Summary of the invention
The technical problem to be solved by the present invention is to improve the security of mobile phone card application access.
According to one aspect of the present invention, a mobile phone terminal for realizing secure access by mobile phone card applications is proposed, comprising:
A card application client, for sending an access ID (AID) request to a security middleware;
A security middleware, for sending the AID request to a platform, which judges whether it is a request that is allowed access; if so, receiving the AID request of the card application client, encapsulating the AID request, and forwarding it to an access interface; otherwise, not forwarding it;
An access interface, for forwarding the AID request to an AC controller and receiving the matching result returned by the AC controller; if the matching result shows that the AID request is accepted, the card application client is allowed to access the security domain of the mobile phone card; otherwise, it cannot access the security domain of the mobile phone card;
An AC controller, for receiving the AID request, obtaining the card application client certificate from the mobile phone operating system, performing rule matching, and returning the matching result to the access interface.
Further, the security middleware encrypts and encapsulates the AID request and forwards it to the access interface;
The AC controller receives the AID request from the access interface and performs rule matching on the AID request, wherein the rule is an encryption rule.
Further, the AC controller checks the update mark in the file system of the mobile phone card; if the update mark shows that there is updated content, it obtains the updated rules and performs rule matching according to the updated rules; if the update mark shows that there is no updated content, it performs rule matching according to the previously stored rules.
According to one aspect of the present invention, a platform for realizing secure access by mobile phone card applications is proposed, comprising:
A receiving unit, for receiving the AID request sent by the security middleware of the mobile phone terminal;
A judging unit, for judging whether the AID request is a request that is allowed access, and returning the judging result to the security middleware of the mobile phone terminal;
Wherein the security middleware of the mobile phone terminal decides, according to the judging result, whether to forward the AID request.
Further, an issuance unit, for issuing matching rules to the mobile phone card;
Wherein the matching rules of the mobile phone card are sent to the AC controller of the mobile phone terminal, and the AC controller performs rule matching according to the rules.
According to one aspect of the present invention, a system for realizing secure access by mobile phone card applications is proposed, including any of the above mobile phone terminals and any of the above platforms.
According to one aspect of the present invention, a method for realizing secure access by mobile phone card applications is proposed, comprising:
The card application client of the mobile phone terminal sends an AID request to the security middleware of the mobile phone terminal;
The security middleware sends the AID request to the platform, which judges whether it is a request that is allowed access; if so, the security middleware receives the AID request of the card application client, encapsulates the AID request, and forwards it to the access interface; otherwise, it does not forward it;
The access interface of the mobile phone terminal forwards the AID request to the AC controller of the mobile phone terminal;
The AC controller receives the AID request, obtains the card application client certificate from the mobile phone operating system, performs rule matching, and returns the matching result to the access interface; if the matching result shows that the AID request is accepted, the card application client is allowed to access the security domain of the mobile phone card; otherwise, it cannot access the security domain of the mobile phone card.
Further, the security middleware encrypts and encapsulates the AID request and forwards it to the access interface;
The AC controller receives the AID request from the access interface and performs rule matching on the AID request, wherein the rule is an encryption rule.
Further, the AC controller checks the update mark in the file system of the mobile phone card; if the update mark shows that there is updated content, it obtains the updated rules and performs rule matching according to the updated rules; if the update mark shows that there is no updated content, it performs rule matching according to the previously stored rules.
According to one aspect of the present invention, a method for realizing secure access by mobile phone card applications is proposed, comprising:
The platform receives the AID request sent by the security middleware of the mobile phone terminal;
The platform judges whether the AID request is a request that is allowed access, and returns the judging result to the security middleware of the mobile phone terminal;
Wherein the security middleware of the mobile phone terminal decides, according to the judging result, whether to forward the AID request.
In the present invention, the security middleware forwards the AID request to the platform, and the platform judges whether the AID request is a request that is allowed access. If it is, the mobile phone terminal allows the card application client to access the security domain of the mobile phone card; otherwise, the security domain of the mobile phone card cannot be accessed. The card application client is not allowed to access the mobile phone card directly in response to the AID request. This improves the security of mobile phone card application access.
Other features and advantages of the present invention will become apparent from the following detailed description of exemplary embodiments of the invention with reference to the accompanying drawings.
Specific embodiment
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that, unless otherwise specifically stated, the relative arrangement of components and steps, the numerical expressions, and the numerical values set forth in these embodiments do not limit the scope of the present invention.
At the same time, it should be understood that, for ease of description, the sizes of the various parts shown in the drawings are not drawn according to actual proportional relationships.
The following description of at least one exemplary embodiment is in fact merely illustrative, and in no way serves as any limitation on the present invention or its application or use.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but, where appropriate, such techniques, methods, and apparatus should be considered part of the granted specification.
In all examples shown and discussed here, any specific value should be construed as merely illustrative and not as a limitation. Therefore, other examples of the exemplary embodiments may have different values.
It should also be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be discussed further in subsequent drawings.
The present invention aims to address the security risk that operating system vulnerabilities which may be present in an NFC mobile phone pose to the access control of SWP-SIM card applications to the SE. By adding a security middleware between the mobile phone client and the SIM Access API, multi-stage protection of secure access to the SE in the SWP-SIM is realized, improving the security of mobile phone card application access.
To make the objectives, technical solutions, and advantages of the present invention clearer, the present invention is described in more detail below in conjunction with specific embodiments and with reference to the accompanying drawings.
Fig. 1 is a structure diagram of a system for realizing secure access by mobile phone card applications. The system includes a mobile phone terminal 110 and a platform 120. The platform 120 is a network-side platform, for example a TSM platform. The system includes, for example, an NFC mobile phone and a TSM platform, and relates to secure access technology between the UICC (Universal Integrated Circuit Card) or UIM (subscriber identification module) card application client software of the NFC mobile phone and the TSM platform; it can be used in a service implementation system for an NFC mobile phone wallet.
The mobile phone terminal 110 has at least one card application client installed and forwards the AID request of the card application client to the platform 120. The platform 120 judges whether the AID request is a request that is allowed access; if so, the card application client is allowed to access the mobile phone card, for example, the security domain of an SWP-SIM card.
In this embodiment, the AID request is first judged by the platform 120; the card application client is not allowed to access the mobile phone card directly in response to the AID request. This improves the security of mobile phone card application access, including improving the protection of user information and, in particular, ensuring the secure transmission of sensitive user information.
In addition, the AID request is judged by the platform, and the matching rules are also managed and issued by the platform, and so on. This embodies the operator's control over the card space. Transaction data and the like can thus also be controlled, and users' usage behavior can be statistically analyzed, so as to control the mobile phone card, the card application client, and so on.
Below in conjunction with the drawings and specific embodiments, the present invention will be further described.
Fig. 2 is a structure diagram of a mobile phone terminal for realizing secure access by mobile phone card applications. The mobile phone terminal 110 includes a card application client 210, a security middleware 220, an access interface 230, and an AC controller 240.
The card application client 210 is used to send an access ID (AID) request to the security middleware 220.
The security middleware 220 is used to send the AID request to the platform, which judges whether it is a request that is allowed access. If so, the AID request of the card application client is received, and the security middleware encapsulates the AID request and forwards it to the access interface, for example the SIM Access API; otherwise, the request is not forwarded.
The access interface 230 is used to forward the AID request to the AC controller 240 and to receive the matching result returned by the AC controller. If the matching result shows that the AID request is accepted, the card application client is allowed to access the security domain of the mobile phone card; otherwise, it cannot access the security domain of the mobile phone card.
The AC controller 240 is used to receive the AID request, obtain the card application client certificate from the mobile phone operating system (OS), perform rule matching, and return the matching result to the access interface; the matching result is, for example, to accept the AID request or to refuse the AID request. If the AID request is accepted, the card application client accesses the security domain of the mobile phone card through the access interface. Otherwise, the security domain of the mobile phone card cannot be accessed.
The rule matching operation is the standard procedure of secure access control and follows the international standard GlobalPlatform.
In this embodiment, the security middleware forwards the AID request to the platform, and the platform judges whether the AID request is a request that is allowed access. If it is, the mobile phone terminal allows the card application client to access the security domain of the mobile phone card. Otherwise, the security domain of the mobile phone card cannot be accessed. This improves the security of mobile phone card application access.
In addition, the security middleware sends the AID request to the platform, and the subsequent rule matching is carried out according to the result returned by the platform. The security middleware or the platform can queue multiple AID requests. Therefore, even if multiple card application clients send AID requests at the same time, the limited number of channels of the ACE and the SIM Access API will not reduce the AC efficiency of the card issuer's card applications.
In another embodiment of the invention, if the platform judges that the request is allowed access, the security middleware encrypts the AID request and forwards it to the access interface, for example, the SIM Access API. The AC controller receives the AID request from the access interface and performs rule matching on the AID request, wherein the rule is an encryption rule. The encryption algorithm may be a hash or another algorithm, and can be managed by the platform (such as a TSM platform) or the cloud, implemented through a two-way HTTP protocol. Therefore, by encrypting requests that are allowed access, security is further improved.
In another embodiment of the invention, the AC controller checks the update mark in the file system of the mobile phone card (such as an SWP-SIM card). If the update mark shows that there is updated content, it obtains the updated rules and performs rule matching according to the updated rules. If the update mark shows that there is no updated content, it performs rule matching according to the previously stored rules. The rules include unencrypted rules and encrypted rules. The file system mentioned here is, for example, a PKCS#15 file system.
Fig. 3 is a structure diagram of a platform for realizing secure access by mobile phone card applications. The platform 120 includes a receiving unit 310 and a judging unit 320.
The receiving unit 310 is used to receive the AID request sent by the security middleware of the mobile phone terminal.
The judging unit 320 is used to judge whether the AID request is a request that is allowed access, and to return the judging result to the security middleware of the mobile phone terminal.
The security middleware of the mobile phone terminal decides, according to the judging result, whether to forward the AID request.
In this embodiment, the platform judges whether the AID request sent by the mobile phone terminal is a request that is allowed access. If it is, the mobile phone terminal allows the card application client to access the security domain of the mobile phone card. Otherwise, the security domain of the mobile phone card cannot be accessed. This improves the security of mobile phone card application access.
In addition, the security middleware sends the AID request to the platform, and the subsequent rule matching is carried out according to the result returned by the platform. The security middleware or the platform can queue multiple AID requests. Therefore, even if multiple card application clients send AID requests at the same time, the limited number of channels of the ACE and the SIM Access API will not reduce the AC efficiency of the card issuer's card applications.
In another embodiment of the invention, the platform further includes an issuance unit 230, for issuing matching rules to the mobile phone card. The matching rules of the mobile phone card are sent to the AC controller of the mobile phone terminal, and the AC controller performs rule matching according to the rules.
Fig. 4 is a structure diagram of an embodiment of a system for realizing secure access by mobile phone card applications.
The card application client sends an AID request to the security middleware.
The security middleware sends the AID request to the TSM platform, which judges whether it is a request that is allowed access. If so, the AID request of the card application client is received, and the security middleware encapsulates the AID request and forwards it to the SIM Access API; otherwise, the request is not forwarded.
The SIM Access API forwards the AID request to the AC controller.
The AC controller obtains the card application client certificate from the mobile phone operating system (OS). The AC controller checks the update mark in the PKCS#15 file system of the SWP-SIM card. If the update mark shows that there is updated content, it obtains the updated rules and performs rule matching according to the updated rules. If the update mark shows that there is no updated content, it performs rule matching according to the previously stored rules.
The AC controller returns the matching result to the SIM Access API; the matching result is to accept the AID request or to refuse the AID request. If the AID request is accepted, the card application client accesses the security domain of the SWP-SIM card through the SIM Access API. Otherwise, the security domain of the SWP-SIM card cannot be accessed.
In this embodiment, the security middleware forwards the AID request to the TSM platform, and the TSM platform judges whether the AID request is a request that is allowed access. If it is, the mobile phone terminal allows the card application client to access the security domain of the SWP-SIM card. Otherwise, the security domain of the SWP-SIM card cannot be accessed. The card application client is not allowed to access the SWP-SIM card directly in response to the AID request. This improves the security of SWP-SIM card application access.
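The following Python model of the Fig. 4 flow is an added example, not part of the patent text: it runs a request through the platform judgment, the middleware's forward-or-drop decision, and the AC controller's rule match with the update-mark check. The class names, the use of a SHA-256 certificate hash to identify a client in a rule, the integer update mark, and the sample AIDs and certificates are assumptions constructed for illustration.

```python
import hashlib

def cert_hash(cert: bytes) -> str:
    # Assumption: a rule identifies a client by the hash of its certificate.
    return hashlib.sha256(cert).hexdigest()

class Card:
    """Constructed stand-in for the rule file and update mark on the card."""
    def __init__(self, rules):
        self.rules = set(rules)          # {(aid_hex, cert_hash)}
        self.update_mark = 1

    def publish(self, rules, bump_mark=True):
        # Platform issues new rules; the mark signals "updated content".
        self.rules = set(rules)
        if bump_mark:
            self.update_mark += 1

class Platform:
    """Network-side judgment (the TSM platform in the text)."""
    def __init__(self, allowed_aids):
        self.allowed_aids = set(allowed_aids)

    def judge(self, aid: str) -> bool:
        return aid in self.allowed_aids

class ACController:
    def __init__(self, card, os_certs):
        self.card, self.os_certs = card, os_certs
        self.cached_rules, self.cached_mark, self.reloads = set(), None, 0

    def match(self, client: str, aid: str) -> bool:
        # Re-read the rules only when the update mark has changed.
        if self.card.update_mark != self.cached_mark:
            self.cached_rules = set(self.card.rules)
            self.cached_mark = self.card.update_mark
            self.reloads += 1
        cert = self.os_certs.get(client)  # certificate comes from the OS
        if cert is None:
            return False                  # unknown client: refuse
        return (aid, cert_hash(cert)) in self.cached_rules

class SecurityMiddleware:
    def __init__(self, platform, ac):
        self.platform, self.ac = platform, ac

    def request(self, client: str, aid: str) -> str:
        if not self.platform.judge(aid):
            return "not-forwarded"        # never reaches the access interface
        envelope = {"client": client, "aid": aid}   # encapsulated request
        # The access interface passes the envelope to the AC controller.
        ok = self.ac.match(envelope["client"], envelope["aid"])
        return "granted" if ok else "refused"

# Constructed sample values, not taken from the text.
WALLET_AID, OTHER_AID = "F0010203040501", "F0010203040502"
OS_CERTS = {"wallet": b"constructed-wallet-cert",
            "untrusted": b"constructed-untrusted-cert"}

def demo() -> dict:
    card = Card({(WALLET_AID, cert_hash(OS_CERTS["wallet"]))})
    ac = ACController(card, OS_CERTS)
    mw = SecurityMiddleware(Platform({WALLET_AID}), ac)
    out = {"wallet": mw.request("wallet", WALLET_AID),
           "untrusted": mw.request("untrusted", WALLET_AID),
           "unlisted": mw.request("wallet", OTHER_AID),
           "reloads_before": ac.reloads}
    card.publish(set(), bump_mark=False)   # rules changed, mark untouched
    out["stale"] = mw.request("wallet", WALLET_AID)
    card.publish(set(), bump_mark=True)    # mark now shows updated content
    out["revoked"] = mw.request("wallet", WALLET_AID)
    out["reloads_after"] = ac.reloads
    return out

if __name__ == "__main__":
    print(demo())
```

The `stale` result shows the consequence of the update-mark design: rules rewritten on the card without a change to the mark are not seen by the AC controller, so a revocation takes effect only once the mark changes.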
Fig. 5 is a schematic flow diagram of a method for realizing secure access by mobile phone card applications. The method includes the following steps:
In step 510, the card application client of the mobile phone terminal sends an AID request to the security middleware of the mobile phone terminal.
In step 520, the security middleware sends the AID request to the platform, which judges whether it is a request that is allowed access; if so, step 530 is executed; otherwise, the request is not forwarded.
In step 530, the AID request of the card application client is received, encapsulated, and forwarded to the access interface.
In step 540, the access interface of the mobile phone terminal forwards the AID request to the AC controller of the mobile phone terminal.
In step 550, the AC controller receives the AID request, obtains the card application client certificate from the mobile phone operating system, performs rule matching, and returns the matching result to the access interface. If the matching result shows that the AID request is accepted, the card application client is allowed to access the security domain of the mobile phone card; otherwise, it cannot access the security domain of the mobile phone card. The AC controller receives the matching rules issued by the platform and performs rule matching according to the rules.
In this embodiment, the security middleware forwards the AID request to the platform, and the platform judges whether the AID request is a request that is allowed access. If it is, the mobile phone terminal allows the card application client to access the security domain of the mobile phone card. Otherwise, the security domain of the mobile phone card cannot be accessed. This improves the security of mobile phone card application access.
In addition, the security middleware sends the AID request to the platform, and the subsequent rule matching is carried out according to the result returned by the platform. The security middleware or the platform can queue multiple AID requests. Therefore, even if multiple card application clients send AID requests at the same time, the limited number of channels of the ACE and the SIM Access API will not reduce the AC efficiency of the card issuer's card applications.
In another embodiment of the invention, if the platform judges that the request is allowed access,
Step 530 includes the following operation:
The AID request of the card application client is received, and the security middleware encrypts and encapsulates the AID request and forwards it to the access interface.
Step 550 includes the following operation:
The AC controller receives the AID request, obtains the card application client certificate from the mobile phone operating system, and performs rule matching on the AID request, wherein the rule is an encryption rule, and returns the matching result to the access interface. The encryption algorithm may be a hash or another algorithm, and can be managed by the platform (such as a TSM platform) or the cloud, implemented through a two-way HTTP protocol.
In this embodiment, by encrypting requests that are allowed access, security is further improved.
In another embodiment of the invention, the rule matching operation in step 550 is as follows:
The AC controller checks the update mark in the file system of the mobile phone card (such as an SWP-SIM card). If the update mark shows that there is updated content, it obtains the updated rules and performs rule matching according to the updated rules. If the update mark shows that there is no updated content, it performs rule matching according to the previously stored rules. The rules include unencrypted rules and encrypted rules. The file system mentioned here is, for example, a PKCS#15 file system.
Fig. 6 is a schematic flow diagram of a method for realizing secure access by mobile phone card applications. The method includes the following steps:
In step 610, the platform receives the AID request sent by the security middleware of the mobile phone terminal.
In step 620, the platform judges whether the AID request is a request that is allowed access, and returns the judging result to the security middleware of the mobile phone terminal.
The security middleware of the mobile phone terminal decides, according to the judging result, whether to forward the AID request.
In this embodiment, the platform judges whether the AID request sent by the mobile phone terminal is a request that is allowed access. If it is, the mobile phone terminal allows the card application client to access the security domain of the mobile phone card. Otherwise, the security domain of the mobile phone card cannot be accessed. This improves the security of mobile phone card application access.
In addition, the security middleware sends the AID request to the platform, and the subsequent rule matching is carried out according to the result returned by the platform. The security middleware or the platform can queue multiple AID requests. Therefore, even if multiple card application clients send AID requests at the same time, the limited number of channels of the ACE and the SIM Access API will not reduce the AC efficiency of the card issuer's card applications.
The present invention has now been described in detail. To avoid obscuring the concept of the invention, some details well known in the art have not been described. From the above description, those skilled in the art can fully understand how to implement the technical solutions disclosed herein.
The method and apparatus of the present invention may be implemented in many ways. For example, they may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above order of the steps of the method is for illustration only, and the steps of the method of the present invention are not limited to the order described in detail above unless otherwise specifically stated. In addition, in some embodiments, the present invention may also be embodied as programs recorded in a recording medium, these programs including machine-readable instructions for implementing the method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
Although some specific embodiments of the present invention have been described in detail by way of example, those skilled in the art should understand that the above examples are for illustration only and are not intended to limit the scope of the invention. Those skilled in the art should understand that the above embodiments may be modified without departing from the scope and spirit of the present invention. The scope of the present invention is defined by the appended claims.