[go: up one dir, main page]

CN101742481B - Method and system for distributing secondary security domain initial keys of smart card and mobile terminal - Google Patents

Method and system for distributing secondary security domain initial keys of smart card and mobile terminal Download PDF

Info

Publication number
CN101742481B
CN101742481B CN2008101770164A CN200810177016A CN101742481B CN 101742481 B CN101742481 B CN 101742481B CN 2008101770164 A CN2008101770164 A CN 2008101770164A CN 200810177016 A CN200810177016 A CN 200810177016A CN 101742481 B CN101742481 B CN 101742481B
Authority
CN
China
Prior art keywords
management platform
smart card
security domain
card
service terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2008101770164A
Other languages
Chinese (zh)
Other versions
CN101742481A (en
Inventor
余万涛
马景旺
贾倩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN2008101770164A priority Critical patent/CN101742481B/en
Priority to PCT/CN2009/073485 priority patent/WO2010051713A1/en
Publication of CN101742481A publication Critical patent/CN101742481A/en
Application granted granted Critical
Publication of CN101742481B publication Critical patent/CN101742481B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433Key management protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

本发明提供了一种智能卡的从安全域初始密钥分发方法和系统,该系统包括具有电子支付应用功能的智能卡、卡发行商管理平台及业务终端;所述智能卡通过所述业务终端与所述卡发行商管理平台进行通信;所述卡发行商管理平台,用于通过所述业务终端将从安全域初始密钥分发给所述智能卡。本发明解决在发卡后,针对对称密钥的情况,在创建从安全域时,将卡发行商管理平台生成的从安全域初始密钥安全的导入到从安全域,从而实现从安全域初始密钥的安全分发。

The present invention provides a smart card initial key distribution method and system from the security domain. The system includes a smart card with electronic payment application functions, a card issuer management platform and a service terminal; the smart card communicates with the service terminal through the The card issuer management platform communicates; the card issuer management platform is used to distribute the initial key from the security domain to the smart card through the service terminal. The present invention solves the problem of the symmetric key after the card is issued. When creating the secondary security domain, the initial key of the secondary security domain generated by the management platform of the card issuer is safely imported into the secondary security domain, thereby realizing the initial encryption of the secondary security domain. secure distribution of keys.

Description

智能卡的从安全域初始密钥分发方法和系统、移动终端Smart card initial key distribution method and system from security domain, mobile terminal

技术领域 technical field

本发明涉及移动终端电子支付技术,尤其涉及智能卡的从安全域初始密钥分发方法和系统、移动终端。The invention relates to mobile terminal electronic payment technology, in particular to a smart card initial key distribution method and system from a security domain, and a mobile terminal.

背景技术 Background technique

IC卡特别是非接触式IC卡经过十多年的发展,已经被广泛应用于公交、门禁、小额电子支付等领域。与此同时,手机经历20多年的迅速发展,在居民中基本得到普及,给人们的工作及生活带来很大的便利。手机的功能越来越强大,并存在集成更多功能的趋势。将手机和非接触式IC卡技术结合,手机应用于电子支付领域,会进一步扩大手机的使用范围,给人们的生活带来便捷,存在着广阔的应用前景。After more than ten years of development, IC cards, especially contactless IC cards, have been widely used in fields such as public transport, access control, and small-amount electronic payment. At the same time, after more than 20 years of rapid development, mobile phones have basically been popularized among residents, bringing great convenience to people's work and life. Mobile phones are becoming more and more powerful, and there is a tendency to integrate more functions. The combination of mobile phone and non-contact IC card technology, and the application of mobile phone in the field of electronic payment will further expand the scope of use of mobile phones, bring convenience to people's life, and have broad application prospects.

近场通信技术(Near Field Communication,NFC)是工作于13.56MHz的一种近距离无线通信技术,由射频识别RFID(Radio Frequency Identification)技术及互连技术融合演变而来。手机等移动通信终端集成NFC技术后,可以模拟非接触式IC卡,用于电子支付的有关应用。移动通信终端上实现该方案需要在终端上增加NFC模拟前端芯片和NFC天线,并使用支持电子支付的智能卡。Near Field Communication (NFC) is a short-range wireless communication technology operating at 13.56MHz, which evolved from the fusion of Radio Frequency Identification (RFID) technology and interconnection technology. After integrating NFC technology, mobile communication terminals such as mobile phones can simulate non-contact IC cards for related applications of electronic payment. To implement this solution on a mobile communication terminal, it is necessary to add an NFC analog front-end chip and an NFC antenna to the terminal, and use a smart card that supports electronic payment.

为实现基于NFC技术的移动电子支付,需要建立移动终端电子支付系统,通过该系统实现对基于NFC的移动终端电子支付的管理,包括:智能卡的发行,电子支付应用的下载、安装和个人化,采用相关技术和管理策略实现电子支付应用的安全等。In order to realize mobile electronic payment based on NFC technology, it is necessary to establish a mobile terminal electronic payment system, through which the management of NFC-based mobile terminal electronic payment, including: the issuance of smart cards, the download, installation and personalization of electronic payment applications, Use relevant technologies and management strategies to realize the security of electronic payment applications, etc.

基于NFC技术的移动终端电子支付系统的业务框架通常采用全球平台GP(Global Platform)规范的多应用框架,在该框架下,支持Global Platform规范的智能卡指的是符合全球平台卡规范(Global Platform Card Specification)V2.1.1/V2.2的IC芯片或智能卡,从物理形式上可以为SIM/USIM卡即客户识别模块(Subscriber Identity Model)/通用移动通信系统客户识别模块(UMTSSubscriber Identity Module UMTS)、可插拔的智能存储卡或者集成在移动终端上的IC芯片。The business framework of the mobile terminal electronic payment system based on NFC technology usually adopts the multi-application framework of the Global Platform GP (Global Platform) specification. Specification) V2.1.1/V2.2 IC chips or smart cards can be SIM/USIM cards in physical form, that is, Subscriber Identity Model (Subscriber Identity Model)/Universal Mobile Telecommunications System Subscriber Identity Module (UMTS Subscriber Identity Module UMTS), which can be A pluggable smart memory card or an IC chip integrated in a mobile terminal.

如果基于近场通信(NFC)技术的移动终端电子支付系统支持GP2.1.1规范,安全信道协议需要支持SCP02(基于对称密钥),如果基于近场通信技术的移动终端电子支付系统支持GP2.2规范,安全信道协议需要支持SCP02(基于对称密钥)和SCP10(基于非对称密钥),卡发行商、应用提供商可以根据安全策略需求进行选择。If the mobile terminal electronic payment system based on near-field communication (NFC) technology supports the GP2.1.1 specification, the secure channel protocol needs to support SCP02 (based on symmetric keys), and if the mobile terminal electronic payment system based on near-field communication technology supports GP2.2 According to the specification, the secure channel protocol needs to support SCP02 (based on symmetric keys) and SCP10 (based on asymmetric keys), and card issuers and application providers can choose according to security policy requirements.

一般情况下,基于NFC的移动终端近距离电子支付系统主要由卡发行商管理平台、一个或多个应用提供商管理平台和支持具有电子支付应用功能智能卡的移动终端组成。In general, the NFC-based mobile terminal short-distance electronic payment system is mainly composed of a card issuer management platform, one or more application provider management platforms, and a mobile terminal that supports smart cards with electronic payment application functions.

在支持Global Platform规范的智能卡上可以安装多个应用,为了实现电子支付应用的安全,智能卡被分隔为若干个独立的安全域,以保证多个应用相互之间的隔离以及独立性,各个应用提供商管理各自的安全域以及应用、应用数据等。Multiple applications can be installed on a smart card that supports the Global Platform specification. In order to achieve the security of electronic payment applications, the smart card is divided into several independent security domains to ensure the isolation and independence of multiple applications. Each application provides Providers manage their own security domains, applications, and application data.

安全域是卡外实体包括卡发行商和应用提供商在卡上的代表,它们包含用于支持安全信道协议运作以及智能卡内容管理的密钥。安全域包括主安全域和从安全域等。主安全域是卡发行商在智能卡上的强制的卡上代表,一个智能卡只包含一个主安全域。从安全域是卡发行商或应用提供商在智能卡上的附加的可选卡上代表。The security domain is the representation on the card of entities outside the card, including the card issuer and the application provider, which contain the keys used to support the operation of the secure channel protocol and the management of the content of the smart card. Security domains include primary security domains and secondary security domains. The primary security domain is the card issuer's mandatory representation on the smart card, and a smart card contains only one primary security domain. The secondary security domain is an optional on-card representation of the card issuer or application provider on the smart card.

安全域的密钥生成与分发由管理该安全域的卡发行商或应用提供商负责,这保证了来自不同应用提供者的应用和数据可以共存于同一个卡上。安全域的密钥包括主安全域密钥、从安全域初始密钥和从安全域密钥。主安全域密钥和从安全域初始密钥由卡发行商管理平台生成,从安全域密钥由管理从安全域的卡发行商管理平台或应用提供商管理平台生成。The key generation and distribution of the security domain is the responsibility of the card issuer or application provider who manages the security domain, which ensures that applications and data from different application providers can coexist on the same card. The keys of the security domain include the key of the main security domain, the initial key of the secondary security domain and the key of the secondary security domain. The main security domain key and the initial key of the secondary security domain are generated by the card issuer management platform, and the secondary security domain keys are generated by the card issuer management platform or the application provider management platform that manages the secondary security domain.

在将电子支付应用下载并安装到智能卡之前,需要在智能卡上为该应用先创建从安全域,智能卡从安全域的创建是由卡发行商管理平台完成的。在智能卡发行后,创建智能卡从安全域时,从安全域初始密钥必须由卡发行商管理平台通过安全途径导入到智能卡上的从安全域。Before the electronic payment application is downloaded and installed on the smart card, it is necessary to create a secondary security domain for the application on the smart card. The creation of the smart card secondary security domain is completed by the card issuer management platform. After the smart card is issued, when the smart card secondary security domain is created, the initial key of the secondary security domain must be imported into the secondary security domain of the smart card by the card issuer management platform through a secure channel.

从安全域初始密钥的分发过程与系统网络架构的具体实现方式有关。为了实现智能卡的安全性管理和支付应用的下载、安装等,智能卡需要和卡发行商管理平台以及应用提供商管理平台建立通信。智能卡可以通过业务终端和管理平台建立通信。业务终端是可以对智能卡进行读写的设备,如与计算机相连的POS机等。在使用业务终端时,针对对称密钥的情况,如何将卡发行商管理平台生成的从安全域初始密钥安全的导入到智能卡上的从安全域,是移动终端电子支付需要解决的一个问题。The distribution process of the initial key from the security domain is related to the specific implementation of the system network architecture. In order to realize the security management of the smart card and the download and installation of payment applications, the smart card needs to establish communication with the card issuer management platform and the application provider management platform. Smart cards can establish communication through service terminals and management platforms. A service terminal is a device that can read and write smart cards, such as a POS machine connected to a computer. When using a business terminal, how to securely import the initial key from the secondary security domain generated by the card issuer management platform to the secondary security domain on the smart card in the case of a symmetric key is a problem that needs to be solved in the electronic payment of the mobile terminal.

发明内容 Contents of the invention

本发明要解决的技术问题是提供一种智能卡的从安全域初始密钥分发方法和系统、移动终端,以将卡发行商管理平台生成的从安全域初始密钥安全的导入到从安全域,从而实现从安全域初始密钥的安全分发。The technical problem to be solved by the present invention is to provide a smart card secondary security domain initial key distribution method and system, and a mobile terminal to safely import the secondary security domain initial key generated by the card issuer management platform into the secondary security domain, Thus, the secure distribution of the initial key from the security domain is realized.

为了解决上述技术问题,智能卡的从安全域初始密钥分发方法,该方法基于移动终端电子支付系统实现,该系统包括具有电子支付应用功能的智能卡、卡发行商管理平台及业务终端,所述智能卡为一独立设备或安装在移动终端上;所述智能卡通过所述业务终端与所述卡发行商管理平台进行通信,所述卡发行商管理平台通过所述业务终端将从安全域初始密钥分发给所述智能卡。In order to solve the above-mentioned technical problems, the initial key distribution method of the smart card from the security domain, the method is realized based on the mobile terminal electronic payment system, the system includes a smart card with electronic payment application functions, a card issuer management platform and a service terminal, the smart card It is an independent device or installed on a mobile terminal; the smart card communicates with the card issuer management platform through the service terminal, and the card issuer management platform distributes the initial key from the security domain through the service terminal to the smart card.

进一步地,该方法包括:(a)用户向所述卡发行商管理平台提交应用下载请求;(b)所述卡发行商管理平台收到应用下载请求信息后,所述卡发行商管理平台和所述智能卡主安全域之间建立安全信道;(c)所述卡发行商管理平台创建从安全域及生成从安全域初始密钥,通过建立的安全信道经由所述业务终端将安全域初始密钥导入到所述智能卡从安全域。Further, the method includes: (a) the user submits an application download request to the card issuer management platform; (b) after the card issuer management platform receives the application download request information, the card issuer management platform and Establish a secure channel between the primary security domains of the smart card; (c) the card issuer management platform creates a secondary security domain and generates an initial key for the secondary security domain, and transfers the initial key for the security domain through the established security channel via the service terminal. The key is imported into the smart card from the security domain.

进一步地,步骤(a)中用户通过所述智能卡程序或所述业务终端客户端程序触发应用下载请求,所述应用下载请求中包括智能卡标识信息、应用标识及应用提供商身份信息,步骤(b)之后,步骤(c)之前,还包括:所述卡发行商管理平台根据所述智能卡标识信息,应用标识及应用提供商身份信息,或者根据智能卡状态信息,判断是否创建从安全域。Further, in step (a), the user triggers an application download request through the smart card program or the service terminal client program, and the application download request includes smart card identification information, application identification and application provider identity information, step (b ) and before step (c), further comprising: the card issuer management platform judging whether to create a secondary security domain according to the smart card identification information, application identification and application provider identity information, or according to the status information of the smart card.

进一步地,步骤(b)建立安全信道的过程包括:(b1)所述卡发行商管理平台与智能卡主安全域经由所述业务终端进行互认证,所述互认证过程经由所述业务终端在所述卡发行商管理平台和所述智能卡主安全域之间完成;(b2)所述卡发行商管理平台与所述智能卡主安全域之间建立临时会话密钥,从而建立安全信道。Further, the process of establishing a secure channel in step (b) includes: (b1) the card issuer management platform and the main security domain of the smart card perform mutual authentication through the service terminal, and the mutual authentication process passes through the service terminal in the between the card issuer management platform and the smart card main security domain; (b2) establishing a temporary session key between the card issuer management platform and the smart card main security domain, thereby establishing a secure channel.

进一步地,所述业务终端为卡发行商业务终端,所述卡发行商管理平台与所述智能卡间的交互信息通过卡发行商业务终端转发;或者,所述业务终端为应用提供商业务终端,从所述卡发行商管理平台到所述智能卡的消息依次通过应用提供商管理平台和应用提供商业务终端转发,从所述智能卡到所述卡发行商管理平台的消息依次通过应用提供商业务终端和应用提供商管理平台转发。Further, the service terminal is a card issuer service terminal, and the interactive information between the card issuer management platform and the smart card is forwarded through the card issuer service terminal; or, the service terminal is an application provider service terminal, The message from the card issuer management platform to the smart card is forwarded through the application provider management platform and the application provider service terminal in turn, and the message from the smart card to the card issuer management platform is sequentially passed through the application provider service terminal And application provider management platform forwarding.

为了解决上述技术问题,本发明还提供了一种智能卡的从安全域初始密钥分发系统,该系统包括具有电子支付应用功能的智能卡、卡发行商管理平台及业务终端;所述智能卡通过所述业务终端与所述卡发行商管理平台进行通信;所述卡发行商管理平台,用于通过所述业务终端将从安全域初始密钥分发给所述智能卡。In order to solve the above technical problems, the present invention also provides a smart card initial key distribution system from the security domain, the system includes a smart card with electronic payment application functions, a card issuer management platform and a service terminal; the smart card passes through the The service terminal communicates with the card issuer management platform; the card issuer management platform is used to distribute the initial key from the security domain to the smart card through the service terminal.

进一步地,所述智能卡,还用于提供向所述卡发行商管理平台提交应用下载请求的支持,与卡发行商管理平台进行互认证及建立临时会话密钥,还用于解密获得的从安全域初始密钥,以及对从安全域进行初始化;所述卡发行商管理平台,还用于与所述智能卡主安全域进行互认证及建立临时会话密钥,还用于根据应用下载请求或智能卡状态信息判断是否建立从安全域,以及建立从安全域,生成并向智能卡分发从安全域初始密钥。Further, the smart card is also used to provide support for submitting an application download request to the card issuer management platform, perform mutual authentication with the card issuer management platform and establish a temporary session key, and is also used to decrypt the obtained from the security domain initial key, and initialize the secondary security domain; the card issuer management platform is also used for mutual authentication and establishing a temporary session key with the smart card primary security domain, and is also used for downloading requests or smart card The state information judges whether to establish the secondary security domain, and establishes the secondary security domain, generates and distributes the initial key of the secondary security domain to the smart card.

进一步地,所述业务终端为卡发行商业务终端,用于对所述卡发行商管理平台与所述智能卡间的交互信息进行转发;或者;Further, the service terminal is a card issuer service terminal, which is used to forward the interaction information between the card issuer management platform and the smart card; or;

所述业务终端为应用提供商业务终端,所述系统还包括应用提供商管理平台;所述应用提供商业务终端,用于接收所述应用提供商管理平台发送的消息并转发给所述智能卡;还用于接收所述智能卡发送的消息并转发给所述应用提供商管理平台;所述应用提供商管理平台,用于接收所述卡发行商管理平台发送的消息并转发给所述应用提供商业务终端;还用于接收所述应用提供商业务终端发送的消息并转发给所述卡发行商管理平台。The service terminal is an application provider service terminal, and the system also includes an application provider management platform; the application provider service terminal is used to receive the message sent by the application provider management platform and forward it to the smart card; It is also used to receive the message sent by the smart card and forward it to the application provider management platform; the application provider management platform is used to receive the message sent by the card issuer management platform and forward it to the application provider The service terminal is also used to receive the message sent by the application provider service terminal and forward it to the card issuer management platform.

进一步地,所述智能卡为一独立设备或安装在移动终端上。Further, the smart card is an independent device or installed on a mobile terminal.

本发明还提供了一种移动终端,所述移动终端包括具有电子支付应用功能的智能卡,所述智能卡从安全域的初始密钥由卡发行商管理平台通过卡发行商业务终端分发,或者通过应用提供商管理平台和应用提供商业务终端分发。The present invention also provides a mobile terminal, which includes a smart card with an electronic payment application function, and the initial key of the smart card from the security domain is distributed by the card issuer management platform through the card issuer service terminal, or through the application Provider management platform and application provider business terminal distribution.

本发明可以解决在发卡后,针对对称密钥的情况,在创建从安全域时,将卡发行商管理平台生成的从安全域初始密钥安全的导入到从安全域,从而实现从安全域初始密钥的安全分发。The present invention can solve the problem of the symmetric key after the card is issued. When creating the secondary security domain, the initial key of the secondary security domain generated by the management platform of the card issuer is safely imported into the secondary security domain, thereby realizing the initialization of the secondary security domain. Secure distribution of keys.

附图说明 Description of drawings

图1是本发明中基于近场通信技术的移动终端电子支付系统架构示意图;Fig. 1 is a schematic diagram of the architecture of a mobile terminal electronic payment system based on near-field communication technology in the present invention;

图2是本发明中实施例一中通过卡发行商业务终端进行从安全域初始密钥分发的流程示意图;Fig. 2 is a schematic flow diagram of initial key distribution from the security domain through the card issuer service terminal in Embodiment 1 of the present invention;

图3是本发明中实施例二中通过应用提供商业务终端进行从安全域初始密钥分发的流程示意图。Fig. 3 is a schematic flow diagram of initial key distribution from the security domain through the service terminal of the application provider in the second embodiment of the present invention.

具体实施方式 Detailed ways

如图1所示,本发明中移动终端电子支付系统包括:应用提供商管理平台、卡发行商管理平台、应用提供商管理平台、业务终端(包括卡发行商业务终端和应用提供商业务终端)、移动终端和具有电子支付应用功能的智能卡,本系统中的智能卡可以安装在一移动终端上。在其它实施例中,此系统也可以不包括移动终端,此时该智能卡是一独立设备。As shown in Figure 1, the mobile terminal electronic payment system in the present invention includes: application provider management platform, card issuer management platform, application provider management platform, service terminal (comprising card issuer service terminal and application provider service terminal), Mobile terminal and smart card with electronic payment application function, the smart card in this system can be installed on a mobile terminal. In other embodiments, the system may not include a mobile terminal, and in this case the smart card is an independent device.

所述智能卡支持Global Platform Card Specification V2.1.1/V2.2规范;具有电子支付应用功能的智能卡可以直接通过卡发行商业务终端和应用提供商业务终端分别与卡发行商管理平台或应用提供商管理平台连接,当具有电子支付应用功能的智能卡安装在移动终端上时,移动终端可以通过卡发行商业务终端或应用提供商业务终端分别与卡发行商管理平台和应用提供商管理平台连接。The smart card supports the Global Platform Card Specification V2.1.1/V2.2; the smart card with electronic payment application function can be directly managed by the card issuer management platform or the application provider through the card issuer business terminal and the application provider business terminal respectively. Platform connection, when a smart card with electronic payment application functions is installed on a mobile terminal, the mobile terminal can be connected to the card issuer management platform and the application provider management platform through the card issuer service terminal or the application provider service terminal respectively.

所述智能卡可以安装在移动终端上,所述智能卡和所述移动终端可以支持OTA功能,移动终端可以通过移动通信网络与OTA服务器相连,OTA服务器分别与卡发行商管理平台和应用提供商管理平台连接。The smart card can be installed on the mobile terminal, the smart card and the mobile terminal can support the OTA function, the mobile terminal can be connected with the OTA server through the mobile communication network, and the OTA server is connected with the card issuer management platform and the application provider management platform respectively connect.

卡发行商管理平台,负责智能卡的发行和管理,对智能卡的资源和生命周期、密钥、证书进行管理,负责从安全域的创建,并与其他安全域交互应用数据,其中包括创建从安全域,与所述智能卡进行互认证及建立临时会话密钥,以及生成从安全域初始密钥和新的从安全域密钥。就具体实现而言,卡发行商管理平台可以包括卡片管理系统、应用管理系统、密钥管理系统、证书管理系统、应用提供商管理系统等,其中证书管理系统在支持非对称密钥的情况下使用,证书管理系统和卡片发行商认证机构(CA)系统连接;The card issuer management platform is responsible for the issuance and management of smart cards, manages the resources and life cycle of smart cards, keys, and certificates, is responsible for the creation of secondary security domains, and interacts with other security domains for application data, including the creation of secondary security domains. , performing mutual authentication with the smart card and establishing a temporary session key, and generating an initial key of the secondary security domain and a new key of the secondary security domain. In terms of specific implementation, the card issuer management platform may include a card management system, an application management system, a key management system, a certificate management system, an application provider management system, etc., where the certificate management system supports asymmetric keys To use, the certificate management system is connected to the card issuer certification authority (CA) system;

应用提供商管理平台,负责电子支付应用的提供和管理功能,提供各种业务应用,并对智能卡上与其对应的从安全域进行安全管理,对所述从安全域的应用密钥、证书、数据等进行控制,提供应用的安全下载、安装等功能。其中包括与所述智能卡进行互认证及建立临时会话密钥,以及生成新的从安全域密钥。就具体实现而言,应用提供商管理平台可以包括应用管理系统、密钥管理系统、证书管理系统,其中证书管理系统在支持非对称密钥的情况下使用,证书管理系统和应用提供商认证机构(CA)系统连接。The application provider management platform is responsible for the provision and management of electronic payment applications, providing various business applications, and performing security management on the corresponding secondary security domain on the smart card. etc. to provide functions such as safe download and installation of applications. It includes performing mutual authentication with the smart card, establishing a temporary session key, and generating a new secondary security domain key. In terms of specific implementation, the application provider management platform may include an application management system, a key management system, and a certificate management system, wherein the certificate management system is used when supporting asymmetric keys, and the certificate management system and the application provider certification authority (CA) system connection.

卡发行商管理平台和应用提供商管理平台可以通过各自的业务终端提供电子支付有关服务:参与处理电子支付用户信息管理,参与从安全域的创建和密钥分发、电子支付应用的下载、以及电子支付应用的个人化等。应用提供商管理平台和卡发行商管理平台之间可以通过安全连接(如专线连接)进行通信。The card issuer management platform and the application provider management platform can provide electronic payment-related services through their respective business terminals: participate in the processing of electronic payment user information management, participate in the creation of security domains and key distribution, download of electronic payment applications, and electronic payment. Personalization of payment applications, etc. The application provider management platform and the card issuer management platform can communicate through a secure connection (such as a dedicated line connection).

所述智能卡,可以安装在所述移动终端上,用于通过移动终端及业务终端与所述卡发行商管理平台进行通信,也可以直接通过业务终端与所述卡发行商管理平台进行通信;还用于提供向所述卡发行商管理平台提交应用下载请求的支持,与卡发行商管理平台进行互认证及建立临时会话密钥,还用于解密获得的从安全域初始密钥,以及对从安全域进行初始化;The smart card can be installed on the mobile terminal, and is used to communicate with the card issuer management platform through the mobile terminal and the service terminal, or directly communicate with the card issuer management platform through the service terminal; It is used to provide support for submitting an application download request to the card issuer management platform, perform mutual authentication with the card issuer management platform and establish a temporary session key, and is also used to decrypt the obtained secondary security domain initial key, and The security domain is initialized;

卡发行商业务终端,由卡发行商管理平台管理;用于对所述卡发行商管理平台与所述智能卡间的交互信息进行转发。The card issuer service terminal is managed by the card issuer management platform; it is used to forward the interaction information between the card issuer management platform and the smart card.

应用提供商业务终端,由应用提供商管理平台管理;用于接收所述应用提供商管理平台发送的消息并转发给所述智能卡;还用于接收所述智能卡发送的消息并转发给所述应用提供商管理平台。The application provider service terminal is managed by the application provider management platform; it is used to receive the message sent by the application provider management platform and forward it to the smart card; it is also used to receive the message sent by the smart card and forward it to the application Provider management platform.

本发明基于图1所示的移动终端电子支付系统架构为例进行描述,但不限于图1所示移动终端电子支付系统架构。The present invention is described based on the mobile terminal electronic payment system architecture shown in FIG. 1 as an example, but is not limited to the mobile terminal electronic payment system architecture shown in FIG. 1 .

如图2所示,实施例一中,卡发行商管理平台通过卡发行商业务终端向智能卡分发安全域初始密钥,具体包括以下步骤:As shown in Figure 2, in Embodiment 1, the card issuer management platform distributes the security domain initial key to the smart card through the card issuer service terminal, specifically including the following steps:

步骤201,用户通过卡发行商业务终端客户端程序或智能卡程序触发应用下载申请,并向卡发行商管理平台提交应用下载申请,应用下载申请可以包含智能卡用户识别信息、应用标识及应用提供商身份等信息;Step 201, the user triggers the application download application through the card issuer business terminal client program or smart card program, and submits the application download application to the card issuer management platform. The application download application can include smart card user identification information, application identification and application provider identity and other information;

步骤202,卡发行商管理平台经由卡发行商业务终端向智能卡发送SELECT命令报文,选择主安全域;Step 202, the card issuer management platform sends a SELECT command message to the smart card via the card issuer service terminal to select the primary security domain;

步骤203,智能卡经由卡发行商业务终端向卡发行商管理平台提交SELECT命令响应;Step 203, the smart card submits a SELECT command response to the card issuer management platform via the card issuer service terminal;

步骤204,卡发行商管理平台与智能卡主安全域经由卡发行商业务终端建立SCP02安全信道;Step 204, the card issuer management platform establishes an SCP02 secure channel with the smart card main security domain via the card issuer service terminal;

所述卡发行商管理平台启动所述卡发行商管理平台和所述智能卡主安全域的互认证,完成互认证后,卡发行商管理平台与智能卡主安全域之间建立起临时会话密钥,从而建立安全信道。该临时会话密钥可以遵循GlobalPlatform Card Specification V2.1.1/V2.2规范建立,也可以通过其它方法建立;The card issuer management platform starts mutual authentication between the card issuer management platform and the smart card main security domain, and after mutual authentication is completed, a temporary session key is established between the card issuer management platform and the smart card main security domain, Thus establishing a secure channel. The temporary session key can be established according to the GlobalPlatform Card Specification V2.1.1/V2.2, or can be established by other methods;

所述互认证过程经由卡发行商业务终端在所述卡发行商管理平台和所述智能卡主安全域之间完成。The mutual authentication process is completed between the card issuer management platform and the smart card primary security domain via the card issuer service terminal.

步骤205,卡发行商管理平台判断是否需要创建从安全域,如果不需要创建从安全域,则终止从安全域创建过程;如果需要创建从安全域,则继续执行后续步骤;Step 205, the card issuer management platform judges whether it is necessary to create a secondary security domain, if it is not necessary to create a secondary security domain, then terminate the process of creating a secondary security domain; if it is necessary to create a secondary security domain, continue to perform subsequent steps;

所述卡发行商管理平台根据所述智能卡ICCID信息、应用标识及应用提供商身份等信息,或者通过智能卡状态信息等方式,判断是否创建从安全域。The card issuer management platform judges whether to create a secondary security domain according to information such as the smart card ICCID information, application identification, and application provider identity, or through smart card status information.

智能卡状态信息由卡发行商管理平台从智能卡主安全域获取。The status information of the smart card is obtained from the main security domain of the smart card by the card issuer management platform.

步骤206,卡发行商管理平台经由卡发行商业务终端向智能卡发送INSTALL命令;Step 206, the card issuer management platform sends the INSTALL command to the smart card via the card issuer service terminal;

步骤207,智能卡经由卡发行商业务终端向卡发行商管理平台提交INSTALL命令响应;Step 207, the smart card submits the INSTALL command response to the card issuer management platform via the card issuer service terminal;

步骤208,卡发行商管理平台生成初始密钥,通过PUTKEY命令,经由卡发行商业务终端向智能卡主安全域发送从安全域初始密钥;Step 208, the card issuer management platform generates an initial key, and sends the initial key from the security domain to the primary security domain of the smart card via the card issuer service terminal through the PUTKEY command;

步骤209,智能卡主安全域接收到从安全域初始密钥后,用接收到的从安全域初始密钥初始化从安全域;Step 209, after receiving the initial key of the slave security domain, the master security domain of the smart card initializes the slave security domain with the received initial key of the slave security domain;

步骤210,智能卡主安全域经由卡发行商业务终端向卡发行商管理平台发送PUTKEY命令响应,结束从安全域初始密钥分发过程。Step 210, the primary security domain of the smart card sends a PUTKEY command response to the card issuer management platform via the card issuer service terminal, and ends the initial key distribution process of the secondary security domain.

实施例一中卡发行商管理平台与智能卡间的交互信息通过卡发行商业务终端转发;在实施例二中,从卡发行商管理平台到智能卡的消息依次通过应用提供商管理平台和应用提供商业务终端转发,从智能卡到卡发行商管理平台的消息依次通过应用提供商业务终端和应用提供商管理平台转发。如图3所示,实施例二中,分发从安全域初始密钥的方法具体包括以下步骤:In the first embodiment, the interactive information between the card issuer management platform and the smart card is forwarded through the card issuer service terminal; in the second embodiment, the message from the card issuer management platform to the smart card passes through the application provider management platform and the application provider in turn Forwarding by the service terminal, the message from the smart card to the card issuer management platform is forwarded through the application provider service terminal and the application provider management platform in turn. As shown in Figure 3, in Embodiment 2, the method for distributing the initial key from the security domain specifically includes the following steps:

步骤301,用户通过应用提供商业务终端客户端程序或智能卡程序触发应用下载申请,并经由应用提供商管理平台向卡发行商管理平台提交应用下载申请,应用下载申请可以包含智能卡用户识别信息、应用标识及应用提供商身份等信息;Step 301, the user triggers an application download application through the application provider's business terminal client program or smart card program, and submits the application download application to the card issuer management platform via the application provider management platform. The application download application may include smart card user identification information, application Identification and application provider identity and other information;

步骤302,卡发行商管理平台经由应用提供商管理平台和应用提供商业务终端向智能卡发送SELECT命令报文,选择主安全域;Step 302, the card issuer management platform sends a SELECT command message to the smart card via the application provider management platform and the application provider service terminal, and selects the main security domain;

步骤303,智能卡经由应用提供商业务终端和应用提供商管理平台向卡发行商管理平台提交SELECT命令响应;Step 303, the smart card submits a SELECT command response to the card issuer management platform via the application provider service terminal and the application provider management platform;

步骤304,卡发行商管理平台与智能卡主安全域经由应用提供商管理平台和应用提供商业务终端建立SCP02安全信道;Step 304, the card issuer management platform and the smart card main security domain establish the SCP02 security channel via the application provider management platform and the application provider service terminal;

所述卡发行商管理平台启动所述卡发行商管理平台和所述智能卡主安全域的互认证,完成互认证后,卡发行商管理平台与智能卡主安全域之间建立起临时会话密钥,从而建立安全信道。该临时会话密钥可以遵循GlobalPlatform Card Specification V2.1.1/V2.2规范建立,也可以通过其它方法建立;The card issuer management platform starts mutual authentication between the card issuer management platform and the smart card main security domain, and after mutual authentication is completed, a temporary session key is established between the card issuer management platform and the smart card main security domain, Thus establishing a secure channel. The temporary session key can be established according to the GlobalPlatform Card Specification V2.1.1/V2.2, or can be established by other methods;

所述互认证过程经由应用提供商管理平台和应用提供商业务终端在所述卡发行商管理平台和所述智能卡主安全域之间完成。The mutual authentication process is completed between the card issuer management platform and the smart card main security domain via the application provider management platform and the application provider service terminal.

步骤305,卡发行商管理平台判断是否需要创建从安全域,如果不需要创建从安全域,则终止从安全域创建过程;如果需要创建从安全域,则继续执行后续步骤;Step 305, the card issuer management platform judges whether it is necessary to create a secondary security domain, if it is not necessary to create a secondary security domain, then terminate the process of creating a secondary security domain; if it is necessary to create a secondary security domain, continue to perform subsequent steps;

所述卡发行商管理平台根据所述智能卡ICCID信息、应用标识及应用提供商身份等信息,或者通过智能卡状态信息等方式,判断是否创建从安全域。The card issuer management platform judges whether to create a secondary security domain according to information such as the smart card ICCID information, application identification, and application provider identity, or through smart card status information.

智能卡状态信息由卡发行商管理平台从智能卡主安全域获取。The status information of the smart card is obtained from the main security domain of the smart card by the card issuer management platform.

步骤306,卡发行商管理平台经由应用提供商管理平台和应用提供商业务终端向智能卡发送INSTALL命令;Step 306, the card issuer management platform sends the INSTALL command to the smart card via the application provider management platform and the application provider service terminal;

步骤307,智能卡经由应用提供商业务终端和应用提供商管理平台向卡发行商管理平台提交INSTALL命令响应;Step 307, the smart card submits the INSTALL command response to the card issuer management platform via the application provider service terminal and the application provider management platform;

步骤308,卡发行商管理平台通过PUTKEY命令,经由应用提供商管理平台和应用提供商业务终端向智能卡主安全域发送从安全域初始密钥;Step 308, the card issuer management platform sends the initial key of the secondary security domain to the smart card primary security domain via the application provider management platform and the application provider service terminal through the PUTKEY command;

步骤309,智能卡主安全域接收到从安全域初始密钥后,用接收到的从安全域初始密钥初始化从安全域;Step 309, after the master security domain of the smart card receives the initial key from the security domain, initialize the slave security domain with the received initial key from the security domain;

步骤310,智能卡主安全域经由应用提供商业务终端和应用提供商管理平台向卡发行商管理平台发送PUTKEY命令响应,结束从安全域初始密钥分发过程。Step 310, the primary security domain of the smart card sends a PUTKEY command response to the card issuer management platform via the service terminal of the application provider and the management platform of the application provider, and ends the initial key distribution process of the secondary security domain.

本发明智能卡从安全域初始密钥分发方法和系统,可以解决在发卡后,针对对称密钥的情况,在创建从安全域时,将卡发行商管理平台生成的从安全域初始密钥安全的导入到从安全域,从而实现从安全域初始密钥的安全分发。The smart card secondary security domain initial key distribution method and system of the present invention can solve the problem of the security of the secondary security domain initial key generated by the card issuer management platform when creating the secondary security domain for the symmetric key after the card is issued. Import to the secondary security domain, so as to realize the safe distribution of the initial key of the secondary security domain.

本发明还可有其他多种实施例,在不背离本发明精神及其实质的情况下,熟悉本领域的技术人员当可根据本发明做出各种相应的改变和变形,这些相应的改变和变形都应属于本发明所附的权利要求的保护范围。The present invention can also have other multiple embodiments, without departing from the spirit and essence of the present invention, those skilled in the art can make various corresponding changes and deformations according to the present invention, these corresponding changes and All deformations should belong to the protection scope of the appended claims of the present invention.

Claims (8)

1.智能卡的从安全域初始密钥分发方法,其特征在于,该方法基于移动终端电子支付系统实现,该系统包括具有电子支付应用功能的智能卡、卡发行商管理平台及业务终端,所述智能卡为一独立设备或安装在移动终端上;所述智能卡通过所述业务终端与所述卡发行商管理平台进行通信,所述卡发行商管理平台通过所述业务终端将从安全域初始密钥分发给所述智能卡;该方法包括:1. The initial key distribution method of a smart card from a security domain is characterized in that the method is realized based on a mobile terminal electronic payment system, and the system includes a smart card with an electronic payment application function, a card issuer management platform and a service terminal, and the smart card It is an independent device or installed on a mobile terminal; the smart card communicates with the card issuer management platform through the service terminal, and the card issuer management platform distributes the initial key from the security domain through the service terminal to said smart card; the method comprising: (a)用户通过智能卡程序或业务终端客户端程序触发应用下载请求,并向所述卡发行商管理平台提交应用下载请求,所述应用下载请求中包括智能卡标识信息、应用标识及应用提供商身份信息;(a) The user triggers the application download request through the smart card program or the service terminal client program, and submits the application download request to the card issuer management platform, and the application download request includes the smart card identification information, application identification and application provider identity information; (b)所述卡发行商管理平台收到应用下载请求信息后,所述卡发行商管理平台和所述智能卡主安全域之间建立安全信道;(b) After the card issuer management platform receives the application download request information, a secure channel is established between the card issuer management platform and the smart card main security domain; (c)所述卡发行商管理平台创建从安全域及生成从安全域初始密钥,通过建立的安全信道经由所述业务终端将安全域初始密钥导入到所述智能卡从安全域。(c) The card issuer management platform creates a secondary security domain and generates a secondary security domain initial key, and imports the security domain initial key into the smart card secondary security domain via the service terminal through the established secure channel. 2.如权利要求1所述的方法,其特征在于,2. The method of claim 1, wherein 步骤(b)之后,步骤(c)之前,还包括:所述卡发行商管理平台根据所述智能卡标识信息,应用标识及应用提供商身份信息,或者根据智能卡状态信息,判断是否创建从安全域。After the step (b), before the step (c), it also includes: the card issuer management platform judges whether to create a secondary security domain according to the smart card identification information, application identification and application provider identity information, or according to the smart card status information. . 3.如权利要求1所述的方法,其特征在于,3. The method of claim 1, wherein, 步骤(b)建立安全信道的过程包括:(b1)所述卡发行商管理平台与智能卡主安全域经由所述业务终端进行互认证,所述互认证过程经由所述业务终端在所述卡发行商管理平台和所述智能卡主安全域之间完成;(b2)所述卡发行商管理平台与所述智能卡主安全域之间建立临时会话密钥,从而建立安全信道。Step (b) The process of establishing a secure channel includes: (b1) The card issuer management platform and the main security domain of the smart card perform mutual authentication via the service terminal, and the mutual authentication process passes through the service terminal in the card issuer (b2) establishing a temporary session key between the card issuer management platform and the smart card main security domain, thereby establishing a secure channel. 4.如权利要求1至3中任一项所述的方法,其特征在于,4. The method according to any one of claims 1 to 3, wherein 所述业务终端为卡发行商业务终端,所述卡发行商管理平台与所述智能卡间的交互信息通过卡发行商业务终端转发;或者,所述业务终端为应用提供商业务终端,从所述卡发行商管理平台到所述智能卡的消息依次通过应用提供商管理平台和应用提供商业务终端转发,从所述智能卡到所述卡发行商管理平台的消息依次通过应用提供商业务终端和应用提供商管理平台转发。The service terminal is a card issuer service terminal, and the interactive information between the card issuer management platform and the smart card is forwarded through the card issuer service terminal; or, the service terminal is an application provider service terminal, from the The message from the card issuer management platform to the smart card is forwarded sequentially through the application provider management platform and the application provider service terminal, and the message from the smart card to the card issuer management platform is sequentially passed through the application provider service terminal and the application provider Business management platform forwarding. 5.智能卡的从安全域初始密钥分发系统,其特征在于,该系统包括具有电子支付应用功能的智能卡、卡发行商管理平台及业务终端;5. The initial key distribution system from the security domain of the smart card is characterized in that the system includes a smart card with electronic payment application functions, a card issuer management platform and a business terminal; 所述智能卡通过所述业务终端与所述卡发行商管理平台进行通信;还用于提供向所述卡发行商管理平台提交应用下载请求的支持,与卡发行商管理平台进行互认证及建立临时会话密钥,还用于解密获得的从安全域初始密钥,以及对从安全域进行初始化;The smart card communicates with the card issuer management platform through the service terminal; it is also used to provide support for submitting an application download request to the card issuer management platform, perform mutual authentication with the card issuer management platform and establish a temporary The session key is also used to decrypt the obtained initial key of the secondary security domain and initialize the secondary security domain; 所述卡发行商管理平台,用于通过所述业务终端将从安全域初始密钥分发给所述智能卡;还用于与所述智能卡主安全域进行互认证及建立临时会话密钥,还用于根据应用下载请求或智能卡状态信息判断是否建立从安全域,以及建立从安全域,生成并向智能卡分发从安全域初始密钥。The card issuer management platform is used to distribute the initial key from the security domain to the smart card through the service terminal; it is also used to perform mutual authentication and establish a temporary session key with the main security domain of the smart card, and also use Based on judging whether to establish a secondary security domain according to the application download request or the status information of the smart card, and establishing the secondary security domain, generating and distributing the initial key of the secondary security domain to the smart card. 6.如权利要求5所述的系统,其特征在于,6. The system of claim 5, wherein: 所述业务终端为卡发行商业务终端,用于对所述卡发行商管理平台与所述智能卡间的交互信息进行转发;或者;The service terminal is a card issuer service terminal, which is used to forward the interaction information between the card issuer management platform and the smart card; or; 所述业务终端为应用提供商业务终端,所述系统还包括应用提供商管理平台;The service terminal is an application provider service terminal, and the system also includes an application provider management platform; 所述应用提供商业务终端,用于接收所述应用提供商管理平台发送的消息并转发给所述智能卡;还用于接收所述智能卡发送的消息并转发给所述应用提供商管理平台;The application provider service terminal is used to receive the message sent by the application provider management platform and forward it to the smart card; it is also used to receive the message sent by the smart card and forward it to the application provider management platform; 所述应用提供商管理平台,用于接收所述卡发行商管理平台发送的消息并转发给所述应用提供商业务终端;还用于接收所述应用提供商业务终端发送的消息并转发给所述卡发行商管理平台。The application provider management platform is used to receive the message sent by the card issuer management platform and forward it to the application provider service terminal; it is also used to receive the message sent by the application provider service terminal and forward it to the The card issuer management platform. 7.如权利要求5或6所述的系统,其特征在于,7. A system as claimed in claim 5 or 6, characterized in that, 所述智能卡为一独立设备或安装在移动终端上。The smart card is an independent device or installed on a mobile terminal. 8.一种采用如权利要求1所述智能卡的从安全域初始密钥分发方法的移动终端,所述移动终端包括具有电子支付应用功能的智能卡,其特征在于,所述智能卡从安全域的初始密钥由卡发行商管理平台通过卡发行商业务终端分发,或者通过应用提供商管理平台和应用提供商业务终端分发。8. A mobile terminal adopting a method for initial key distribution from a security domain of a smart card as claimed in claim 1, said mobile terminal comprising a smart card with an electronic payment application function, characterized in that said smart card is initialized from a security domain The key is distributed by the card issuer management platform through the card issuer service terminal, or through the application provider management platform and the application provider service terminal.
CN2008101770164A 2008-11-10 2008-11-10 Method and system for distributing secondary security domain initial keys of smart card and mobile terminal Active CN101742481B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2008101770164A CN101742481B (en) 2008-11-10 2008-11-10 Method and system for distributing secondary security domain initial keys of smart card and mobile terminal
PCT/CN2009/073485 WO2010051713A1 (en) 2008-11-10 2009-08-25 Method, system and mobile terminal for distributing the initial key of security sub-domain of a smart card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008101770164A CN101742481B (en) 2008-11-10 2008-11-10 Method and system for distributing secondary security domain initial keys of smart card and mobile terminal

Publications (2)

Publication Number Publication Date
CN101742481A CN101742481A (en) 2010-06-16
CN101742481B true CN101742481B (en) 2013-03-20

Family

ID=42152476

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101770164A Active CN101742481B (en) 2008-11-10 2008-11-10 Method and system for distributing secondary security domain initial keys of smart card and mobile terminal

Country Status (2)

Country Link
CN (1) CN101742481B (en)
WO (1) WO2010051713A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101916388B (en) * 2010-07-27 2013-06-05 武汉天喻信息产业股份有限公司 Smart SD card and method for using same for mobile payment
CN105991529A (en) * 2014-11-07 2016-10-05 天地融科技股份有限公司 Data interaction method and system
CN105991530A (en) * 2014-11-07 2016-10-05 天地融科技股份有限公司 Data interaction system
CN105790938B (en) * 2016-05-23 2019-02-19 中国银联股份有限公司 Secure unit key generation system and method based on trusted execution environment
CN107493167B (en) * 2016-06-13 2021-01-29 广州江南科友科技股份有限公司 Terminal key distribution system and terminal key distribution method thereof
CN113490211B (en) * 2021-06-17 2023-03-24 中国联合网络通信集团有限公司 Auxiliary security domain establishing method, SM-SR and system
CN113490210B (en) * 2021-06-17 2023-03-24 中国联合网络通信集团有限公司 Method and system for establishing auxiliary security domain

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7194438B2 (en) * 2004-02-25 2007-03-20 Nokia Corporation Electronic payment schemes in a mobile environment for short-range transactions
US7628322B2 (en) * 2005-03-07 2009-12-08 Nokia Corporation Methods, system and mobile device capable of enabling credit card personalization using a wireless network
US7469151B2 (en) * 2006-09-01 2008-12-23 Vivotech, Inc. Methods, systems and computer program products for over the air (OTA) provisioning of soft cards on devices with wireless communications capabilities
CN101140649A (en) * 2007-10-22 2008-03-12 中兴通讯股份有限公司 Method and system for realizing e-commerce by using mobile phone integrated with RFID chip

Also Published As

Publication number Publication date
CN101742481A (en) 2010-06-16
WO2010051713A1 (en) 2010-05-14

Similar Documents

Publication Publication Date Title
CN101742480B (en) Method and system for distributing initial key of slave security domain of intelligent card and mobile terminal
CN101729502B (en) Method and system for distributing key
US9191813B2 (en) System and method for managing OTA provisioning applications through use of profiles and data preparation
CN101729493B (en) Method and system for distributing key
CN101729503B (en) Method and system for distributing key
CN102630083B (en) System for using mobile terminal to carry out card operation and method thereof
CN101742481B (en) Method and system for distributing secondary security domain initial keys of smart card and mobile terminal
CN101739756B (en) Method for generating secrete key of smart card
CN101923757A (en) Mobile payment management system
CN202444629U (en) System for carrying out card operation by using mobile terminal
CN103366140A (en) Card writing method and card writing device based on NFC (Near Field Communication)
CN101742478B (en) Method and system for updating and distributing key of slave security domain of intelligent card and mobile terminal
CN103262590A (en) System and method for providing confidential information over the air on a mobile communication device with a non-UICC secure element
CN101729244A (en) Method and system for distributing key
CN101729246B (en) Method and system for distributing key
CN105303377B (en) A kind of key of slave security domain of intelligent card update method and electronic fare payment system
CN102685704B (en) Method and system for mobile phone trading
CN101729245B (en) Key distribution method and system
EP2022016A1 (en) Method and system for loading value to a smartcard
CN101727706B (en) Electronic payment system and method for updating mobile user numbers corresponding to intelligent cards
CN101877835A (en) STK (SIM (Subscriber Identity Module) Tool Kit) business processing method and system as well as mobile terminal
CN103270733A (en) Systems and methods for managing OTA provisioning applications by using profiling and data preparation
KR20130048909A (en) Method for providing collective application of module type
CN103986739A (en) Mobile device, conversion system and conversion method of virtual valuables

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant