CN105873045B - Method for security protection, device, system and the terminal of soft SIM card - Google Patents
- Publication number: CN105873045B (CN201510031137.8A)
- Authority: CN (China)
- Prior art keywords: sim card, soft sim, terminal, request, identification
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a security protection method for a soft SIM card, comprising: after receiving a request to access soft SIM card related information stored in the replay protected memory block (RPMB) area of an eMMC, the soft SIM card verifies the legitimacy of the request; after the verification passes, the soft SIM card allows the terminal corresponding to the request to access the soft SIM card related information in the RPMB area. The invention also discloses a security protection device, system and terminal for a soft SIM card.
Description
Technical field
The present invention relates to the field of wireless communication, and in particular to a security protection method, device, system and terminal for a soft Subscriber Identity Module (SIM) card.
Background
At present, the Internet of Things field has special requirements for Universal Subscriber Identity Module (USIM) cards. For example, the industrial field needs cards that tolerate high-temperature and low-temperature environments, and wearable devices require the USIM card to be as small as possible. These requirements make a soft SIM card solution, in which software implements the function of a USIM card, very feasible, but the security of the software and hardware environment of a soft SIM card solution is much lower than that of a chip-type USIM card.
To improve the security of soft SIM cards, a series of solutions have emerged, such as soft SIM card solutions based on ARM TrustZone and soft SIM card solutions based on built-in dedicated flash memory (Flash). However, these solutions all require the baseband chip to support TrustZone or to be modified to support built-in dedicated Flash; that is, the baseband chip must be changed, and these changes greatly increase the cost of the chip.
Summary of the invention
To solve the existing technical problems, embodiments of the present invention provide a security protection method, device, system and terminal for a soft SIM card.
An embodiment of the present invention provides a security protection method for a soft SIM card, the method comprising:
After receiving a request to access soft SIM card related information stored in the Replay Protected Memory Block (RPMB) area of an eMMC (Embedded Multi Media Card), the soft SIM card verifies the legitimacy of the request;
After the verification passes, the soft SIM card allows the terminal corresponding to the request to access the soft SIM card related information in the RPMB area.
In the above solution, before the request is received, the method further includes:
When the terminal accesses the network, the soft SIM card sends the terminal's hardware identifier and its own identifier to the network side so that the legitimacy of the terminal can be verified;
After the soft SIM card receives an indication from the network side that the terminal is legitimate, it enables the terminal to perform network communication through the soft SIM card.
In the above solution, before the legitimacy of the request is verified, the method further includes:
When the soft SIM card determines, according to the stored binding relationship between the terminal where the soft SIM card is located and the soft SIM card, that the terminal is legitimate, it verifies the legitimacy of the request.
In the above solution, determining that the terminal is legitimate is:
The soft SIM card compares the terminal identifier corresponding to the binding relationship with the terminal identifier corresponding to the request; when the two are the same, the terminal is determined to be legitimate.
In the above solution, verifying the legitimacy of the request includes:
The soft SIM card calculates a Message Authentication Code (MAC) value with a Secure Hash Algorithm (SHA), according to the counter (Counter) value and key value of the eMMC where it is located;
The soft SIM card compares the calculated MAC value with the MAC value carried in the request;
The soft SIM card determines the legitimacy of the request according to the comparison result.
An embodiment of the present invention also provides a security protection method for a soft SIM card, comprising:
When accessing the network, the terminal sends its own hardware identifier and the corresponding soft SIM card identifier to the network side;
The network side matches the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier that it has stored; when they match, it allows the terminal to perform network communication through the corresponding soft SIM card.
In the above solution, matching the received terminal hardware identifier and corresponding soft SIM card identifier against the stored terminal hardware identifier and corresponding soft SIM card identifier includes:
The base station sends the received terminal hardware identifier and corresponding soft SIM card identifier to a Mobility Management Entity (MME);
The MME sends the received terminal hardware identifier and corresponding soft SIM card identifier to a Home Subscriber Server (HSS);
The HSS sends the received terminal hardware identifier and corresponding soft SIM card identifier to a verification server;
The verification server matches the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier that it has stored.
In the above solution, allowing the terminal to perform network communication through the corresponding soft SIM card when a match is determined includes:
When the verification server determines that the received terminal hardware identifier and corresponding soft SIM card identifier match the terminal hardware identifier and corresponding soft SIM card identifier that it has stored, it feeds back a successful match to the HSS;
The HSS feeds back the successful match to the MME; the MME feeds back the successful match to the base station;
After receiving the successful match fed back by the MME, the base station allows the terminal to perform network communication through the corresponding soft SIM card.
An embodiment of the present invention also provides a security protection device for a soft SIM card, comprising a first verification unit and an access unit, wherein:
The first verification unit is configured to verify the legitimacy of a request after receiving the request to access soft SIM card related information stored in the eMMC RPMB area;
The access unit is configured to allow, after the verification passes, the terminal corresponding to the request to access the soft SIM card related information in the RPMB area.
In the above solution, the device further includes a second verification unit, configured to send the hardware identifier of the terminal and the identifier of the soft SIM card to the network side when the terminal accesses the network, so as to verify the legitimacy of the terminal; and, after receiving an indication from the network side that the terminal is legitimate, to enable the terminal to perform network communication through the soft SIM card.
In the above solution, the device further includes a third verification unit, configured to trigger the first verification unit to verify the legitimacy of the request when it determines, according to the stored binding relationship between the terminal where the soft SIM card is located and the soft SIM card, that the terminal is legitimate.
In the above solution, the first verification unit is specifically configured to: calculate a MAC value with SHA according to the Counter value and key value of the eMMC where it is located; compare the calculated MAC value with the MAC value carried in the request; and determine the legitimacy of the request according to the comparison result.
An embodiment of the present invention further provides a terminal, where the electronic device includes the above-mentioned security protection device for a soft SIM card.
An embodiment of the present invention also provides a terminal, comprising a storage unit and a sending unit, wherein:
The storage unit is configured to store the hardware identifier of the terminal and the corresponding soft SIM card identifier;
The sending unit is configured to send the stored hardware identifier of the terminal and the corresponding soft SIM card identifier to the network side when the terminal accesses the network.
An embodiment of the present invention further provides a security protection system for a soft SIM card, comprising a terminal and a network side device, wherein:
The terminal is configured to send its own hardware identifier and the corresponding soft SIM card identifier to the network side device when accessing the network;
The network side device is configured to match the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier that it has stored and, when they match, to allow the terminal to perform network communication through the corresponding soft SIM card.
In the above solution, the network side device includes a base station, an MME, an HSS and a verification server, wherein:
The base station is configured to send the received terminal hardware identifier and corresponding soft SIM card identifier to the MME, and, after receiving the successful match fed back by the MME, to allow the terminal to perform network communication through the corresponding soft SIM card;
The MME is configured to send the received terminal hardware identifier and corresponding soft SIM card identifier to the HSS, and, after receiving the successful match fed back by the HSS, to feed back the successful match to the base station;
The HSS is configured to send the received terminal hardware identifier and corresponding soft SIM card identifier to the verification server, and, after receiving the successful match fed back by the verification server, to feed back the successful match to the MME;
The verification server is configured to match the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier that it has stored, and, when they match, to feed back a successful match to the HSS.
With the security protection method, device, system and terminal for a soft SIM card provided by the embodiments of the present invention, after a request to access soft SIM card related information stored in the eMMC RPMB area is received, the soft SIM card verifies the legitimacy of the request; after the verification passes, the soft SIM card allows the terminal corresponding to the request to access the soft SIM card related information in the RPMB area. Because the user data and SIM card information that the soft SIM card needs to store are kept in the RPMB area, malicious theft of sensitive data is effectively prevented and the security of soft SIM card applications is improved, with no modification of the hardware and at low implementation cost. When accessing the network, the terminal sends its own hardware identifier and the corresponding soft SIM card identifier to the network side; the network side matches the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier that it has stored and, when they match, allows the terminal to perform network communication through the corresponding soft SIM card. This likewise effectively prevents malicious theft of sensitive data, improves the security of soft SIM card applications, requires no modification of the hardware, and has a low implementation cost.
Description of drawings
In the drawings, which are not necessarily drawn to scale, like reference numerals may describe like parts in different views. Like reference numerals with different letter suffixes may denote different examples of like parts. The drawings generally illustrate, by way of example and not limitation, the embodiments discussed herein.
FIG. 1 is a schematic flowchart of the security protection method for a soft SIM card according to Embodiment 1 of the present invention;
FIG. 2 is a schematic diagram of the eMMC architecture according to Embodiment 1 of the present invention;
FIG. 3 is a schematic diagram of the storage areas of the eMMC according to Embodiment 1 of the present invention;
FIG. 4 is a schematic diagram of the interaction between devices when the network side verifies whether the terminal is legitimate, according to Embodiment 1 of the present invention;
FIG. 5 is a schematic diagram of the specific processing flow for verifying whether a received request is legitimate, according to Embodiment 1 of the present invention;
FIG. 6 is a schematic flowchart of another security protection method for a soft SIM card according to Embodiment 1 of the present invention;
FIG. 7 is a schematic structural diagram of the security protection device for a soft SIM card according to Embodiment 2 of the present invention;
FIG. 8 is a schematic structural diagram of the terminal according to Embodiment 2 of the present invention;
FIG. 9 is a schematic structural diagram of the security protection system for a soft SIM card according to Embodiment 2 of the present invention.
Detailed description
The present invention is described in further detail below with reference to the drawings and embodiments.
A security mechanism based on eMMC can protect the soft SIM card at relatively low cost on top of the existing hardware architecture.
At present, whether a soft SIM card solution is based on dedicated Flash or on TrustZone, the baseband chip must be changed to support it, so the implementation cost is relatively high. Meanwhile, in recent years smart terminals have tended to use eMMC to attach external Flash chips, which supports large-capacity Flash and does not require the terminal manufacturer to adapt to different Flash parts. In addition, eMMC itself has a mechanism that can protect a region of storage. Building on the existing eMMC security mechanism therefore makes full use of a security mechanism the smart terminal already has to improve the security of the soft SIM card, without adding cost.
Based on this, in the various embodiments of the present invention: after receiving a request to access soft SIM card related information stored in the eMMC RPMB area, the soft SIM card verifies the legitimacy of the request; after the verification passes, the soft SIM card allows the terminal corresponding to the request to access the soft SIM card related information in the RPMB area.
Embodiment 1
The security protection method for a soft SIM card of this embodiment, as shown in FIG. 1, includes the following steps:
Step 101: After receiving a request to access soft SIM card related information stored in the eMMC RPMB area, the soft SIM card verifies the legitimacy of the request;
Here, the soft SIM card related information may include user data and SIM card data.
As shown in FIG. 2, smart terminals currently tend to attach Flash through eMMC, which requires no adaptation to the Flash part and can support large-capacity Flash.
As shown in FIG. 3, within the storage area of the Flash attached through eMMC, the RPMB area is a protected area. The user data and SIM card data that the soft SIM card needs to store can therefore be placed in the RPMB area for protection, preventing malicious theft of sensitive data.
Here, sensitive data in the user data (such as keys) can be further encrypted using the terminal's hardware information (for example, the serial number of the terminal's ARM chip or the terminal's International Mobile Equipment Identity (IMEI)) as the encryption factor. Correspondingly, once the encrypted data is obtained, it is decrypted with the corresponding encryption factor to recover the sensitive data. This further ensures the security of the soft SIM card application.
Before this step is performed, the method may further include:
When the terminal accesses the network, the soft SIM card sends the terminal's hardware identifier and its own identifier to the network side so that the legitimacy of the terminal can be verified;
After receiving an indication from the network side that the terminal is legitimate, the soft SIM card enables the terminal to perform network communication through the soft SIM card.
The hardware identifier of the terminal may be the IMEI or similar; the identifier of the soft SIM card may be the International Mobile Subscriber Identification Number (IMSI) or similar. As shown in FIG. 4, when data service is activated, the soft SIM card reports its own identifier and the hardware identifier of the terminal where it is located to the network side via a short message. The verification server on the network side stores the correspondence between the terminal's hardware identifier and the soft SIM card's identifier; afterwards, the correspondence, and hence the binding relationship, can be changed only through a manual channel. Each time the terminal powers on again and accesses the network, the access request (Attach_request) carries the IMEI and IMSI. After receiving this request, the network side confirms whether the terminal is legitimate by looking up the current correspondence between the IMEI and the IMSI.
Specifically, after receiving the terminal's access request carrying the IMEI and IMSI, the base station (eNodeB) sends the access request to the MME. After receiving the access request, the MME sends a query request containing the IMEI and IMSI to the HSS. After receiving the query request, the HSS sends it to the verification server. After receiving the query request, the verification server matches the IMEI-to-IMSI correspondence that it has saved against the IMEI and IMSI in the query request and returns the matching result to the HSS; the HSS returns the matching result to the MME; the MME returns the matching result to the terminal (soft SIM card) through the base station. If the IMEI corresponding to the IMSI is the same, the result is a successful match, which means the terminal is legitimate and can perform network communication through the soft SIM card. If the IMEI corresponding to the IMSI is different, the result is a failed match, which means the terminal is not legitimate and cannot perform network communication through the soft SIM card.
Before this step is performed, the method may further include:
Binding the terminal where the soft SIM card is located to the SIM card;
Correspondingly, before the legitimacy of the request is verified, the method may further include:
When the soft SIM card determines, according to the stored binding relationship between the terminal where the soft SIM card is located and the soft SIM card, that the terminal corresponding to the request is legitimate, it verifies the legitimacy of the request.
Determining that the terminal corresponding to the request is legitimate is specifically:
The soft SIM card compares the terminal identifier corresponding to the binding relationship with the terminal identifier corresponding to the request. If the two are the same, the terminal corresponding to the request is determined to be legitimate; if the two are different, the terminal corresponding to the request is determined not to be legitimate, and the request is rejected.
Verifying the legitimacy of the request, as shown in FIG. 5, specifically includes:
Step 1: The soft SIM card calculates a MAC value with SHA (for example, SHA-256) according to the Counter value and key value of the eMMC where it is located;
Here, before an external program that accesses the user data sends a request to the soft SIM card, it calculates a MAC value from the Key value and the Counter value using the same SHA as the soft SIM card (for example, SHA-256), and carries the calculated MAC value in the request.
Step 2: The soft SIM card compares the calculated MAC value with the MAC value carried in the request;
Step 3: The soft SIM card determines the legitimacy of the request according to the comparison result.
Specifically, when the two are the same, the request is legitimate; when the two are different, the request is not legitimate.
When the request is not legitimate, the soft SIM card does not allow the terminal corresponding to the request to access the soft SIM card related information in the RPMB area.
Step 102: After the verification passes, the soft SIM card allows the terminal corresponding to the request to access the soft SIM card related information in the RPMB area.
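The following Python sketch, added here as an illustration and not taken from the patent, walks through the binding check and the MAC check of step 101 and the release of data in step 102. The HMAC-SHA-256 construction, the 4-byte counter encoding, the `record` field, the counter advance after each accepted request, and all sample values are assumptions of this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AccessRequest:
    terminal_id: str  # identifier of the requesting terminal, e.g. its IMEI
    record: str       # which soft SIM record is wanted (hypothetical field)
    mac: bytes        # MAC value computed by the caller and carried in the request


def compute_mac(key: bytes, counter: int, record: str) -> bytes:
    """MAC from the key and Counter values.

    Assumption: HMAC-SHA-256 over a 4-byte big-endian counter followed by
    the record name. The patent only says the MAC is derived from the
    Counter and key with SHA (for example SHA-256).
    """
    message = struct.pack(">I", counter) + record.encode()
    return hmac.new(key, message, hashlib.sha256).digest()


class SoftSim:
    """Soft SIM guarding records that are stored in the RPMB area."""

    def __init__(self, key: bytes, bound_terminal_id: str,
                 records: Dict[str, bytes]) -> None:
        self._key = key
        self._bound_terminal_id = bound_terminal_id  # stored binding relationship
        self._records = records                      # stands in for RPMB contents
        self.counter = 0                             # stands in for the eMMC Counter

    def handle(self, req: AccessRequest) -> Tuple[str, Optional[bytes]]:
        # Binding check: the request must come from the bound terminal.
        if req.terminal_id != self._bound_terminal_id:
            return "reject: terminal not bound", None

        # Steps 1 and 2: recompute the MAC and compare it with the one in
        # the request. compare_digest avoids leaking the position of the
        # first differing byte through timing.
        expected = compute_mac(self._key, self.counter, req.record)
        if not hmac.compare_digest(expected, req.mac):
            return "reject: MAC mismatch", None

        # Step 3 / step 102: request is legitimate, release the record.
        # Assumption: the counter advances so a captured request is stale.
        self.counter += 1
        return "ok", self._records.get(req.record)


def demo() -> list:
    # All values below are constructed sample data.
    key = bytes(range(32))
    imei = "490154203237518"
    sim = SoftSim(key, imei, {"imsi": b"001010123456789"})

    good = AccessRequest(imei, "imsi", compute_mac(key, sim.counter, "imsi"))
    results = [sim.handle(good)[0]]        # fresh, correctly keyed request
    results.append(sim.handle(good)[0])    # same bytes replayed

    other = AccessRequest("356938035643809", "imsi",
                          compute_mac(key, sim.counter, "imsi"))
    results.append(sim.handle(other)[0])   # valid MAC, wrong terminal

    forged = AccessRequest(imei, "imsi",
                           compute_mac(b"\x00" * 32, sim.counter, "imsi"))
    results.append(sim.handle(forged)[0])  # right terminal, wrong key
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The replayed request fails only because the counter moved on; with a static counter the MAC would be a fixed value that any observer of one valid request could reuse.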
In practice, the scheme in which the network side verifies whether the terminal is legitimate can be used on its own. On this basis, this embodiment also provides another security protection method for a soft SIM card. As shown in FIG. 6, the method includes the following steps:
Step 601: When accessing the network, the terminal sends its own hardware identifier and the corresponding soft SIM card identifier to the network side;
Specifically, the terminal may carry its own hardware identifier and the corresponding soft SIM card identifier in the access request.
The hardware identifier of the terminal may be the IMEI or similar; the identifier of the soft SIM card may be the IMSI or similar.
Step 602: The network side matches the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier that it has stored; when they match, it allows the terminal to perform network communication through the corresponding soft SIM card.
Specifically, the base station sends the received terminal hardware identifier and corresponding soft SIM card identifier to the mobility management entity MME;
The MME sends the received terminal hardware identifier and corresponding soft SIM card identifier to the home subscriber server HSS;
The HSS sends the received terminal hardware identifier and corresponding soft SIM card identifier to the verification server;
The verification server matches the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier that it has stored.
Here, when the verification server determines that the received terminal hardware identifier and corresponding soft SIM card identifier match the terminal hardware identifier and corresponding soft SIM card identifier that it has stored, it feeds back a successful match to the HSS;
The HSS feeds back the successful match to the MME; the MME feeds back the successful match to the base station;
After receiving the successful match fed back by the MME, the base station allows the terminal to perform network communication through the corresponding soft SIM card.
In practice, as shown in FIG. 4, when data service is activated the soft SIM card reports its own identifier and the hardware identifier of the terminal it resides in to the network side by short message (SMS). The verification server on the network side stores the correspondence between the terminal's hardware identifier and the soft SIM card's identifier; afterwards the correspondence, and therefore the binding, can be changed only through a manual channel. Each time the terminal powers on again and accesses the network, the access request (Attach_request) carries the IMEI and the IMSI; on receiving this request, the network side looks up the current IMEI-to-IMSI correspondence to confirm whether the terminal is legitimate.
After the base station (eNodeB) receives the terminal's access request carrying the IMEI and IMSI, it sends the access request to the MME; after receiving the access request, the MME sends a query request containing the IMEI and IMSI to the HSS; after receiving the query request, the HSS sends it to the verification server; after receiving the query request, the verification server matches the IMEI-to-IMSI correspondence it has saved against the IMEI and IMSI in the query request and returns the matching result to the HSS; the HSS returns the matching result to the MME; the MME returns the matching result to the terminal through the base station. If the IMEI corresponding to the IMSI is the same, the match succeeds, which means the terminal is legitimate and can perform network communication through the soft SIM card; if the IMEI corresponding to the IMSI is different, the match fails, which means the terminal is not legitimate and cannot perform network communication through the soft SIM card.
With the security protection method for a soft SIM card provided in this embodiment, after receiving a request to access soft-SIM-related information stored in the eMMC RPMB area, the soft SIM card verifies the validity of the request; after the verification passes, the soft SIM card allows the terminal corresponding to the request to access the soft SIM card's information in the RPMB area. Because the user data and SIM card information that the soft SIM card needs to store are kept in the RPMB area, malicious theft of sensitive data can be effectively prevented and the security of the soft SIM card application is improved. In addition, the implementation adds no hardware cost.
In addition, when the terminal accesses the network, the soft SIM card sends the terminal's hardware identifier and the soft SIM card's identifier to the network side to verify the legitimacy of the terminal; after the soft SIM card receives the network side's indication that the terminal is legitimate, it lets the terminal perform network communication through the soft SIM card. The terminals are managed centrally by the network side, which gives good manageability and further ensures the security of the soft SIM card application.
The soft SIM card verifies the validity of the request when it has determined, from the stored binding relationship between the soft SIM card and the terminal it resides in, that the terminal corresponding to the request is legitimate; this further ensures the security of the soft SIM card application.
Embodiment 2
To implement the method of Embodiment 1, this embodiment provides a security protection device for a soft SIM card. As shown in FIG. 7, the device may include a first verification unit 71 and an access unit 72, where:
the first verification unit 71 is configured to verify the validity of a request after receiving the request to access soft-SIM-related information stored in the eMMC RPMB area;
the access unit 72 is configured to allow, after the verification passes, the terminal corresponding to the request to access the soft SIM card's information in the RPMB area.
Here, the information related to the soft SIM card may include user data and SIM card data.
As shown in FIG. 2, smart terminals today tend to interface with Flash through eMMC, which requires no adaptation to the Flash and supports large-capacity Flash.
As shown in FIG. 3, within the storage area of the eMMC's external Flash, the RPMB area is a protected area. The user data and SIM card data that the soft SIM card needs to store can therefore be placed in the RPMB area for protection, preventing malicious theft of sensitive data.
Here, sensitive data within the user data can be further protected by encryption, using the terminal's hardware information (for example, the serial number of the terminal's ARM chip or the terminal's IMEI) as the encryption factor. Correspondingly, once the encrypted data has been retrieved, it is decrypted with the corresponding encryption factor to obtain the sensitive data. This further ensures the security of the soft SIM card application.
The device may further include a second verification unit, configured to send the terminal's hardware identifier and the soft SIM card's identifier to the network side when the terminal accesses the network, in order to verify the legitimacy of the terminal, and, after receiving the network side's indication that the terminal is legitimate, to let the terminal perform network communication through the soft SIM card.
The hardware identifier of the terminal may be the IMEI or similar; the identifier of the soft SIM card may be the IMSI or similar. As shown in FIG. 4, when data service is activated the soft SIM card reports its own identifier and the hardware identifier of the terminal it resides in to the network side by short message (SMS). The verification server on the network side stores the correspondence between the terminal's hardware identifier and the soft SIM card's identifier; afterwards the correspondence, and therefore the binding, can be changed only through a manual channel. Each time the terminal powers on again and accesses the network, the access request (Attach_request) carries the IMEI and the IMSI; on receiving this request, the network side looks up the current IMEI-to-IMSI correspondence to confirm whether the terminal is legitimate.
Specifically, after the eNodeB receives the access request carrying the IMEI and IMSI sent by the second verification unit, it sends the access request to the MME; after receiving the access request, the MME sends a query request containing the IMEI and IMSI to the HSS; after receiving the query request, the HSS sends it to the verification server; after receiving the query request, the verification server matches the IMEI-to-IMSI correspondence it has saved against the IMEI and IMSI in the query request and returns the matching result to the HSS; the HSS returns the matching result to the MME; the MME returns the matching result to the second verification unit through the base station. If the IMEI corresponding to the IMSI is the same, the match succeeds, which means the terminal is legitimate and can perform network communication through the soft SIM card; if the IMEI corresponding to the IMSI is different, the match fails, which means the terminal is not legitimate and cannot perform network communication through the soft SIM card.
The device may further include a third verification unit, configured to trigger the first verification unit 71 to verify the validity of the request when it determines, from the stored binding relationship between the soft SIM card and the terminal it resides in, that the terminal corresponding to the request is legitimate.
Determining that the terminal corresponding to the request is legitimate is specifically:
comparing the terminal identifier in the binding relationship with the terminal identifier corresponding to the request. If the two are the same, the terminal corresponding to the request is determined to be legitimate; if they differ, the terminal corresponding to the request is determined not to be legitimate, and the request is rejected.
Verifying the validity of the request, as shown in FIG. 5, specifically includes:
Step 1: the first verification unit 71 computes a MAC value with SHA (for example, SHA-256) from the Counter value and key value of the eMMC in which it resides;
Before an external program that wants to access the user data sends its request to the soft SIM card, it computes a MAC value from the Key value and Counter value using the same SHA (for example, SHA-256) as the soft SIM card, and carries the computed MAC value in the request.
Step 2: the first verification unit 71 compares the MAC value it computed with the MAC value carried in the request;
Step 3: the first verification unit 71 determines the validity of the request from the comparison result.
Specifically, when the two are the same, the request is valid; when the two differ, the request is not valid.
When the request is not valid, the terminal corresponding to the request is not allowed to access the soft SIM card's information in the RPMB area.
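The three verification steps above can be modelled as follows. This is an added example, not code from the patent: HMAC-SHA-256 is chosen here as the keyed construction (the text only says SHA, for example SHA-256), and the 32-bit counter that advances after each accepted request, the requested item name inside the MAC, and all names and values are assumptions of the example.

```python
import hashlib
import hmac
import struct

COUNTER_MAX = 0xFFFFFFFF  # assumption: 32-bit counter, like the RPMB write counter


def compute_mac(key: bytes, counter: int, target: str) -> bytes:
    """MAC over the current counter and the name of the requested item.

    HMAC-SHA-256 is this example's keyed construction; the text only says
    the MAC is computed with SHA (for example SHA-256) from Key and Counter.
    Covering the item name as well is an addition made by this example.
    """
    if not 0 <= counter <= COUNTER_MAX:
        raise ValueError("counter out of range")
    message = struct.pack(">I", counter) + target.encode()
    return hmac.new(key, message, hashlib.sha256).digest()


class SoftSimGate:
    """Stand-in for the first verification unit and the access unit."""

    def __init__(self, key: bytes, counter: int, protected: dict) -> None:
        self.key = key
        self.counter = counter
        self.protected = dict(protected)  # models data held in the RPMB area

    def handle(self, target: str, request_mac: bytes):
        """Return the protected item if the request MAC verifies, else None."""
        if self.counter >= COUNTER_MAX:
            return None  # counter exhausted: fail closed
        # Step 1: compute the MAC from the gate's own key and counter.
        expected = compute_mac(self.key, self.counter, target)
        # Steps 2 and 3: constant-time comparison, then the access decision.
        if not hmac.compare_digest(expected, request_mac):
            return None
        # Assumption: the counter advances on every accepted request, so a
        # MAC captured from an earlier request no longer verifies.
        self.counter += 1
        return self.protected.get(target)


def run_demo() -> dict:
    key = bytes(range(32))  # constructed 256-bit key
    gate = SoftSimGate(key, counter=41, protected={"imsi": "001010123456789"})
    good = compute_mac(key, 41, "imsi")
    results = {}
    results["valid"] = gate.handle("imsi", good)
    results["replayed"] = gate.handle("imsi", good)  # same MAC, stale counter
    results["wrong_key"] = gate.handle("imsi", compute_mac(b"\x00" * 32, 42, "imsi"))
    results["truncated"] = gate.handle("imsi", compute_mac(key, 42, "imsi")[:8])
    results["fresh"] = gate.handle("imsi", compute_mac(key, 42, "imsi"))
    results["counter"] = gate.counter
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

A failed comparison leaves the counter unchanged, so rejected requests cannot be used to desynchronise a legitimate caller.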
In practice, the second verification unit may be implemented by a central processing unit (CPU, Central Processing Unit), microprocessor (MCU, Micro Control Unit), digital signal processor (DSP, Digital Signal Processor) or programmable logic array (FPGA, Field-Programmable Gate Array) in the security protection device of the soft SIM card, in combination with a transceiver; the first verification unit 71, the access unit 72 and the third verification unit may be implemented by a CPU, MCU, DSP or FPGA in the security protection device of the soft SIM card.
With the security protection device for a soft SIM card provided in this embodiment, after a request to access soft-SIM-related information stored in the eMMC RPMB area is received, the first verification unit 71 verifies the validity of the request; after the verification passes, the access unit 72 allows the terminal corresponding to the request to access the soft SIM card's information in the RPMB area. Because the user data and SIM card information that the soft SIM card needs to store are kept in the RPMB area, malicious theft of sensitive data can be effectively prevented and the security of the soft SIM card application is improved. In addition, the implementation adds no hardware cost.
In addition, when the terminal accesses the network, the second verification unit sends the terminal's hardware identifier and the soft SIM card's identifier to the network side to verify the legitimacy of the terminal; after receiving the network side's indication that the terminal is legitimate, it lets the terminal perform network communication through the soft SIM card. This further ensures the security of the soft SIM card application.
The third verification unit verifies the validity of the request when it has determined, from the stored binding relationship between the soft SIM card and the terminal it resides in, that the terminal corresponding to the request is legitimate. The terminals are managed centrally by the network side, which gives good manageability and further ensures the security of the soft SIM card application.
Based on the above device, this embodiment also provides a terminal that includes the basic structure of the security protection device for a soft SIM card shown in FIG. 7 and its various modifications and equivalent replacements, which are not described again here.
To implement the method of this embodiment, this embodiment further provides another terminal. As shown in FIG. 8, the terminal includes a storage unit 81 and a sending unit 82, where:
the storage unit 81 is configured to store the hardware identifier of the terminal and the corresponding soft SIM card identifier;
the sending unit 82 is configured to send the stored hardware identifier of the terminal and the corresponding soft SIM card identifier to the network side when the terminal accesses the network; the hardware identifier of the terminal and the corresponding soft SIM card identifier are used to verify the legitimacy of the terminal.
In practice, the storage unit 81 may be implemented by a memory in the terminal; the sending unit 82 may be implemented by a transmitter in the terminal.
To implement the method of this embodiment, this embodiment also provides a security protection system for a soft SIM card. As shown in FIG. 9, the system includes a terminal 91 and a network-side device 92, where:
the terminal 91 is configured to send its own hardware identifier and the corresponding soft SIM card identifier to the network-side device 92 when accessing the network;
the network-side device 92 is configured to match the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier that it has stored and, when they match, to allow the terminal 91 to perform network communication through the corresponding soft SIM card.
Here, the terminal 91 may carry its own hardware identifier and the corresponding soft SIM card identifier in the access request.
The hardware identifier of the terminal 91 may be the IMEI or similar; the identifier of the soft SIM card may be the IMSI or similar.
The network-side device 92 may include a base station, an MME, an HSS and a verification server, where:
the base station is configured to send the received terminal hardware identifier and corresponding soft SIM card identifier to the MME and, after receiving the successful match reported by the MME, to allow the terminal to perform network communication through the corresponding soft SIM card;
the MME is configured to send the received terminal hardware identifier and corresponding soft SIM card identifier to the HSS and, after receiving the successful match reported by the HSS, to report the successful match to the base station;
the HSS is configured to send the received terminal hardware identifier and corresponding soft SIM card identifier to the verification server and, after receiving the successful match reported by the verification server, to report the successful match to the MME;
the verification server is configured to match the received terminal hardware identifier and corresponding soft SIM card identifier against the terminal hardware identifier and corresponding soft SIM card identifier that it has stored and, when they match, to report the successful match to the HSS.
In practice, as shown in FIG. 4, when data service is activated the soft SIM card reports its own identifier and the hardware identifier of the terminal it resides in to the network side by short message (SMS). The verification server on the network side stores the correspondence between the terminal's hardware identifier and the soft SIM card's identifier; afterwards the correspondence, and therefore the binding, can be changed only through a manual channel. Each time the terminal 91 powers on again and accesses the network, the access request (Attach_request) carries the IMEI and the IMSI; on receiving this request, the network side looks up the current IMEI-to-IMSI correspondence to confirm whether the terminal 91 is legitimate.
After the base station (eNodeB) receives the access request carrying the IMEI and IMSI from the terminal 91, it sends the access request to the MME; after receiving the access request, the MME sends a query request containing the IMEI and IMSI to the HSS; after receiving the query request, the HSS sends it to the verification server; after receiving the query request, the verification server matches the IMEI-to-IMSI correspondence it has saved against the IMEI and IMSI in the query request and returns the matching result to the HSS; the HSS returns the matching result to the MME; the MME returns the matching result to the terminal through the base station. If the IMEI corresponding to the IMSI is the same, the match succeeds, which means the terminal 91 is legitimate and can perform network communication through the soft SIM card; if the IMEI corresponding to the IMSI is different, the match fails, which means the terminal 91 is not legitimate and cannot perform network communication through the soft SIM card.
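The IMEI/IMSI binding check described here, and in the matching passages of Embodiment 1 and the device embodiment, can be sketched as below. This is an added example, not code from the patent: the class and function names, the audit log, the identifier format checks at the MME and the sample IMEI/IMSI values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


def valid_imei(value) -> bool:
    # IMEI: exactly 15 decimal digits.
    return isinstance(value, str) and value.isascii() and value.isdigit() and len(value) == 15


def valid_imsi(value) -> bool:
    # IMSI: at most 15 decimal digits (the lower bound of 6 is this example's choice).
    return isinstance(value, str) and value.isascii() and value.isdigit() and 6 <= len(value) <= 15


@dataclass
class VerificationServer:
    bindings: dict = field(default_factory=dict)  # IMSI -> IMEI recorded at activation
    audit: list = field(default_factory=list)     # (event, imsi, detail) tuples

    def record_activation(self, imsi, imei) -> bool:
        """Store the pair reported by SMS at activation; never overwrites a binding."""
        if not (valid_imsi(imsi) and valid_imei(imei)) or imsi in self.bindings:
            self.audit.append(("activation_rejected", imsi, imei))
            return False
        self.bindings[imsi] = imei
        return True

    def manual_rebind(self, imsi, new_imei, operator) -> bool:
        """The manual channel: the only path that changes an existing binding."""
        if imsi not in self.bindings or not valid_imei(new_imei):
            return False
        self.audit.append(("rebind", imsi, f"{self.bindings[imsi]}->{new_imei} by {operator}"))
        self.bindings[imsi] = new_imei
        return True

    def match(self, imsi, imei) -> bool:
        """Match succeeds only if the IMSI is bound to exactly this IMEI."""
        ok = self.bindings.get(imsi) == imei and imsi in self.bindings
        if not ok:
            self.audit.append(("attach_mismatch", imsi, imei))  # signal worth alerting on
        return ok


def hss_query(server: VerificationServer, imsi: str, imei: str) -> bool:
    """HSS: forwards the query to the verification server and relays the result."""
    return server.match(imsi, imei)


def mme_attach(server: VerificationServer, attach_request: dict) -> bool:
    """MME: extracts both identifiers from the attach request and queries the HSS."""
    imsi, imei = attach_request.get("IMSI"), attach_request.get("IMEI")
    if not (valid_imsi(imsi) and valid_imei(imei)):
        return False  # assumption: malformed or missing identifiers are rejected here
    return hss_query(server, imsi, imei)


def enodeb_attach(server: VerificationServer, attach_request: dict) -> bool:
    """Base station: allows communication only on an explicit successful match."""
    return mme_attach(server, attach_request) is True


def run_demo() -> dict:
    imsi, imei_a, imei_b = "001010123456789", "490154203237518", "356938035643809"  # constructed
    server = VerificationServer()
    out = {"activated": server.record_activation(imsi, imei_a)}
    out["same_terminal"] = enodeb_attach(server, {"IMSI": imsi, "IMEI": imei_a})
    out["other_terminal"] = enodeb_attach(server, {"IMSI": imsi, "IMEI": imei_b})
    out["sms_overwrite"] = server.record_activation(imsi, imei_b)
    out["missing_imei"] = enodeb_attach(server, {"IMSI": imsi})
    out["manual_rebind"] = server.manual_rebind(imsi, imei_b, "ops-ticket-1")
    out["after_rebind_new"] = enodeb_attach(server, {"IMSI": imsi, "IMEI": imei_b})
    out["after_rebind_old"] = enodeb_attach(server, {"IMSI": imsi, "IMEI": imei_a})
    out["audit_events"] = [event for event, _, _ in server.audit]
    return out


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Every path other than an exact stored match returns a refusal, and each mismatch is logged so that a soft SIM presented from a different terminal shows up in the audit trail.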
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Claims (14)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510031137.8A CN105873045B (en) | 2015-01-21 | 2015-01-21 | Method for security protection, device, system and the terminal of soft SIM card |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105873045A (en) | 2016-08-17 |
CN105873045B (en) | 2019-05-28 |
Family
ID=56623209
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510031137.8A Active CN105873045B (en) | 2015-01-21 | 2015-01-21 | Method for security protection, device, system and the terminal of soft SIM card |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105873045B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |