CN103685194A - Capacity calling method and device, and terminal - Google Patents
Publication number: CN103685194A (application CN201210352570.8A)
Authority: CN (China)
Prior art keywords: application, request message, ability, appointment, capability
Prior art date: 2012-09-20
Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classification: Mobile Radio Communication Systems
Abstract
The invention discloses a capability invocation method, device and terminal. The method comprises: receiving a first capability invocation request message sent by a designated application in the terminal, the designated application being one of the applications on the terminal that hold capability invocation permission; adding verification information corresponding to the designated application to the first capability invocation request message to generate a second capability invocation request message; sending the second capability invocation request message to the capability open platform; and receiving the corresponding capability invocation response message returned by the capability open platform and forwarding it to the designated application. The method, device and terminal save network resources and terminal resources.
Description
Technical field
The present invention relates to the field of wireless communication, and in particular to a capability invocation method, device and terminal.
Background
With the growth of the Internet and the continual enrichment of Internet applications, and facing the opportunities and challenges this brings, telecom operators, building on efforts to step up application innovation and tap the growth potential of value-added services, have begun opening up telecom and Internet capabilities to attract developers worldwide, lowering the barrier to application innovation across the board so that more long-tail applications can be built on the opened capabilities.
Moreover, the mobile Internet has created openings for new business models such as in-app billing. This forward-charging model, in which the end user is billed, has however led to frequent theft of billing codes, forged user identities, and tampered or counterfeit applications: some users are charged maliciously, operators receive complaints, and the commercial interests of both developers and operators suffer. In addition, because terminal operating systems are open source, smart terminals are widespread, and a single terminal application, once released, is downloaded and run on a large number of terminals, terminal applications and the capabilities opened to them face greater security risks and challenges.
In capability opening for terminal application scenarios, how to ensure the security of the opened capabilities and of application use, and to protect billing, user privacy, applications and content, is therefore always the key issue, and an effective security mechanism is needed to meet these security requirements.
Existing capability opening systems deploy a security component inside each application. This causes the same logic to be downloaded and installed repeatedly, which costs network resources and occupies a large amount of terminal resources once installed. Deploying a security component in every application also makes it hard to keep each security component updated.
Summary of the invention
Embodiments of the present invention provide a capability invocation method, device and terminal to solve the prior-art problems of high network resource overhead when downloading applications and high resource occupation by applications installed on the terminal.
An embodiment of the present invention provides a capability invocation method, comprising:
receiving a first capability invocation request message sent by a designated application in the terminal, where the designated application is one of the applications on the terminal that hold capability invocation permission;
adding verification information corresponding to the designated application to the first capability invocation request message to generate a second capability invocation request message;
sending the second capability invocation request message to the capability open platform; and
receiving the corresponding capability invocation response message returned by the capability open platform and sending it to the designated application.
An embodiment of the present invention provides a capability invocation device, comprising:
a receiving unit, configured to receive a first capability invocation request message sent by a designated application in the terminal, where the designated application is one of the applications on the terminal that hold capability invocation permission, and to receive the corresponding capability invocation response message returned by the capability open platform and send it to the designated application;
an adding unit, configured to add verification information corresponding to the designated application to the first capability invocation request message and generate a second capability invocation request message; and
a sending unit, configured to send the second capability invocation request message to the capability open platform.
An embodiment of the present invention provides a terminal comprising the above capability invocation device.
The beneficial effects of the present invention include:
In the method provided by the embodiments, when a terminal hosts multiple applications, any of them can send its capability invocation request message to the capability open platform through a single security middleware and obtain the capability invocation response message the platform returns. There is thus no need to download and install a security component separately in each application on the terminal; one security middleware is downloaded and installed on the terminal instead, which reduces the network overhead of application downloads and the terminal resources occupied by installed applications.
Description of drawings
The accompanying drawings are provided for a further understanding of the invention and form part of the specification; together with the embodiments they serve to explain the invention and do not limit it. In the drawings:
FIG. 1 is a flowchart of the capability invocation method provided by an embodiment of the present invention;
FIG. 2 is a detailed flowchart of the capability invocation method provided by an embodiment of the present invention;
FIG. 3 is a detailed flowchart of the security middleware obtaining an application key from the capability open platform, provided by an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of the capability invocation device provided by an embodiment of the present invention.
Detailed description
To provide an implementation that saves network and terminal resources, embodiments of the present invention provide a capability invocation method, device and terminal. Preferred embodiments are described below with reference to the drawings. It should be understood that the preferred embodiments described here only illustrate and explain the invention and do not limit it. Where no conflict arises, the embodiments of this application and the features in them may be combined with one another.
An embodiment of the present invention provides a capability invocation method which, as shown in FIG. 1, comprises:
Step 101: receiving a first capability invocation request message sent by a designated application in the terminal, where the designated application is one of the applications on the terminal that hold capability invocation permission;
Step 102: adding verification information corresponding to the designated application to the first capability invocation request message to generate a second capability invocation request message;
Step 103: sending the second capability invocation request message to the capability open platform;
Step 104: receiving the corresponding capability invocation response message returned by the capability open platform and sending it to the designated application.
The method provided by the present invention is described in detail below with specific embodiments and with reference to the drawings.
FIG. 2 is a detailed flowchart of the capability invocation method provided by an embodiment of the present invention, which specifically comprises:
Step 201: the designated application sends a first capability invocation request message carrying its application identifier AppID to the security middleware on the terminal it belongs to.
The designated application may be any one of the multiple applications on the terminal; that is, whenever any application invokes a capability, it sends a first capability invocation request message carrying its application identifier to the security middleware.
Step 202: the security middleware receives the first capability invocation request message and returns to the designated application a verification indication message carrying a random number Random.
Step 203: the designated application receives the verification indication message and generates a first message digest H1 from its application key AppKey and Random.
Step 204: the designated application sends a verification request message carrying H1 to the security middleware.
Step 205: the security middleware receives the verification request message and verifies the designated application, specifically:
it obtains the application key corresponding to the designated application, generates a second message digest H2 from that application key and Random, and checks whether H1 and H2 are identical.
If a key corresponding to the designated application exists among the locally stored application keys, it is used directly; if not, the security middleware obtains the application key for the designated application from the capability open platform, following the procedure of FIG. 3.
If H1 and H2 are identical, verification succeeds and the flow proceeds to step 206; if they differ, verification fails and the flow stops.
Step 206: the security middleware adds to the first capability invocation request message a pseudonymous code PID generated from the terminal's mobile subscriber international number MSISDN and AppID, a Counter equal to the number of first capability invocation request messages the security middleware has received from the designated application, and a terminal token TerToken generated from the authentication factor Seed and Counter, thereby generating a second capability invocation request message carrying AppID, PID, Counter and TerToken.
Step 207: the security middleware sends the second capability invocation request message to the capability open platform.
Step 208: the capability open platform receives the second capability invocation request message and verifies TerToken, specifically:
it generates a token from the authentication factor shared with the security middleware and Counter, and checks whether TerToken and this token are identical.
If they are identical, verification succeeds and the flow proceeds to step 209; if they differ, verification fails and an error code is returned.
Step 209: the capability open platform verifies in turn the subscription relationship between the application and the capability, the ordering relationship between the user and the application product, the developer's sub-account and the user's account.
If verification succeeds, the flow proceeds to step 210; if it fails, an error code is returned.
Step 210: the capability open platform performs pre-deduction (fee withholding) for the application and the user.
Step 211: the capability open platform sends an invocation request message to the capability platform.
Step 212: the capability platform returns a capability invocation response message to the capability open platform.
Step 213: the capability open platform receives the capability invocation response message and sends it to the security middleware.
Step 214: the security middleware receives the capability invocation response message and sends it to the designated application.
After completing the capability invocation, the capability open platform may also carry out operations such as fee deduction; this is existing technology and is not described further here.
FIG. 3 is a detailed flowchart of the security middleware obtaining the application key for the designated application from the capability open platform when, in step 205 above, no key corresponding to the designated application exists among the security middleware's locally stored application keys. It specifically comprises:
Step 301: the security middleware generates a third message digest H3 from the security middleware key Mkey, AppID, H1, Random and a timestamp Timestamp.
Step 302: the security middleware sends to the capability open platform a designated-application key acquisition request message carrying the security middleware identifier MiddlewareID, AppID, H1, H3, Random and Timestamp.
Step 303: the capability open platform receives the key acquisition request message and verifies H3, specifically:
the capability open platform looks up the security middleware key corresponding to the security middleware by MiddlewareID, generates a fourth message digest H4 from that key, AppID, H1, Random and Timestamp, and checks whether H3 and H4 are identical.
If H3 and H4 are identical, H3 is verified and the flow proceeds to step 304; if they differ, verification of H3 fails and the flow stops.
Step 304: the capability open platform verifies H1, specifically:
the capability open platform looks up the application key corresponding to the designated application by AppID, generates a fifth message digest H5 from that application key and Random, and checks whether H1 and H5 are identical.
If H1 and H5 are identical, H1 is verified and the flow proceeds to step 305; if they differ, verification of H1 fails and the flow stops.
Step 305: the capability open platform returns to the security middleware a key response message carrying the application key corresponding to the designated application.
Preferably, the application key corresponding to the designated application is encrypted with the security middleware key corresponding to the security middleware, and the capability open platform returns a key response message carrying the encrypted application key.
Step 306: the security middleware receives the key response message.
The security middleware decrypts the encrypted application key, obtains the application key corresponding to the designated application, and stores it locally.
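The two message flows above (FIG. 2, steps 201-208, and FIG. 3, steps 301-306) modelled end to end in Python, with application, security middleware and capability open platform as three parties. This is an added illustration, not code from the patent or from any capability open platform. The patent says only that each digest is "generated based on" its inputs, so the following are assumptions of this example: HMAC-SHA256 over length-prefixed fields for H1 to H5 and TerToken; SHA-256 of MSISDN and AppID for PID; a 300-second freshness window on Timestamp; rejection at the platform of a Counter no higher than the last one accepted; and XOR with an HMAC-derived keystream as a stand-in for the encryption of AppKey under Mkey in step 305. All keys, identifiers and MSISDNs are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

# Assumed digest construction for H1..H5 and TerToken (the patent only says "generated
# based on"): HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous.
def mac(key: bytes, *parts: bytes) -> bytes:
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

# Assumed stand-in for encrypting AppKey under Mkey (step 305): XOR with an HMAC-derived
# keystream, so the same call decrypts (step 306). Production code would use AES-GCM.
def wrap(mkey: bytes, nonce: bytes, data: bytes) -> bytes:
    assert len(data) <= 32
    return bytes(a ^ b for a, b in zip(data, mac(mkey, b"wrap", nonce)))

class CapabilityOpenPlatform:
    def __init__(self, app_keys, mkeys, seeds):
        self.app_keys, self.mkeys, self.seeds = app_keys, mkeys, seeds
        self.last_counter = {}  # (MiddlewareID, AppID) -> highest Counter accepted

    def fetch_app_key(self, req):  # FIG. 3, steps 303-305
        mkey = self.mkeys[req["MiddlewareID"]]
        if abs(time.time() - req["Timestamp"]) > 300:  # assumed freshness window
            return {"error": "stale Timestamp"}
        h4 = mac(mkey, req["AppID"].encode(), req["H1"], req["Random"],
                 str(req["Timestamp"]).encode())
        if not hmac.compare_digest(h4, req["H3"]):
            return {"error": "H3 mismatch"}  # step 303 fails: stop
        app_key = self.app_keys.get(req["AppID"])
        if not app_key or not hmac.compare_digest(mac(app_key, req["Random"]), req["H1"]):
            return {"error": "H1 mismatch"}  # step 304 fails: stop
        nonce = secrets.token_bytes(16)
        return {"nonce": nonce, "enc_key": wrap(mkey, nonce, app_key)}

    def verify_request(self, mw_id, req):  # FIG. 2, step 208
        token = mac(self.seeds[mw_id], req["Counter"].to_bytes(8, "big"))
        if not hmac.compare_digest(token, req["TerToken"]):
            return "ERR_TOKEN"
        k = (mw_id, req["AppID"])
        if req["Counter"] <= self.last_counter.get(k, 0):
            return "ERR_REPLAY"  # assumed: a reused Counter is rejected
        self.last_counter[k] = req["Counter"]
        return "OK"

class App:
    def __init__(self, app_key):
        self.app_key = app_key

    def prove(self, rand):  # step 203: H1 from AppKey and Random
        return mac(self.app_key, rand)

class SecurityMiddleware:
    def __init__(self, mw_id, mkey, seed, msisdn, platform):
        self.mw_id, self.mkey, self.seed, self.msisdn = mw_id, mkey, seed, msisdn
        self.platform, self.key_cache, self.counters, self.last_req = platform, {}, {}, None

    def call_capability(self, app, app_id, payload):  # FIG. 2, steps 201-208
        rand = secrets.token_bytes(16)  # step 202
        h1 = app.prove(rand)  # steps 203-204
        app_key = self.key_cache.get(app_id)
        if app_key is None:  # cache miss: FIG. 3, steps 301-306
            ts = int(time.time())
            h3 = mac(self.mkey, app_id.encode(), h1, rand, str(ts).encode())
            resp = self.platform.fetch_app_key({"MiddlewareID": self.mw_id, "AppID": app_id,
                                                "H1": h1, "H3": h3, "Random": rand, "Timestamp": ts})
            if "error" in resp:
                return "ERR_KEY_FETCH"
            app_key = self.key_cache[app_id] = wrap(self.mkey, resp["nonce"], resp["enc_key"])
        if not hmac.compare_digest(h1, mac(app_key, rand)):  # step 205: H1 == H2?
            return "ERR_APP_AUTH"
        counter = self.counters[app_id] = self.counters.get(app_id, 0) + 1  # step 206
        self.last_req = {
            "AppID": app_id, "payload": payload, "Counter": counter,
            # PID: assumed to be a hash of MSISDN and AppID (patent says only "generated from")
            "PID": hashlib.sha256((self.msisdn + app_id).encode()).hexdigest(),
            "TerToken": mac(self.seed, counter.to_bytes(8, "big")),
        }
        return self.platform.verify_request(self.mw_id, self.last_req)  # steps 207-208

def demo():
    """Runs both flows on constructed sample keys, identifiers and MSISDNs."""
    app_key, mkey, seed = (secrets.token_bytes(32) for _ in range(3))
    platform = CapabilityOpenPlatform({"app-001": app_key}, {"mw-01": mkey, "mw-02": mkey},
                                      {"mw-01": seed, "mw-02": seed})
    mw1 = SecurityMiddleware("mw-01", mkey, seed, "8613800000000", platform)
    mw2 = SecurityMiddleware("mw-02", mkey, seed, "8613800000001", platform)
    good, rogue = App(app_key), App(secrets.token_bytes(32))  # rogue holds the wrong AppKey
    return {
        "cold_cache": mw1.call_capability(good, "app-001", b"sms.send"),   # FIG. 3, then FIG. 2
        "warm_cache": mw1.call_capability(good, "app-001", b"sms.send"),   # FIG. 2 only
        "rogue_warm": mw1.call_capability(rogue, "app-001", b"sms.send"),  # fails at step 205
        "rogue_cold": mw2.call_capability(rogue, "app-001", b"sms.send"),  # fails at step 304
        "replayed": platform.verify_request("mw-01", mw1.last_req),        # Counter reused
        "key_cached": "app-001" in mw1.key_cache and "app-001" not in mw2.key_cache,
    }

if __name__ == "__main__":
    print(demo())
```

demo() exercises the cold-cache path (key fetch, then invocation), the warm-cache path, an application holding the wrong AppKey on each path (rejected by the middleware at step 205 or by the platform at step 304), and a resubmitted second capability invocation request message. Two details the flowcharts leave implicit are made explicit here: digests are compared with hmac.compare_digest rather than ==, and the platform remembers the last Counter it accepted per (MiddlewareID, AppID). The second matters because TerToken depends only on Seed and Counter, so a platform that merely recomputes the token would accept a captured message a second time.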
Downloading and installing the security middleware places no new development requirements on developers. Users can obtain and install the security middleware installation file in various ways, such as client integration or website download; once installed, the security middleware automatically starts its initialization procedure.
With the method provided by the embodiments, then, there is no need to download and install a security component separately in each application on the terminal; a single security middleware is downloaded and installed on the terminal instead, which reduces the network overhead of application downloads and the terminal resources occupied by installed applications.
The security middleware can also update its version automatically. It communicates with the capability open platform at regular intervals to obtain its version information, downloads any new version it finds, and completes the replacement in the background. This solves the prior-art problem that security components deployed in every application are hard to update.
Based on the same inventive concept and on the capability invocation method of the above embodiments, an embodiment of the present invention also provides a capability invocation device, which corresponds to the security middleware in the above method. Its structure is shown in FIG. 4 and specifically comprises:
a receiving unit 401, configured to receive a first capability invocation request message sent by a designated application in the terminal, where the designated application is one of the applications on the terminal that hold capability invocation permission, and to receive the corresponding capability invocation response message returned by the capability open platform and send it to the designated application;
an adding unit 402, configured to add verification information corresponding to the designated application to the first capability invocation request message and generate a second capability invocation request message; and
a sending unit 403, configured to send the second capability invocation request message to the capability open platform.
Further, the receiving unit 401 is specifically configured to receive the first capability invocation request message, carrying the designated application identifier AppID, sent by the designated application in the terminal;
and the adding unit 402 is specifically configured to add to the first capability invocation request message the pseudonymous code PID generated from the terminal's mobile subscriber international number MSISDN and AppID, the Counter equal to the number of first capability invocation request messages the receiving unit 401 has received from the designated application, and the terminal token TerToken generated from the authentication factor Seed and Counter.
Further, the capability invocation device also comprises:
a verification unit 404, configured to verify the designated application successfully before the verification information corresponding to the designated application is added to the first capability invocation request message.
Further, the verification unit 404 is specifically configured to return to the designated application a verification indication message carrying a random number Random; receive from the designated application a verification request message carrying a first message digest H1 generated from the designated application's key AppKey and Random; obtain the application key corresponding to the designated application, generate a second message digest H2 from that key and Random, and determine that H1 and H2 are identical.
Further, the verification unit 404 is specifically configured, when a key corresponding to the designated application exists among the locally stored application keys, to retrieve that key; and when no such key exists locally, to send a designated-application key acquisition request message to the capability open platform and receive the key response message returned by the platform carrying the application key corresponding to the designated application.
The capability invocation device also provides application integrity detection, sensitive-information protection, security hardening, and support for local simulation testing and remote invocation testing.
Application integrity detection: the capability invocation device computes a MAC fingerprint (the original expands MAC as media access control; for an integrity fingerprint a message authentication code is what is meant) and matches it against a securely stored MAC fingerprint, to prevent the device from being tampered with during download or at run time once it is live.
Sensitive-information protection: the capability invocation device provides application-software-level protection of sensitive information (independent of hardware and of any modification or customization of the operating system), using mechanisms such as encrypted storage, dispersed storage, code obfuscation, security algorithm transformation and prompt clearing of memory, so that the AppKey preset in the device cannot be recovered statically (for example by reverse-engineering analysis) or dynamically (for example by memory sniffing or dynamic code tracing).
Security hardening: software engineering methods such as code obfuscation are used to ensure that the application programming interface (API) provided by the capability invocation device cannot be illegally tampered with under any circumstances (including static reverse-engineering analysis and dynamic code tracing), and to prevent the device itself from being illegally tampered with statically or dynamically; that is, once the device has been tampered with, it must refuse to execute and report an error.
Support for local simulation testing: the capability invocation device can recognize the user environment and, in a test environment, disables the initialization procedure, so that terminal applications can be tested locally in simulation.
Support for remote invocation testing: so that developers can test online with an emulator, the capability invocation device supports the emulator test function.
Based on the same inventive concept and on the capability invocation method of the above embodiments, an embodiment of the present invention also provides a terminal comprising the capability invocation device shown in FIG. 4.
In summary, the solution provided by the embodiments of the present invention comprises: receiving a first capability invocation request message sent by a designated application in the terminal, where the designated application is one of the applications on the terminal that hold capability invocation permission; adding verification information corresponding to the designated application to the first capability invocation request message to generate a second capability invocation request message; sending the second capability invocation request message to the capability open platform; and receiving the corresponding capability invocation response message returned by the capability open platform and sending it to the designated application. With this solution, network resources and terminal resources are saved while the security of capability opening is preserved.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210352570.8A CN103685194B (en) | 2012-09-20 | 2012-09-20 | Capacity calling method and device, and terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210352570.8A CN103685194B (en) | 2012-09-20 | 2012-09-20 | Capacity calling method and device, and terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103685194A true CN103685194A (en) | 2014-03-26 |
CN103685194B CN103685194B (en) | 2017-02-22 |
Family ID: 50321520
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210352570.8A Active CN103685194B (en) | 2012-09-20 | 2012-09-20 | Capacity calling method and device, and terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103685194B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105491557A (en) * | 2014-09-15 | 2016-04-13 | 中兴通讯股份有限公司 | System and method for achieving capability opening, and capability opening platform |
CN107261502A (en) * | 2017-05-10 | 2017-10-20 | 珠海金山网络游戏科技有限公司 | A kind of anti-external store system of game on line based on procotol and method |
CN107645474A (en) * | 2016-07-20 | 2018-01-30 | 腾讯科技(深圳)有限公司 | Log in the method for open platform and log in the device of open platform |
CN107645521A (en) * | 2016-07-21 | 2018-01-30 | 平安科技(深圳)有限公司 | Functional unit installation method, terminal and server |
CN108156122A (en) * | 2016-12-06 | 2018-06-12 | 中移(杭州)信息技术有限公司 | Ability introducing method, system and the equipment of ability open platform |
CN109144743A (en) * | 2017-06-28 | 2019-01-04 | 阿里巴巴集团控股有限公司 | A kind of acquisition methods of data, device and equipment |
US10484486B2 (en) | 2015-05-22 | 2019-11-19 | Zte Corporation | Capability opening method and system, and capability opening function entity |
CN112131597A (en) * | 2019-10-22 | 2020-12-25 | 刘高峰 | Method and device for generating encrypted information and intelligent equipment |
CN114844644A (en) * | 2022-03-16 | 2022-08-02 | 深信服科技股份有限公司 | Resource request method, device, electronic equipment and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101969475A (en) * | 2010-11-15 | 2011-02-09 | 张军 | Business data controllable distribution and fusion application system based on cloud computing |
CN102065573A (en) * | 2010-12-28 | 2011-05-18 | 北京高信达通信技术有限公司福州分公司 | WAP gateway agent service data processing method and server |
CN102082771A (en) * | 2009-11-30 | 2011-06-01 | 中国移动通信集团福建有限公司 | Service management middleware based on ESB (enterprise service bus) technology |
CN102572815A (en) * | 2010-12-29 | 2012-07-11 | 中国移动通信集团公司 | Method, system and device for processing terminal application request |
Events
- 2012-09-20 CN CN201210352570.8A patent/CN103685194B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102082771A (en) * | 2009-11-30 | 2011-06-01 | 中国移动通信集团福建有限公司 | Service management middleware based on ESB (enterprise service bus) technology |
CN101969475A (en) * | 2010-11-15 | 2011-02-09 | 张军 | Business data controllable distribution and fusion application system based on cloud computing |
CN102065573A (en) * | 2010-12-28 | 2011-05-18 | 北京高信达通信技术有限公司福州分公司 | WAP gateway agent service data processing method and server |
CN102572815A (en) * | 2010-12-29 | 2012-07-11 | 中国移动通信集团公司 | Method, system and device for processing terminal application request |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105491557B (en) * | 2014-09-15 | 2020-04-21 | 中兴通讯股份有限公司 | A system, method and capability opening platform for realizing capability opening |
CN105491557A (en) * | 2014-09-15 | 2016-04-13 | 中兴通讯股份有限公司 | System and method for achieving capability opening, and capability opening platform |
US10484486B2 (en) | 2015-05-22 | 2019-11-19 | Zte Corporation | Capability opening method and system, and capability opening function entity |
CN107645474A (en) * | 2016-07-20 | 2018-01-30 | 腾讯科技(深圳)有限公司 | Method and device for logging in to an open platform |
CN107645474B (en) * | 2016-07-20 | 2020-02-14 | 腾讯科技(深圳)有限公司 | Method and device for logging in open platform |
CN107645521A (en) * | 2016-07-21 | 2018-01-30 | 平安科技(深圳)有限公司 | Functional unit installation method, terminal and server |
CN108156122A (en) * | 2016-12-06 | 2018-06-12 | 中移(杭州)信息技术有限公司 | Capability introduction method, system and device for a capability open platform |
CN108156122B (en) * | 2016-12-06 | 2021-08-13 | 中移(杭州)信息技术有限公司 | Capability introduction method, system and device for capability open platform |
CN107261502A (en) * | 2017-05-10 | 2017-10-20 | 珠海金山网络游戏科技有限公司 | Online game anti-cheat system and method based on a network protocol |
CN109144743A (en) * | 2017-06-28 | 2019-01-04 | 阿里巴巴集团控股有限公司 | Data acquisition method, device and equipment |
CN112131597A (en) * | 2019-10-22 | 2020-12-25 | 刘高峰 | Method and device for generating encrypted information and intelligent equipment |
CN112131597B (en) * | 2019-10-22 | 2025-06-03 | 刘高峰 | A method, device and intelligent device for generating encrypted information |
CN114844644A (en) * | 2022-03-16 | 2022-08-02 | 深信服科技股份有限公司 | Resource request method, device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN103685194B (en) | 2017-02-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103685194B (en) | | Capacity calling method and device, and terminal |
CN111461723B (en) | | Data processing system, method and device based on block chain |
CN102378170B (en) | | Method, device and system of authentication and service calling |
US9009243B2 (en) | | Tracking usage of and sharing data between mobile device applications |
US7784089B2 (en) | | System and method for providing a multi-credential authentication protocol |
CA2837090C (en) | | Apparatus and method of managing a licensable item |
CN102394887A (en) | | OAuth protocol-based safety certificate method of open platform and system thereof |
EP2887607A1 (en) | | Migration of assets of a trusted execution environment |
CN114896570A (en) | | Installation management method, device and system of applet |
CN103620556A (en) | | Binding applications to device capabilities |
CN103095457A (en) | | Login and verification method for application program |
CN102437998B (en) | | Application store system and the method using this application store system to develop |
CN109086596B (en) | | Authentication method, device and system for application program |
WO2020187008A1 (en) | | Service invocation control method, service invocation method, device, and terminal |
CN103067911A (en) | | Method and equipment used for controlling hardware module |
CN108933838B (en) | | Application data processing method and device |
CN103514000A (en) | | Browser plug-in installation method and device |
CN102024124A (en) | | Method, device and system for processing mobile widgets as well as client-side |
CN115964743A (en) | | User identification and user information processing method, device, equipment and medium |
CN113849558B (en) | | Method and device for deploying data sharing service |
CN112636954B (en) | | Server upgrading method and device |
CN109802927B (en) | | Security service providing method and device |
CN109413034A (en) | | Application data display methods, device, computer equipment and storage medium |
CN112131597B (en) | | A method, device and intelligent device for generating encrypted information |
US10939297B1 (en) | | Secure unlock of mobile phone |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |