal device changes from the initial state to the machine-card unauthenticated state after the terminal is powered on and the smart card has just been reset.
In addition, the present invention also provides a three-party authentication system, the system comprising: a two-way authentication module and a binding relationship authentication request module on the terminal side, a two-way authentication module on the smart card side, and a three-party authentication module in the management platform, wherein:
the two-way authentication module on the terminal side is configured to perform two-way authentication with the smart card; the binding relationship authentication request module is configured to, if the two-way authentication passes, report the binding relationship between the terminal and the smart card to the management platform and request the management platform to authenticate the binding relationship;
the two-way authentication module on the smart card side is configured to perform two-way authentication with the terminal; the three-party authentication module is configured to authenticate the binding relationship between the terminal and the smart card on the request of the binding relationship authentication request module; if the binding relationship authentication passes, it determines that the three-party authentication passes, and if the binding relationship authentication does not pass, it determines that the three-party authentication fails.
Preferably, the two-way authentication module on the smart card side is configured to: obtain the smart card side authentication result from the authentication information using algorithm 1, encrypt the smart card side authentication result using algorithm 2, and send the authentication information and the encrypted smart card side authentication result to the terminal; and, after receiving the terminal side authentication result, compare it with the smart card side authentication result it obtained; if they are consistent, the authentication succeeds, and if they are inconsistent, the authentication fails;
the two-way authentication module on the terminal side is configured to: obtain the terminal side authentication result from the authentication information sent by the smart card using algorithm 1, and at the same time decrypt the encrypted smart card side authentication result using algorithm 3, and compare the decrypted smart card side authentication result with the terminal side authentication result; if they are consistent, send the terminal side authentication result to the smart card; if they are inconsistent, the authentication fails and the current authentication process ends;
wherein algorithm 3 is the inverse operation of algorithm 2.
Preferably, the three-party authentication module is configured to look up whether the binding relationship between the terminal and the smart card exists in the binding relationship database local to the management platform; if it exists, determine that the binding relationship authentication passes, and if it does not exist, determine that the binding relationship authentication fails;
the binding relationship refers to a combination of terminal information and smart card information;
wherein the terminal information includes one or any combination of the following: IMEI, ESN, parameter information stored in the terminal;
the smart card information includes one or any combination of the following: IMSI, ICCID, parameter information stored in the smart card.
Preferably, the system further comprises a two-way authentication result implementation module on the smart card side,
the authentication result implementation module being configured to: when the two-way authentication process passes, set the terminal and the smart card to the machine-card authentication pass state or two-way authentication pass state; when the two-way authentication fails, set the terminal and the smart card to the machine-card locked state or two-way authentication fail state, and set the authentication information of the smart card to invalid information.
Preferably, the two-way authentication result implementation module is configured to set the authentication information of the smart card to invalid information by changing the IMSI of the smart card to a blank, a random number, or error information.
Through the above authentication method, the security of both the terminal and the smart card is guaranteed: when the terminal uses a forged smart card, the terminal is locked, ensuring the security of the terminal; a smart card that is stolen or used illegally cannot log into the network; when the terminal uses an illegal smart card, the terminal can be locked in time; at the same time, the binding relationship can be dynamically authenticated, and the management platform side holds control and management rights over the terminal and card devices, which makes it convenient for the operator to carry out its own business and truly guarantees the dedicated use and security of the terminals and smart cards running IoT services.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present invention and form part of this application; the exemplary embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a schematic diagram of the overall flow of the three-party authentication method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the interaction between the terminal, the smart card and the management platform according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of the two-way authentication between the terminal and the smart card according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the process by which the management platform authenticates the binding relationship between the terminal and the smart card according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the various authentication states of the terminal device according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of successful three-party authentication of the terminal, the smart card and the management platform according to Embodiment 1 of the present invention;
FIG. 7 is a schematic diagram of failed three-party authentication of the terminal, the smart card and the management platform according to Embodiment 2 of the present invention.
Preferred embodiments of the invention
下文中将结合附图对本发明的实施方式进行详细说明。 需要说明的是, 在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互任意组合。 Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that, in the case of no conflict, the features in the embodiments and the embodiments in the present application may be arbitrarily combined with each other.
为使物联网应用能够有一个更加安全、 可靠的运行环境本发明实施方式 提出一种移动终端和智能卡、 管理平台三方认证的方法, 如图 1所示, 该方 法包括如下流程: In order to enable the Internet of Things application to have a safer and more reliable operating environment, an embodiment of the present invention provides a method for three-party authentication of a mobile terminal, a smart card, and a management platform. As shown in FIG. 1, the method includes the following processes:
步骤 101 , 终端设备开机, 智能卡复位后, 终端设备从初始状态转为机 卡未认证状态。 Step 101: The terminal device is powered on, and after the smart card is reset, the terminal device is changed from the initial state to the uncertified state of the card.
其中, 终端设备是指由终端和智能卡组成的设备。 The terminal device refers to a device composed of a terminal and a smart card.
步骤 102, 首先进行移动终端和智能卡之间的两方认证, 如果通过了移 动终端和智能卡之间的两方认证, 转步骤 103 , 如果终端、 智能卡双方认证 不通过, 转步骤 104。 Step 102: First, perform two-party authentication between the mobile terminal and the smart card. If the two-party authentication between the mobile terminal and the smart card is passed, go to step 103. If the authentication of both the terminal and the smart card fails, go to step 104.
步骤 103 , 如果终端和智能卡通过了两方双向认证, 则将状态置为机卡 认证通过状态, 移动终端向管理平台上报其和智能卡的绑定关系, 并请求管 理平台对绑定关系进行认证。 Step 103: If the terminal and the smart card pass the two-way mutual authentication, the state is set to the machine card authentication pass state, and the mobile terminal reports the binding relationship between the terminal and the smart card to the management platform, and requests the management platform to authenticate the binding relationship.
Step 104: the state is set to the card-locked state (the terminal may be locked, marked invalid, and so on), and at the same time the smart card's authentication information (in particular the IMSI) is overwritten with invalid information, for example a blank, a random number or an error value, so that the smart card can no longer be used; authentication ends.
Step 105: the management platform carries out the three-party authentication among the mobile terminal, the smart card and the management platform.
Step 106: if the management platform passes the binding-relationship authentication of the terminal and the smart card, three-party authentication passes; the management platform returns a binding-relationship-authentication-passed flag to the terminal and step 107 is executed. If the management platform does not pass the binding-relationship authentication, it returns a binding-relationship-authentication-failed flag to the terminal and step 108 is executed.
Step 107: on receiving the authentication-passed flag from the management platform, the terminal sets the state of the terminal device to the secure state (three-party-authentication-passed state) and allows the terminal device to run the relevant IoT applications.
Step 108: on receiving the authentication-failed flag from the management platform, the terminal sets the state of the terminal device to the insecure state (three-party-authentication-failed state) and forbids the terminal device from running the relevant IoT applications.
Before the terminal device runs a relevant IoT application it checks its state: in the secure state (three-party authentication passed) the application may run; in the insecure state (three-party authentication failed) running it is forbidden.
The binding relationship is the combination of terminal information and smart card information;
the terminal information comprises one of the following, or any combination of them: the IMEI, the ESN, parameter information stored in the terminal, and the like;
the smart card information comprises one of the following, or any combination of them: the IMSI, the ICCID, parameter information stored in the smart card, and the like.
In the embodiments of the invention, mutual authentication between the terminal and the smart card uses a terminal/smart card authentication protocol. As shown in FIG. 2, the smart card and the terminal each store algorithm one and algorithm two, and the terminal additionally stores algorithm three, the inverse of algorithm two. Algorithm one derives an authentication result from the authentication information, algorithm two encrypts the authentication result, and algorithm three decrypts the output of algorithm two. The management platform contains a machine-card binding database that stores the binding relationships. The management platform may be a network authentication platform, an application management platform, a security management platform, or the like.
As shown in FIG. 3, the authentication protocol flow of the embodiment is as follows:
Step 301: the smart card applies the agreed algorithm one to the authentication information (authentication parameters and the like) to obtain the card-side computation result (below also called the authentication result), encrypts it with algorithm two, and sends the terminal an "authentication permitted" instruction that carries the authentication information (the authentication parameters) together with the encrypted authentication result computed from it;
where the authentication information comprises one or more of: a random number, the International Mobile Subscriber Identity (IMSI), the user authentication key, and other information stored in the smart card.
Step 302: the terminal applies algorithm three (the inverse of algorithm two) to the encrypted result sent by the smart card, i.e. performs the decryption of algorithm two, and obtains the card-side authentication result; at the same time the terminal applies the same algorithm one to the information sent by the smart card and obtains the terminal-side authentication result.
Step 303: the terminal checks whether the smart card's authentication result equals its own; if they are equal, step 304 is executed, otherwise step 305.
Step 304: the terminal-side result and the decrypted card-side result agree, so the terminal sends its own result to the smart card; go to step 306.
Step 305: the terminal-side result and the decrypted card-side result differ, so authentication fails; go to step 308.
Step 306: the smart card compares the terminal's result with the result it computed itself; if they are equal, go to step 307, otherwise go to step 308.
Step 307: mutual authentication passes; authentication ends and the subsequent flow continues.
Step 308: authentication fails and ends; the terminal is set to an abnormal-use state (locked, invalid, and so on) and the smart card's authentication information is overwritten with invalid information (a blank, a random number, an error value, and so on).
Algorithms one and two may be any currently known algorithms, including but not limited to the following symmetric and asymmetric algorithms and any combination of them: the Data Encryption Standard (DES), Triple DES (3DES), hash algorithms (HASH), the GSM A3, A5 and A8 algorithms, RSA and ECC, and so on. (The source labels A3 an IMSI authentication algorithm, A5 an encryption-key generation algorithm, A8 a user-key generation algorithm and ECC an error checking and correction algorithm; in GSM, A3 is the subscriber authentication algorithm, A8 derives the ciphering key Kc and A5 is the air-interface cipher, and listed beside RSA the ECC meant is most plausibly elliptic-curve cryptography.) A combination of algorithms means applying one algorithm, then applying another to its output, and so on.
What the management platform authenticates is the binding relationship between the smart card and the terminal. Only when that binding passes authentication does the management platform allow the device made up of this terminal and smart card to run IoT applications; otherwise the device is forbidden from running them.
As shown in FIG. 4, the management platform's authentication of the binding relationship proceeds as follows:
Step 401: after two-party authentication between the mobile terminal and the smart card passes, the mobile terminal reports its binding relationship with the smart card to the management platform and requests that the platform authenticate it.
Step 402: the management platform verifies whether the binding between the smart card and the terminal passes; if so, step 403 is executed, otherwise step 404.
The management platform's local binding database holds a correspondence table of smart card/terminal bindings. The platform verifies the binding by checking whether the reported smart card/terminal binding exists in that table.
Step 403: the binding has been verified, so the management platform returns a three-party-authentication-passed indication to the terminal; go to step 405.
Step 404: the binding has not been verified, so the management platform returns a three-party-authentication-failed indication to the terminal; go to step 406.
Step 405: on receiving the three-party-authentication-passed indication from the management platform, the terminal sets the state of the terminal device to the secure state (three-party-authentication-passed state).
Step 406: on receiving the three-party-authentication-failed indication from the management platform, the terminal sets the state of the terminal device to the insecure state (three-party-authentication-failed state).
Before an IoT application is run, the terminal device first checks whether its state is the secure state (three-party-authentication-passed state); if it is, the application runs, otherwise it does not.
The embodiments of the invention further provide a method for managing the authentication state of the terminal device. FIG. 5 shows the authentication states the terminal device passes through in a concrete application; as shown in FIG. 5, the state of the terminal device is one of the following:
The default state of the terminal device is the initial state. While the terminal and the smart card have not yet performed mutual authentication, the terminal device is in the card-unauthenticated state; concretely, once the terminal has powered on and the smart card has just been reset, the terminal device moves from the initial state to the card-unauthenticated state;
state;
When the management platform's authentication of the terminal/smart card binding passes, the terminal device moves to the three-party-authentication-passed (secure) state; when the binding authentication fails, it moves to the three-party-authentication-failed (insecure) state.
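The binding check of steps 401-406 and the terminal state transitions of FIG. 5, written out as an editor's example in Python; this is not code from the patent. The binding table, the IMEI/IMSI values, the rule that only a device in the card-authenticated state may ask the platform to authenticate its binding, and the return to the card-unauthenticated state on a power cycle are assumptions of the example: the page names the states and the conditions that enter them but does not give a transition table.

```python
# Terminal device states named on the page (FIG. 5): initial, card-unauthenticated,
# card-authenticated, card-locked, secure (three-party passed), insecure (three-party failed).
INITIAL = "initial"
CARD_UNAUTH = "card_unauthenticated"
CARD_AUTH = "card_authenticated"
CARD_LOCKED = "card_locked"
SECURE = "secure"
INSECURE = "insecure"

# Permitted transitions. Power-on/card reset, the mutual-authentication outcome and the
# platform's verdict come from the page; returning to card_unauthenticated on a power
# cycle from the secure/insecure states is an assumption of this example.
TRANSITIONS = {
    INITIAL: {CARD_UNAUTH},
    CARD_UNAUTH: {CARD_AUTH, CARD_LOCKED},
    CARD_AUTH: {SECURE, INSECURE},
    CARD_LOCKED: set(),
    SECURE: {CARD_UNAUTH},
    INSECURE: {CARD_UNAUTH},
}


class ManagementPlatform:
    """Holds the machine-card binding table consulted in step 402 (and step 610)."""

    def __init__(self, bindings):
        self._bindings = set(bindings)          # {(terminal_info, card_info), ...}

    def authenticate_binding(self, terminal_info: str, card_info: str) -> bool:
        # Steps 402-404: the pass flag is returned only if the reported pair is in the table.
        return (terminal_info, card_info) in self._bindings


class TerminalDevice:
    def __init__(self, imei: str, imsi: str):
        self.imei, self.imsi = imei, imsi
        self.state = INITIAL

    def _move(self, new_state: str) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise RuntimeError(f"illegal transition {self.state} -> {new_state}")
        self.state = new_state

    def power_on(self) -> None:
        self._move(CARD_UNAUTH)                 # terminal on, smart card just reset

    def mutual_authentication_result(self, passed: bool) -> None:
        self._move(CARD_AUTH if passed else CARD_LOCKED)

    def request_binding_authentication(self, platform: ManagementPlatform) -> bool:
        # Step 401: only after two-party authentication may the binding be reported.
        if self.state != CARD_AUTH:
            raise RuntimeError(f"binding authentication not allowed in state {self.state}")
        flag = platform.authenticate_binding(self.imei, self.imsi)
        self._move(SECURE if flag else INSECURE)   # steps 405/406
        return flag

    def run_iot_application(self, name: str) -> str:
        # Gate before any IoT application: run only in the secure state.
        if self.state != SECURE:
            return f"{name}: refused (state={self.state})"
        return f"{name}: running"


def run_demo() -> dict:
    # Constructed binding table: one IMEI bound to one IMSI (both values made up).
    platform = ManagementPlatform({("356938035643809", "460001234567890")})

    bound = TerminalDevice("356938035643809", "460001234567890")
    bound.power_on()
    bound.mutual_authentication_result(True)
    bound_flag = bound.request_binding_authentication(platform)

    # A genuine card moved into a terminal it is not bound to: mutual authentication
    # passes, the platform's binding check does not.
    unbound = TerminalDevice("356938035643809", "460009876543210")
    unbound.power_on()
    unbound.mutual_authentication_result(True)
    unbound_flag = unbound.request_binding_authentication(platform)

    # A device whose mutual authentication failed cannot even ask the platform.
    locked = TerminalDevice("356938035643809", "460001234567890")
    locked.power_on()
    locked.mutual_authentication_result(False)
    try:
        locked.request_binding_authentication(platform)
        locked_error = None
    except RuntimeError as exc:
        locked_error = str(exc)

    return {
        "bound_flag": bound_flag, "bound_state": bound.state,
        "bound_app": bound.run_iot_application("meter-upload"),
        "unbound_flag": unbound_flag, "unbound_state": unbound.state,
        "unbound_app": unbound.run_iot_application("meter-upload"),
        "locked_state": locked.state, "locked_error": locked_error,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Encoding the transitions as a table rather than as scattered `if` checks is what makes the ordering the page relies on enforceable: a device cannot reach the secure state without first passing the card-side check, and a card-locked device has no way out short of a reset by the operator.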
Embodiment 1
In this embodiment a random number and the IMSI are used as the authentication information. The smart card and the terminal each store algorithm one and algorithm two, and the terminal additionally stores algorithm three, the inverse of algorithm two; algorithm one derives the authentication result from the authentication information, algorithm two encrypts the authentication result, and algorithm three decrypts the output of algorithm two.
After the IoT terminal powers on and the smart card has been reset, the mutual authentication between the mobile terminal and the smart card is performed. As shown in FIG. 6, the terminal, the smart card and the management platform of this embodiment complete three-party authentication successfully, as follows:
Step 602: the smart card sends the terminal an instruction telling it to obtain the authentication parameters.
Step 603: the terminal receives the command status word, recognises that authentication is permitted, and sends the smart card a command requesting its encrypted authentication result.
Step 604: at the terminal's request, the smart card applies algorithm one to the authentication parameters, encrypts the result with algorithm two, and passes the encrypted authentication result to the terminal in the command status word.
Step 605: the terminal applies algorithm three (the decryption of algorithm two) to the encrypted authentication result sent by the smart card and obtains the smart card's authentication result; at the same time it applies the same algorithm one to the authentication information sent by the smart card and obtains the terminal-side authentication result. The terminal compares the two results.
Step 606: the terminal finds the two authentication results equal and sends a command to the smart card carrying the terminal's unencrypted authentication result.
Step 607: the smart card receives the terminal's authentication result and compares it with the authentication result it computed itself.
Step 608: the smart card finds the two authentication results equal and notifies the terminal that mutual authentication succeeded.
Step 609: on receiving the notification, the terminal sets its state to the card-authenticated state, sends the management platform the information identifying the mobile terminal and the smart card (the terminal device identification number, the IMSI, and so on), thereby reporting its binding with the smart card (existing channels such as short messages or BIP may be used), and sends the management platform a request to authenticate the binding.
Step 610: on receiving the (terminal device identification number, IMSI) pair of the binding, the management platform looks up the binding database to see whether a binding between this terminal and this smart card exists; if the correspondence exists, three-party authentication passes and the management platform returns a binding-relationship-authentication-passed flag to the terminal.
On receiving the authentication-passed flag, the terminal device sets its state to the secure state (three-party-authentication-passed state); before running a relevant IoT application it checks that the device state is the secure state (three-party-authentication-passed state), and then starts the application.
Embodiment 2
In this embodiment the IMSI is used as the authentication information. The smart card and the terminal each store algorithm one and algorithm two, and the terminal additionally stores algorithm three, the inverse of algorithm two; algorithm one derives the authentication result from the authentication information, algorithm two encrypts the authentication result, and algorithm three decrypts the output of algorithm two.
After the terminal powers on and the smart card has been reset, the mutual authentication between the mobile terminal and the smart card is performed. In this embodiment the terminal, the smart card and the management platform fail three-party authentication; the process, shown in FIG. 7, is as follows:
Step 702: the smart card sends the terminal an instruction telling it to obtain the authentication parameters.
Step 703: the terminal receives the command status word, recognises that authentication is permitted, and sends the smart card a command requesting its encrypted authentication result.
Step 704: at the terminal's request, the smart card applies algorithm one to the authentication parameters, encrypts the result with algorithm two, and passes the encrypted authentication result to the terminal in the command status word.
Step 705: the terminal applies algorithm three (the decryption of algorithm two) to the encrypted authentication result sent by the smart card and obtains the smart card's authentication result; at the same time it applies the same algorithm one to the authentication information sent by the smart card and obtains the terminal-side result. The terminal compares the two results.
Step 706: the terminal finds the two authentication results differ and sends an instruction informing the smart card that it has failed authentication. The terminal and the smart card end the authentication; the terminal is locked and cannot be used, and the IMSI in the smart card is changed to a random number, so that even if the card is stolen it cannot register on the network. The terminal device is in the card-locked state.
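A runnable simulation of the card/terminal exchange of steps 301-308, which Embodiment 1 (steps 602-608) and Embodiment 2 (steps 702-706) instantiate as a success and a failure case. It is an editor's example, not code from the patent. Algorithm one is instantiated as HMAC-SHA256 over the random number and the IMSI under a shared authentication key, and algorithm two/three as XOR with an HMAC-derived keystream bound to the random number; the keys, the IMSI values, the state names and the choice of a keystream cipher are assumptions of the example, not choices the patent makes.

```python
import hashlib
import hmac
import os

# Constructed keys for the example. The page only says that card and terminal share
# algorithm one and that the terminal holds the inverse of algorithm two; which keys
# back those algorithms is an assumption made here.
AUTH_KEY = b"example-shared-authentication-key"
ENC_KEY = b"example-result-encryption-key"


def algorithm_one(key: bytes, rand: bytes, imsi: str) -> bytes:
    """Algorithm one (assumed HMAC-SHA256): authentication result from random number + IMSI."""
    return hmac.new(key, rand + imsi.encode("ascii"), hashlib.sha256).digest()


def _keystream(key: bytes, rand: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, bound to the card's random number."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, rand + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def algorithm_two(key: bytes, rand: bytes, result: bytes) -> bytes:
    """Algorithm two (assumed keystream XOR): encrypt the card-side authentication result."""
    return bytes(a ^ b for a, b in zip(result, _keystream(key, rand, len(result))))


# Algorithm three is the inverse of algorithm two; XOR with the same keystream undoes it.
algorithm_three = algorithm_two


class SmartCard:
    def __init__(self, imsi: str, auth_key: bytes, enc_key: bytes):
        self.imsi, self.auth_key, self.enc_key = imsi, auth_key, enc_key
        self._result = b""

    def allow_authentication(self) -> dict:
        """Step 301: compute and encrypt the card-side result, send it with the authentication information."""
        rand = os.urandom(16)
        self._result = algorithm_one(self.auth_key, rand, self.imsi)
        return {"rand": rand, "imsi": self.imsi,
                "enc_result": algorithm_two(self.enc_key, rand, self._result)}

    def verify_terminal(self, terminal_result: bytes) -> bool:
        """Step 306: compare the terminal's result with the card's own."""
        return hmac.compare_digest(self._result, terminal_result)

    def invalidate(self) -> None:
        """Step 308: overwrite the IMSI with a random value so the card can no longer register."""
        self.imsi = os.urandom(8).hex()


class Terminal:
    def __init__(self, auth_key: bytes, enc_key: bytes):
        self.auth_key, self.enc_key = auth_key, enc_key
        self.state = "card_unauthenticated"

    def authenticate(self, card: SmartCard) -> bool:
        msg = card.allow_authentication()
        # Step 302: decrypt the card's result and recompute it locally from the same information.
        card_result = algorithm_three(self.enc_key, msg["rand"], msg["enc_result"])
        own_result = algorithm_one(self.auth_key, msg["rand"], msg["imsi"])
        # Steps 303/305: a mismatch on the terminal side fails authentication.
        if not hmac.compare_digest(own_result, card_result):
            return self._fail(card)
        # Steps 304/306: send the terminal result to the card for the reverse check.
        if not card.verify_terminal(own_result):
            return self._fail(card)
        self.state = "card_authenticated"   # step 307
        return True

    def _fail(self, card: SmartCard) -> bool:
        self.state = "card_locked"          # step 308: lock the terminal ...
        card.invalidate()                   # ... and invalidate the card's authentication information
        return False


def run_demo() -> dict:
    """A genuine card passes; a forged card holding the wrong key locks the terminal."""
    genuine = SmartCard("460001234567890", AUTH_KEY, ENC_KEY)   # constructed IMSI
    terminal_a = Terminal(AUTH_KEY, ENC_KEY)
    genuine_ok = terminal_a.authenticate(genuine)

    forged = SmartCard("460001234567890", b"attacker-guessed-key", ENC_KEY)
    terminal_b = Terminal(AUTH_KEY, ENC_KEY)
    forged_ok = terminal_b.authenticate(forged)

    return {"genuine_ok": genuine_ok, "state_a": terminal_a.state, "card_a_imsi": genuine.imsi,
            "forged_ok": forged_ok, "state_b": terminal_b.state, "card_b_imsi": forged.imsi}


if __name__ == "__main__":
    print(run_demo())
```

Only the random number, the IMSI and the encrypted result cross the card/terminal interface; the keys stay on each side, so the "user authentication key" the page lists among possible authentication information is never sent. Note that in the flow as described only the card contributes freshness: the terminal issues no challenge of its own, so an implementer who must resist replay of a captured card message toward the terminal should also fold a terminal-chosen challenge into the input of algorithm one. The example keeps the page's one-sided random number as written.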
The embodiments of the invention further provide a method for managing the authentication state of a terminal device, where the terminal device comprises a terminal and a smart card. The method comprises:
while the terminal and the smart card have not yet performed mutual authentication, the terminal device is in the card-unauthenticated state;
when the management platform's authentication of the terminal/smart card binding passes, the terminal device moves to the three-party-authentication-passed (secure) state; when the binding authentication fails, it moves to the three-party-authentication-failed (insecure) state.
Preferably, once the terminal has powered on and the smart card has just been reset, the terminal device moves from the initial state to the card-unauthenticated state.
The embodiments of the invention further provide a three-party authentication system (not illustrated). It mainly comprises a mutual authentication module and a binding-relationship authentication request module on the terminal side, a mutual authentication module on the smart card side, and a three-party authentication module in the management platform, where:
the terminal-side mutual authentication module is configured to perform mutual authentication with the smart card; the binding-relationship authentication request module is configured, if that mutual authentication passes, to report the terminal/smart card binding to the management platform and to request that the management platform authenticate it; the card-side mutual authentication module is configured to perform mutual authentication with the terminal;
the three-party authentication module is configured, at the request of the binding-relationship authentication request module, to authenticate the binding between the terminal and the smart card; if the binding authentication passes, three-party authentication is judged to have passed, otherwise it is judged to have failed.
Preferably, the card-side mutual authentication module is configured to derive the card-side authentication result from the authentication information with algorithm one, encrypt that result with algorithm two, and send the authentication information together with the encrypted card-side result to the terminal; and, on receiving the terminal-side authentication result, to compare it with the card-side result: if they agree, authentication succeeds, otherwise it fails;
the terminal-side mutual authentication module is configured to derive the terminal-side authentication result with algorithm one from the authentication information sent by the smart card, to decrypt the encrypted card-side result with algorithm three, and to compare the decrypted card-side result with the terminal-side result; if they agree, the terminal-side result is sent to the smart card, otherwise authentication fails and this authentication process ends; algorithm three is the inverse of algorithm two.
Preferably, the three-party authentication module is configured to look up whether the terminal/smart card binding exists in the management platform's local binding database; if it exists, the binding authentication is judged to have passed, otherwise to have failed;
the binding relationship is the combination of terminal information and smart card information;
the terminal information comprises one of the following, or any combination of them: the IMEI, the ESN, parameter information stored in the terminal;
the smart card information comprises one of the following, or any combination of them: the IMSI, the ICCID, parameter information stored in the smart card.
Preferably, the system further comprises a card-side mutual authentication result enforcement module,
configured, when the mutual authentication passes, to set the terminal and the smart card to the card-authenticated (mutual-authentication-passed) state; and, when the mutual authentication fails, to set the terminal and the smart card to the card-locked (mutual-authentication-failed) state and to set the smart card's authentication information to invalid information.
Preferably, the mutual authentication result enforcement module sets the smart card's authentication information to invalid information by changing the smart card's IMSI to a blank, a random number or an error value.
The above are merely preferred embodiments of the invention and do not limit it. The invention may take many other forms, and those skilled in the art may make corresponding changes and variations without departing from its spirit and substance; all such changes and variations fall within the scope of the appended claims.
Clearly, those skilled in the art will understand that the modules or steps described above may be implemented on general-purpose computing devices, concentrated on a single computing device or distributed over a network of computing devices; optionally they may be implemented as program code executable by a computing device, stored in a storage device and executed by that device, and in some cases the steps shown or described may be performed in a different order from the one given here, or they may be made into individual integrated-circuit modules, or several of the modules or steps may be made into a single integrated-circuit module. The invention is therefore not limited to any particular combination of hardware and software.
Industrial applicability
With the above authentication method the security of both the terminal and the smart card is assured. When a terminal is used with a forged smart card the terminal is locked, protecting the terminal; a smart card that is stolen or used illegitimately cannot register on the network; and a terminal used with an illegitimate smart card is locked in time. The binding can be authenticated dynamically, and the management platform retains control over the terminal and the card, which helps the operator run its business and genuinely ensures the dedicated and secure use of the terminals and smart cards deployed for IoT services.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110160890.9 | 2011-06-15 | ||
| CN201110160890.9A CN102833067B (en) | 2011-06-15 | 2011-06-15 | Trilateral authentication method and system and authentication state management method of terminal equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2012171283A1 true WO2012171283A1 (en) | 2012-12-20 |
Family
ID=47336047
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2011/080783 Ceased WO2012171283A1 (en) | 2011-06-15 | 2011-10-14 | Method and system for third-party authentication and method for managing authentication state of terminal device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN102833067B (en) |
| WO (1) | WO2012171283A1 (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104243152B (en) * | 2013-06-06 | 2018-01-12 | 中国银联股份有限公司 | Security information interaction system, apparatus and method |
| CN104244227A (en) * | 2013-06-09 | 2014-12-24 | 中国移动通信集团公司 | Terminal access authentication method and device in internet of things system |
| CN104715533B (en) * | 2015-04-10 | 2017-03-08 | 电子科技大学 | A kind of method of use mobile terminal dynamic fingerprint to code door lock |
| CN105959189B (en) * | 2016-06-08 | 2019-09-13 | 美的集团股份有限公司 | Household appliance and its with the communication system and method for Cloud Server and terminal, terminal |
| CN111092820B (en) * | 2018-10-23 | 2023-04-07 | 中国移动通信有限公司研究院 | Equipment node authentication method, device and system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6367009B1 (en) * | 1998-12-17 | 2002-04-02 | International Business Machines Corporation | Extending SSL to a multi-tier environment using delegation of authentication and authority |
| CN101542965A (en) * | 2006-12-01 | 2009-09-23 | 微软公司 | Authentication delegation based on re-verification of cryptographic evidence |
| CN101931941A (en) * | 2010-09-26 | 2010-12-29 | 联通兴业科贸有限公司 | Method and system for authentication/binding of telecom smart card and mobile terminal |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| ES2224850B1 (en) * | 2003-05-12 | 2005-12-01 | Vodafone España, S.A. | MODULE AND METHOD OF DETECTION OF AT LEAST ONE EVENT IN A MOBILE CELL PHONE USER EQUIPMENT, COMPUTER PROGRAM TO CARRY OUT THE METHOD, AND CARD AND TERMINAL WITH THE MODULE. |
| CN101686572B (en) * | 2008-09-26 | 2012-07-04 | 中国移动通信集团公司 | Method and system for interlocking wireless terminal cards, and management platform |
| CN101511083B (en) * | 2008-12-25 | 2011-02-16 | 北京握奇数据系统有限公司 | Authentication method and terminal for telecom smart card |
- 2011-06-15 CN CN201110160890.9A patent/CN102833067B/en active Active
- 2011-10-14 WO PCT/CN2011/080783 patent/WO2012171283A1/en not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN102833067B (en) | 2017-05-17 |
| CN102833067A (en) | 2012-12-19 |
Similar Documents
| Publication | Title |
|---|---|
| EP2887576B1 (en) | Software key updating method and device |
| CN102833066B (en) | Three-party authentication method and device as well as intelligent card supporting two-way authentication |
| CN106034028B (en) | A terminal equipment authentication method, device and system |
| CN103517273B (en) | Authentication method, managing platform and Internet-of-Things equipment |
| CN102833068B (en) | Method for bidirectional authentication of terminal and smart card, protocol and smart card |
| CN110545252B (en) | A method, terminal, control function entity and application server for authentication and information protection |
| CN102638468A (en) | Method, sending end, receiving end and system for protecting information transmission safety |
| WO2017185913A1 (en) | Method for improving wireless local area network authentication mechanism |
| CN107483415A (en) | A kind of mutual authentication method of shared electricity consumption interactive system |
| WO2014015759A1 (en) | Terminal identity verification and service authentication method, system, and terminal |
| CN104754571A (en) | User authentication realizing method, device and system thereof for multimedia data transmission |
| CN105323754A (en) | Distributed authentication method based on pre-shared key |
| KR101281099B1 (en) | An Authentication method for preventing damages from lost and stolen smart phones |
| WO2012171283A1 (en) | Method and system for third-party authentication and method for managing authentication state of terminal device |
| CN105578464A (en) | Enhanced WLAN certificate authentication method, device and system |
| CN105828330B (en) | Access method and device |
| WO2014177106A1 (en) | Network access control method and system |
| CN115695053A (en) | A power distribution Internet of things access system |
| KR101745482B1 (en) | Communication method and apparatus in smart-home system |
| WO2022110688A1 (en) | Field bus-based data transmission method and system, and field bus-based identity verification method and system |
| KR20130046781A (en) | System and method for access authentication for wireless network |
| CN113141327A (en) | Information processing method, device and equipment |
| CN111274570A (en) | Encryption authentication method and device, server, readable storage medium and air conditioner |
| CN112995140B (en) | Safety management system and method |
| CN117527339B (en) | A method for transmitting public keys and a method for transmitting diagnostic messages |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11867837; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 11867837; Country of ref document: EP; Kind code of ref document: A1 |