Disclosure of Invention
Therefore, the application provides a key retrieving method, a server and a user identity card, which are used for solving the problem that user information and assets are lost due to the fact that lawless persons maliciously acquire a user private key through an operator.
In order to achieve the above object, a first aspect of the present application provides a key retrieving method, applied to an operator service server, including:
in response to a key retrieval request sent by a terminal, sending a key retrieval instruction to a first user identity card, wherein the key retrieval request is a request sent by the terminal under the condition that the first user identity card is lost, a first key and a first key parameter for logging in a preset client are arranged in the first user identity card, and the key retrieval instruction is used for instructing the first user identity card to generate an identity verification request;
under the condition that the authentication request returned by the first user identity card is received, an information acquisition request is sent to the terminal;
receiving the first key parameter and a preset destination address returned by the terminal;
carrying out identity verification with the first user identity card according to the first key parameter and the destination address;
under the condition of passing the identity verification, sending a verification passing message to an operator security server, so that the operator security server receives a second key and the first key parameter sent by the terminal, decrypts the second key according to the first key parameter to obtain the first key, and configures a second user identity identification card according to the first key and a second key parameter sent by the terminal, enabling the terminal to log in the preset client through the second user identity identification card, wherein the second key is a key generated by the first user identity identification card by encrypting the first key using the first key parameter and sent to the destination address.
Further, the authenticating with the first subscriber identity module card according to the first key parameter and the destination address includes:
Encrypting the destination address by using the first key parameter to obtain a first encryption result;
the first encryption result is sent to the first user identity identification card so that the first user identity identification card can obtain an identity verification result according to the first encryption result and a second encryption result, wherein the second encryption result is obtained by encrypting the destination address according to a first key parameter by the first user identity identification card;
receiving the identity verification result returned by the first user identity card;
and determining whether the identity verification is passed or not according to the identity verification result.
Further, the destination address is a designated address built in the first user identity card, or the destination address is a temporary address provided by the terminal;
and under the condition that the destination address is a temporary address provided by the terminal, after receiving the first key parameter and the preset destination address returned by the terminal, the method further comprises the following step:
sending the destination address to the first user identity identification card.
In order to achieve the above object, a second aspect of the present application provides a key retrieving method, applied to an operator security server, comprising:
Responding to a verification passing message sent by an operator service server, and acquiring a second key and a first key parameter provided by a terminal;
The authentication passing message is a message sent by the operator service server under the condition of passing the identity authentication of a first user identity identification card, wherein the first user identity identification card is internally provided with a first key and a first key parameter for logging in a preset client, and the second key is a key generated by encrypting the first key by using the first key parameter by the first user identity identification card and sent to a destination address;
decrypting the second key according to the first key parameter to obtain the first key;
and under the condition that a second key parameter provided by the terminal is obtained, configuring a second user identity identification card according to the first key and the second key parameter so that the terminal can log in the preset client through the second user identity identification card.
In order to achieve the above object, a third aspect of the present application provides a key retrieving method, applied to a first subscriber identity module card, including:
receiving a key retrieval instruction sent by an operator service server, wherein the key retrieval instruction is an instruction sent by the operator service server in response to a key retrieval request of a terminal;
sending an identity verification request to the operator service server;
using a preset destination address and a first key parameter built in the first user identity identification card to carry out identity verification on the operator service server;
encrypting the first key by using the first key parameter under the condition that the operator service server passes the identity verification to obtain a second key;
and sending the second key to the destination address so that the terminal can acquire the second key from the destination address, providing the second key and the first key parameter to an operator security server, enabling the operator security server to decrypt the second key according to the first key parameter to acquire the first key, and configuring a second user identity card according to the first key and the second key parameter provided by the terminal so that the terminal can log in the preset client through the second user identity card.
Further, the destination address is a designated address built in the first subscriber identity module card, or the destination address is a temporary address provided by the terminal and forwarded by the operator service server.
Further, the performing identity verification on the operator service server by using a preset destination address and a first key parameter built in the first subscriber identity module card includes:
receiving a first encryption result sent by the operator service server, wherein the first encryption result is obtained by encrypting a destination address provided by the terminal by the operator service server by using a first key parameter provided by the terminal;
encrypting the destination address according to the first key parameter to obtain a second encryption result;
obtaining an identity verification result according to the first encryption result and the second encryption result;
and sending the identity verification result to the operator service server.
In order to achieve the above object, a fourth aspect of the present application provides an operator service server, comprising:
the first sending module is used for responding to a key retrieval request sent by the terminal and sending a key retrieval instruction to the first user identity card, wherein the key retrieval request is a request sent by the terminal under the condition that the first user identity card is lost, a first key and a first key parameter for logging in a preset client are arranged in the first user identity card, and the key retrieval instruction is used for instructing the first user identity card to generate an identity verification request;
the second sending module is used for sending an information acquisition request to the terminal under the condition that the authentication request returned by the first user identity card is received;
the first receiving module is used for receiving the first key parameter returned by the terminal and a preset destination address;
the first verification module is used for carrying out identity verification with the first user identity identification card according to the first key parameter and the destination address;
and the third sending module is used for sending a verification passing message to an operator security server under the condition of passing identity verification, so that the operator security server receives a second key and the first key parameter sent by the terminal, decrypts the second key according to the first key parameter to obtain the first key, configures a second user identity identification card according to the first key and the second key parameter sent by the terminal, and enables the terminal to log in the preset client through the second user identity identification card, wherein the second key is a key generated by the first user identity identification card by encrypting the first key using the first key parameter and sent to the destination address.
In order to achieve the above object, a fifth aspect of the present application provides an operator security server comprising:
the acquisition module is used for responding to the verification passing message sent by the operator service server to acquire a second key and a first key parameter provided by the terminal;
the authentication passing message is a message sent by the operator service server under the condition of passing the identity authentication of a first user identity identification card, wherein the first user identity identification card is internally provided with a first key and a first key parameter for logging in a preset client, and the second key is a key generated by encrypting the first key by using the first key parameter by the first user identity identification card and sent to a destination address;
the decryption module is used for decrypting the second key according to the first key parameter to obtain the first key;
and the configuration module is used for configuring a second user identity identification card according to the first key and the second key parameter under the condition of receiving the second key parameter sent by the terminal, so as to enable the terminal to log in the preset client through the second user identity identification card.
In order to achieve the above object, a sixth aspect of the present application provides a subscriber identity card, including:
the second receiving module is used for receiving a key retrieval instruction sent by an operator service server, wherein the key retrieval instruction is an instruction sent by the operator service server in response to a key retrieval request of a terminal;
a fourth sending module, configured to send an authentication request to the operator service server;
the second verification module is used for carrying out identity verification on the operator service server by using a preset destination address and a first key parameter built in the first user identity identification card;
the encryption module is used for encrypting the first key by using the first key parameter under the condition that the operator service server passes the identity verification, to obtain a second key;
and a fifth sending module, configured to send the second key to the destination address, so that the terminal obtains the second key from the destination address and provides the second key and the first key parameter to an operator security server, so that the operator security server decrypts the second key according to the first key parameter to obtain the first key and configures a second user identity card according to the first key and the second key parameter provided by the terminal, so that the terminal logs in to the preset client through the second user identity card.
The application has the following advantages:
The key retrieving method, the server and the user identity card provided by the application are characterized in that an operator service server responds to a key retrieving request sent by a terminal, sends a key retrieving instruction to a first user identity card, performs identity verification with the first user identity card according to a first key parameter and a preset destination address, and sends a verification passing message to an operator safety server under the condition of passing the identity verification. The method divides the server at the operator side into an operator business server and an operator security server, the operator business server executes the services such as identity verification, the operator security server executes the operations such as key decryption, and the security of the user key recovery process is ensured through the service division and the server division, so that the situations that lawbreakers maliciously acquire the user private key through operators and the user information and assets suffer loss are effectively reduced.
Detailed Description
The following describes specific embodiments of the present application in detail with reference to the drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the application, are not intended to limit the application.
As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used herein, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
When the terms "comprises" and/or "comprising," "including," are used in this specification, they specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present application and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The metaverse is a virtual world created and linked by technological means, which maps onto and interacts with the real world and provides a digital living space with a new social system. User information and assets in the metaverse exist in digital form, identification of the user depends on the user's private key (namely the secret key), and the user logs in to the metaverse client through the user identity identification card to view related information or conduct transactions.
Once the key is lost, the user's personal metaverse may collapse. In the related art, after the key is lost, the user can retrieve the key through the operator; but because the operator has absolute control over the key, lawbreakers can easily acquire the user's private key through the operator, which poses a large risk to the user's assets in the metaverse, so that the user's interests cannot be effectively ensured.
Based on this, in the embodiment of the present application, when retrieving the user key, the operator service server and the first user identification card perform the authentication, and after passing the authentication, the operator security server with higher security level completes the operations of key retrieval and new card configuration. Because the operation process and the operation result of the operator security server are not displayed outwards (including the operator service server), the security of information such as keys can be effectively ensured.
In a first aspect, an embodiment of the present application provides a key recovery method.
Fig. 1 is a flowchart of a key recovery method according to an embodiment of the present application, where the key recovery method may be applied to an operator service server. As shown in fig. 1, the key recovery method includes the steps of:
Step S101, a key retrieval instruction is sent to a first user identity identification card in response to a key retrieval request sent by a terminal.
The key finding request is a request sent by the terminal under the condition that the first user identity card is lost, a first key and a first key parameter for logging in a preset client are arranged in the first user identity card, and the key retrieving instruction is used for indicating the first user identity card to generate an identity verification request.
In some possible implementations, the first subscriber identity card is a SIM card (Subscriber Identity Module card), and the user embeds a first key and a first key parameter in the first subscriber identity card in advance, so that the user can log in to the preset client based on the first key. The preset client may be a metaverse client, and the first key parameter is a parameter for retrieving the first key, which may be a password, an authentication code, or the like.
In some possible implementations, after the user loses the first user identification card, the user sends a key recovery request to the operator service server in an online or offline manner. The operator service server instructs the terminal to provide identification information, and sends a key retrieval instruction to the first user identification card under the condition that the operator service server confirms that the user is a true and trusted user through the identification information. The identification information may be identification information of the user, or a security answer corresponding to a preset security question, etc., which is not limited in the embodiment of the present application.
It should be noted that, the operator service server sends the key retrieval instruction to the first subscriber identity card through the signaling channel, and the key retrieval instruction can be received as long as the terminal where the first subscriber identity card is located is in a power-on state.
It should be further noted that the current implementation body is an operator service server, and for an operator, the current implementation body further includes an operator security server. In general, the service server of the operator is mainly used for executing conventional services, the security server of the operator is used for executing services with higher security level, and the operation process and the operation result of the security server of the operator are not displayed outwards, so that the security of related information is ensured.
Step S102, under the condition that an authentication request returned by the first user identity card is received, an information acquisition request is sent to the terminal.
In some possible implementations, after the first subscriber identity module card receives the key retrieval instruction, the validity of the operator service server needs to be determined through an authentication operation, so as to avoid that a third party illegally steals the key by means of the identity of the operator service server.
In one example, the first subscriber identity card sends an authentication request to the operator business server in response to the key retrieval instruction. And the operator service server sends an information acquisition request to the terminal under the condition of receiving the authentication request. The information acquisition request may carry an explanation of the information to be acquired. For example, the first key parameter and the destination address need to be acquired.
It should be appreciated that if the key retrieval instruction is not an instruction sent by the operator service server, the operator service server may no longer respond to the authentication request and may send a reminder message to the corresponding terminal.
Step S103, receiving a first key parameter returned by the terminal and a preset destination address.
In some possible implementations, if the scenario is online, the terminal returns the first key parameter and the preset destination address to the operator service server through the mobile communication network or other communication networks. Wherein the destination address may be a mailbox or other specified address.
In some possible implementations, if the scenario is offline, the operator business server instructs the user to input related information, and the user inputs the first key parameter and the destination address through the secure keyboard.
In some possible implementations, the destination address is a specified address built into the first subscriber identity card, or the destination address is a temporary address provided by the terminal. In case the destination address is a temporary address provided by the terminal, the method further comprises, after step S102, the operator service server sending the destination address to the first subscriber identity card.
Step S104, according to the first key parameter and the destination address, the identity authentication is carried out with the first user identity card.
In some possible implementations, the operator service server encrypts the destination address using the first key parameter, obtains a first encryption result, and sends the first encryption result to the first subscriber identity card. The first user identity identification card encrypts the destination address according to the first key parameter in the first user identity identification card to obtain a second encryption result, obtains an identity verification result according to the first encryption result and the second encryption result, and then sends the identity verification result to the service server of the operator. And the operator service server receives an identity verification result returned by the first user identity identification card and determines whether the identity verification is passed or not according to the identity verification result.
In one example, the first encryption result is a result obtained by the operator service server encrypting the destination address using the first key parameter according to a pre-agreed encryption algorithm. For example, the first encryption result C1 = E_PWD(addr), where PWD is the first key parameter provided by the terminal, addr is the destination address, and E() represents the encryption algorithm. Correspondingly, the second encryption result is obtained by the first user identity identification card encrypting the destination address according to the preset encryption algorithm using the built-in first key parameter. For example, the second encryption result C2 = E_PWD'(addr'), where PWD' is the built-in first key parameter, addr' is the destination address corresponding to the first subscriber identity module card, and E() represents the encryption algorithm. When C1 and C2 are the same, the first user identification card determines that the verification is passed, and when C1 and C2 are different, the first user identification card determines that the verification is not passed.
It should be noted that if the terminal is a legal terminal, the PWD provided by the terminal should be the same as the PWD' built in the first identity card, and addr should be the same as addr'.
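The challenge-response exchange of the example above (the operator service server computes C1 = E_PWD(addr) from the terminal-supplied values, the first SIM card recomputes C2 = E_PWD'(addr') from its built-in values, and verification passes only when the two match), written out as an added Python example that is not part of the application. The application does not name the algorithm E(); here a PBKDF2-stretched HMAC-SHA256 over the destination address stands in for it, and a random challenge chosen by the card is mixed in as an assumption so that a captured C1 cannot be replayed in a later retrieval attempt. The card compares the two results in constant time.

```python
import hashlib
import hmac
import os

# Assumed parameters (the application names neither a KDF nor an iteration count).
PBKDF2_ITERATIONS = 100_000
CHALLENGE_LEN = 16


def derive_auth_key(pwd: str, challenge: bytes) -> bytes:
    """Stretch the first key parameter PWD into a 32-byte MAC key, bound to
    the card-chosen challenge so each authentication run uses a fresh key."""
    return hashlib.pbkdf2_hmac(
        "sha256", pwd.encode("utf-8"), challenge, PBKDF2_ITERATIONS, dklen=32
    )


def encrypt_address(pwd: str, addr: str, challenge: bytes) -> bytes:
    """E_PWD(addr): a deterministic keyed MAC over the destination address
    stands in for the pre-agreed encryption algorithm E() of the application."""
    key = derive_auth_key(pwd, challenge)
    return hmac.new(key, addr.encode("utf-8"), hashlib.sha256).digest()


def sim_card_issue_challenge() -> bytes:
    """Step S302 (assumed form): the first SIM card's authentication request
    carries a random challenge that the service server must answer."""
    return os.urandom(CHALLENGE_LEN)


def service_server_first_result(pwd_from_terminal: str, addr_from_terminal: str,
                                challenge: bytes) -> bytes:
    """Step S104, service server side: C1 = E_PWD(addr) from the PWD and addr
    that the terminal returned in step S103."""
    return encrypt_address(pwd_from_terminal, addr_from_terminal, challenge)


def sim_card_verify(c1: bytes, pwd_builtin: str, addr_builtin: str,
                    challenge: bytes) -> bool:
    """Step S303, card side: C2 = E_PWD'(addr') from the built-in PWD' and
    addr'; pass only when C1 == C2.  compare_digest keeps the comparison
    constant-time so the mismatch position does not leak through timing."""
    c2 = encrypt_address(pwd_builtin, addr_builtin, challenge)
    return hmac.compare_digest(c1, c2)


def run_authentication(pwd_from_terminal: str, addr_from_terminal: str,
                       pwd_builtin: str, addr_builtin: str) -> bool:
    """Full exchange: card issues the challenge, server answers with C1,
    card recomputes C2 and returns the verification result."""
    challenge = sim_card_issue_challenge()
    c1 = service_server_first_result(pwd_from_terminal, addr_from_terminal, challenge)
    return sim_card_verify(c1, pwd_builtin, addr_builtin, challenge)


if __name__ == "__main__":
    # Constructed sample values, not taken from the application.
    print("legal terminal:", run_authentication("s3cret", "user@example.test",
                                                "s3cret", "user@example.test"))
    print("wrong PWD:     ", run_authentication("guess", "user@example.test",
                                                "s3cret", "user@example.test"))
```

Because the challenge feeds the key derivation, the card never learns whether PWD or addr was the wrong input, only that C1 did not match; that is the behaviour the application describes (verification simply "not passed"), and it avoids giving a caller an oracle on which of the two values was correct.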
Step S105, in the case of passing the authentication, transmits an authentication passing message to the operator security server.
In some possible implementation manners, the operator security server receives the second key and the first key parameter sent by the terminal, decrypts the second key according to the first key parameter to obtain the first key, configures the second user identification card according to the first key and the second key parameter sent by the terminal, enables the terminal to log in the preset client through the second user identification card, and the second key is a key generated by encrypting the first key by the first user identification card by using the first key parameter and sent to the destination address.
Fig. 2 is a flowchart of a key recovery method according to an embodiment of the present application, where the key recovery method may be applied to an operator security server. As shown in fig. 2, the key recovery method includes the steps of:
Step S201, in response to the authentication passing message sent by the operator service server, the second key and the first key parameter provided by the terminal are obtained.
The authentication pass message is a message sent by the operator service server under the condition of passing the identity authentication of the first user identity card, the first user identity card is internally provided with a first key and a first key parameter for logging in a preset client, and the second key is a key which is generated by encrypting the first key by the first user identity card by using the first key parameter and is sent to a destination address.
In some possible implementations, in the case that the operator service server passes the authentication by the first subscriber identity card, the first subscriber identity card encrypts the first key using the first key parameter, generates a second key, and sends the second key to the destination address. Since the destination address is an address agreed upon by the user (terminal) with the first user identification card, the user (terminal) can obtain the second key from the destination address. After the second key is obtained, in the online scenario the user sends the second key and the first key parameter to the operator security server through the terminal, and in the offline scenario the user inputs the second key and the first key parameter to the operator security server through the secure keyboard.
It should be noted that the operator service server cannot acquire information such as the second key, so that the information security of the user is ensured to a certain extent, thereby ensuring the asset security of the user in the metaverse system.
Step S202, the second key is decrypted according to the first key parameter to obtain the first key.
In some possible implementations, the second key SK' = F_PWD'(SK), where SK represents the first key, PWD' is the first key parameter built into the card, and F() represents the corresponding encryption algorithm. Correspondingly, the operator security server adopts the decryption algorithm corresponding to F() and decrypts SK' using the first key parameter PWD provided by the terminal, thereby obtaining the first key SK.
Step S203, under the condition that the second key parameter provided by the terminal is obtained, the second user identity identification card is configured according to the first key and the second key parameter, so that the terminal logs in the preset client through the second user identity identification card.
In some possible implementations, the second key parameter is a new key parameter; if the second user identity card is lost later, the first key is retrieved by performing the above key retrieval method again based on the second key parameter.
In some possible implementations, the second subscriber identity card is a new SIM card, and after the SIM card is configured according to the first key and the second key parameters, the final second subscriber identity card is obtained. And the terminal downloads the appointed client based on the second user identity identification card and logs in the client by using a first secret key built in the card.
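Steps S201 to S203 as an added Python example (not the application's own code): the first SIM card's wrapping SK' = F_PWD'(SK), the operator security server's unwrapping of SK' with the PWD supplied by the terminal, and the provisioning of the second card with SK and the second key parameter. The application does not name F(); the construction used here (a PBKDF2-derived XOR keystream under a fresh random salt, authenticated by an HMAC-SHA256 tag) and the dict standing in for the card's secure storage are assumptions. The unwrap returns None when the tag does not verify, so a wrong first key parameter or a tampered SK' yields no key at all rather than a wrong one being written into the new card.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters; the application names no KDF, salt size or tag length.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
TAG_LEN = 32


def derive_material(pwd: str, salt: bytes, length: int) -> bytes:
    """Stretch a key parameter into `length` bytes of key material."""
    return hashlib.pbkdf2_hmac(
        "sha256", pwd.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=length
    )


def wrap_first_key(sk: bytes, pwd_builtin: str) -> bytes:
    """Step S304 on the first SIM card: SK' = F_PWD'(SK).
    Output layout: salt || SK XOR keystream || HMAC tag."""
    salt = os.urandom(SALT_LEN)
    material = derive_material(pwd_builtin, salt, len(sk) + TAG_LEN)
    keystream, mac_key = material[:len(sk)], material[len(sk):]
    body = bytes(a ^ b for a, b in zip(sk, keystream))
    tag = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    return salt + body + tag


def unwrap_first_key(sk_prime: bytes, pwd_from_terminal: str) -> Optional[bytes]:
    """Step S202 on the operator security server: recover SK from SK' using
    the PWD the terminal provided.  Verify the tag before touching the body."""
    if len(sk_prime) < SALT_LEN + TAG_LEN + 1:
        return None
    salt = sk_prime[:SALT_LEN]
    body = sk_prime[SALT_LEN:-TAG_LEN]
    tag = sk_prime[-TAG_LEN:]
    material = derive_material(pwd_from_terminal, salt, len(body) + TAG_LEN)
    keystream, mac_key = material[:len(body)], material[len(body):]
    expected = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # PWD != PWD', or SK' was altered on its way to the server
    return bytes(a ^ b for a, b in zip(body, keystream))


def configure_second_card(sk: bytes, pwd2: str) -> dict:
    """Step S203: provision the new SIM with the recovered first key and the
    second key parameter (a dict stands in for the card's secure storage)."""
    return {"first_key": sk, "key_parameter": pwd2}


def client_login(card: dict, expected_sk: bytes) -> bool:
    """The preset client accepts the card when its built-in first key matches."""
    return hmac.compare_digest(card["first_key"], expected_sk)


def rewrap_for_retrieval(card: dict) -> bytes:
    """If the second card is lost in turn, it wraps SK under the second key
    parameter, so the next retrieval must present that parameter."""
    return wrap_first_key(card["first_key"], card["key_parameter"])


if __name__ == "__main__":
    # Constructed sample values, not taken from the application.
    sk = os.urandom(32)
    sk_prime = wrap_first_key(sk, "s3cret")          # card -> destination address
    recovered = unwrap_first_key(sk_prime, "s3cret")  # security server
    new_card = configure_second_card(recovered, "n3w-s3cret")
    print("login with new card:", client_login(new_card, sk))
    print("wrong PWD recovers:", unwrap_first_key(sk_prime, "guess"))
```

The fresh salt means the same SK wrapped twice produces two unrelated SK' values, so a second key left at an old destination address does not reveal anything about a later one; and because the service server only ever sees the verification result, not SK', the separation of duties the application relies on (verification on the service server, decryption on the security server) holds in code as well.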
Fig. 3 is a flowchart of a key recovery method according to an embodiment of the present application, where the key recovery method may be applied to a first subscriber identity card, and the first subscriber identity card has a first key and a first key parameter for logging in a preset client. As shown in fig. 3, the key recovery method includes the steps of:
step S301, a key retrieval instruction sent by an operator service server is received.
The key retrieval instruction is an instruction sent by the service server of the operator in response to the key retrieval request of the terminal.
In some possible implementations, the operator service server sends the key retrieval instruction through a signaling channel. The key retrieval instruction can be received as long as the terminal where the first user identification card is located is in a powered-on state.
Step S302, an authentication request is sent to the operator service server.
In some possible implementations, after the first subscriber identity module card receives the key retrieval instruction, the validity of the operator service server needs to be determined through an authentication operation, so as to avoid that a third party illegally steals the key by means of the identity of the operator service server.
In one example, the authentication request may take the form of a challenge and response. For example, the first subscriber identity module card sends a challenge to the operator service server, which is required to encrypt the destination address using the first key parameter to obtain a first encryption result and return the first encryption result to the first subscriber identity module card.
Step S303, the identity of the operator server is verified by using the preset destination address and the first key parameter built in the first user identity card.
In some possible implementations, the destination address is a specified address built into the first subscriber identity card, or the destination address is a temporary address provided by the terminal. Under the condition that the destination address is a temporary address provided by the terminal, the operator service server needs to send the destination address provided by the terminal to the first user identification card through a signaling channel so that the first user identification card can execute the authentication and subsequent operations based on the destination address, and when the destination address is a specified address built in the first user identification card, the first user identification card can directly execute the authentication and subsequent operations by using the specified address.
In some possible implementations, the operator service server encrypts the destination address using the first key parameter, obtains a first encryption result, and sends the first encryption result to the first subscriber identity card. The first user identity identification card encrypts the destination address according to the first key parameter in the first user identity identification card to obtain a second encryption result, obtains an identity verification result according to the first encryption result and the second encryption result, and then sends the identity verification result to the service server of the operator. And the operator service server receives an identity verification result returned by the first user identity identification card and determines whether the identity verification is passed or not according to the identity verification result.
In one example, the first encryption result is a result obtained by the operator service server encrypting the destination address using the first key parameter according to a pre-agreed encryption algorithm. For example, the first encryption result C1 = E_PWD(addr), where PWD is the first key parameter, addr is the destination address, and E() represents the encryption algorithm. Correspondingly, the second encryption result is obtained by the first user identity identification card encrypting the destination address according to the preset encryption algorithm using the built-in first key parameter. For example, the second encryption result C2 = E_PWD'(addr'), where PWD' is the built-in first key parameter, addr' is the destination address corresponding to the first subscriber identity module card, and E() represents the encryption algorithm. When C1 and C2 are the same, the first user identification card determines that the verification is passed, and when C1 and C2 are different, the first user identification card determines that the verification is not passed.
Step S304, in case that the service server of the operator passes the identity verification, the first key is encrypted by using the first key parameter to obtain the second key.
In some possible implementations, the second key SK' = F_PWD'(SK), where SK denotes the first key, PWD' is the first key parameter built into the card, and F() denotes the corresponding encryption algorithm.
Step S305, the second key is sent to the destination address.
In some possible implementations, since the destination address is an address agreed upon between the user (terminal) and the first subscriber identity card, the user (terminal) can obtain the second key from the destination address. After obtaining the second key, the user sends the second key and the first key parameter to the operator security server through the terminal in the online scenario, or inputs the second key and the first key parameter to the operator security server through a security keyboard in the offline scenario. The operator security server decrypts the second key with the first key parameter according to a preset decryption algorithm to obtain the first key, and configures the second user identity identification card according to the first key and the second key parameter provided by the terminal. The terminal then downloads the designated client based on the second user identity identification card and logs in to the client using the first key built into the card.
The above division of the method into steps is only for clarity of description; when implemented, the steps may be combined into one step or split into multiple steps, so long as they include the same logical relationship, and all such steps are within the protection scope of the patent. Adding insignificant modifications or introducing insignificant designs to the algorithm or the process, without changing the core design of the algorithm and the process, is likewise within the protection scope of the patent.
In a second aspect, an embodiment of the present application provides an operator service server, an operator security server, and a subscriber identity module card.
Fig. 4 is a block diagram of an operator service server according to an embodiment of the present application. As shown in fig. 4, the operator service server includes the following modules:
the first sending module 401 is configured to send a key retrieval instruction to the first subscriber identity module card in response to a key retrieval request sent by the terminal.
The key retrieval request is a request sent by the terminal under the condition that the first user identity card is lost, a first key and a first key parameter for logging in to a preset client are arranged in the first user identity card, and the key retrieval instruction is used for instructing the first user identity card to generate an identity verification request.
And the second sending module 402 is configured to send an information acquisition request to the terminal when receiving an authentication request returned by the first subscriber identity module.
The first receiving module 403 is configured to receive a first key parameter and a preset destination address returned by the terminal.
In some possible implementations, the destination address is a specified address built into the first subscriber identity card, or the destination address is a temporary address provided by the terminal. In the case that the destination address is a temporary address provided by the terminal, the operator service server needs to send the destination address provided by the terminal to the first subscriber identity card through the signaling channel.
The first verification module 404 is configured to perform identity verification with the first subscriber identity card according to the first key parameter and the destination address.
In some possible implementations, the first verification module 404 includes a first encryption unit, a first sending unit, a first receiving unit, and a result determining unit. The first encryption unit is used for encrypting the destination address with the first key parameter to obtain a first encryption result; the first sending unit is used for sending the first encryption result to the first user identity identification card so that the first user identity identification card can obtain an identity verification result according to the first encryption result and a second encryption result, the second encryption result being obtained by the first user identity identification card encrypting the destination address according to the first key parameter; the first receiving unit is used for receiving the identity verification result returned by the first user identity identification card; and the result determining unit is used for determining whether the identity verification is passed according to the identity verification result.
And the third sending module 405 is configured to send a verification passing message to the operator security server under the condition of passing the identity verification, so that the operator security server receives the second key and the first key parameter sent by the terminal, decrypts the second key according to the first key parameter to obtain the first key, configures the second user identity card according to the first key and the second key parameter sent by the terminal, and enables the terminal to log in the preset client through the second user identity card, and the second key is a key generated by encrypting the first key by using the first key parameter by the first user identity card and sent to the destination address.
Fig. 5 is a block diagram of an operator security server according to an embodiment of the present application. As shown in fig. 5, the operator security server includes the following modules:
an obtaining module 501, configured to obtain the second key and the first key parameter provided by the terminal in response to the authentication passing message sent by the operator service server.
The authentication pass message is a message sent by the operator service server under the condition of passing the identity authentication of the first user identity card, the first user identity card is internally provided with a first key and a first key parameter for logging in a preset client, and the second key is a key which is generated by encrypting the first key by the first user identity card by using the first key parameter and is sent to a destination address.
The decryption module 502 is configured to decrypt the second key according to the first key parameter to obtain the first key.
And the configuration module 503 is configured to configure the second user identification card according to the first key and the second key parameter under the condition of receiving the second key parameter sent by the terminal, so that the terminal logs in the preset client through the second user identification card.
Fig. 6 is a block diagram of a subscriber identity module card according to an embodiment of the present application. As shown in fig. 6, the subscriber identity card includes the following modules:
A second receiving module 601, configured to receive a key retrieval instruction sent by an operator service server.
The key retrieval instruction is an instruction sent by the service server of the operator in response to the key retrieval request of the terminal.
A fourth sending module 602, configured to send an authentication request to the operator service server.
The second verification module 603 is configured to perform identity verification on the operator service server using a preset destination address and a first key parameter that is built in the first subscriber identity module card.
In some possible implementations, the second verification module 603 includes a second receiving unit, a second encryption unit, a verification unit, and a second sending unit. The second receiving unit is used for receiving a first encryption result sent by the operator service server, the first encryption result being obtained by encrypting the destination address provided by the terminal with the first key parameter provided by the terminal; the second encryption unit is used for encrypting the destination address according to the built-in first key parameter to obtain a second encryption result; the verification unit is used for obtaining an identity verification result according to the first encryption result and the second encryption result; and the second sending unit is used for sending the identity verification result to the operator service server.
The encryption module 604 is configured to encrypt the first key with the first key parameter to obtain the second key when the operator service server passes the authentication.
And a fifth sending module 605, configured to send the second key to the destination address, so that the terminal obtains the second key from the destination address, and provide the second key and the first key parameter to the operator security server, so that the operator security server decrypts the second key according to the first key parameter to obtain the first key, and configures the second user identification card according to the first key and the second key parameter provided by the terminal, so that the terminal logs in to the preset client through the second user identification card.
In some possible implementations, the destination address is a specified address built into the first subscriber identity card, or the destination address is a temporary address provided by the terminal. In the case that the destination address is a temporary address provided by the terminal, the operator service server needs to send the destination address provided by the terminal to the first subscriber identity card through the signaling channel.
In a third aspect, an embodiment of the present application provides a key recovery system.
Fig. 7 is a schematic diagram of a key recovery system according to an embodiment of the present application. As shown in fig. 7, the key recovery system includes a terminal 701, an operator security server 702, an operator service server 703, a destination address server 704, a first subscriber identity card 705, and a second subscriber identity card 706.
Referring to fig. 7, after losing the first subscriber identity card 705, the terminal 701 transmits a key retrieval request to the operator service server 703, and the operator service server 703 transmits a key retrieval instruction to the first subscriber identity card 705 through a signaling channel. The first subscriber identity card 705 performs identity verification with the operator service server 703, and in the case of passing the identity verification, the first subscriber identity card 705 encrypts the first key using the first key parameter built into the card and transmits the resulting second key to the destination address server 704 corresponding to the destination address, so that the terminal 701 obtains the second key from the destination address server 704. The operator security server 702 obtains the second key and the first key parameter from the terminal 701 in response to the authentication passing message sent by the operator service server 703, decrypts the second key according to the first key parameter to obtain the first key, and configures the second user identification card 706 according to the first key and the second key parameter provided by the terminal 701. The terminal 701 can then log in to the preset client using the second user identification card 706.
Fig. 8 is a schematic diagram of a working process of a key retrieving method according to an embodiment of the present application. As shown in fig. 8, the key recovery method includes the following steps:
in step S801, the terminal sends a key recovery request to the operator service server.
In step S802, the operator service server sends a key retrieval instruction to the first subscriber identity module card in response to the key retrieval request.
In step S803, the first subscriber identity module card sends an authentication request to the operator service server.
In step S804, the operator service server sends an information acquisition request to the terminal, and the terminal returns the first key parameter and the destination address to the operator service server.
In step S805, the operator service server encrypts the destination address using the first key parameter, to obtain a first encryption result.
In step S806, the operator service server sends the first encryption result to the first subscriber identity module card.
In step S807, the first subscriber identity module card encrypts the preset destination address according to the first key parameter to obtain a second encryption result, and obtains an authentication result according to the first encryption result and the second encryption result.
In step S808, the first subscriber identity module card sends the authentication result to the operator service server.
Step S809, in the case that the operator service server passes the authentication, the first subscriber identity module card encrypts the first key with the first key parameter to obtain the second key.
In step S810, the first subscriber identity module card sends the second key to the destination address server.
In step S811, in the case where the operator service server passes the authentication, the operator service server transmits an authentication passing message to the operator security server.
In step S812, the operator security server transmits an information acquisition instruction to the terminal in response to the authentication pass message.
In step S813, the terminal acquires the second key from the destination address server in response to the information acquisition instruction.
In step S814, the terminal transmits the second key and the first key parameter to the operator security server.
In step S815, the operator security server decrypts the second key according to the first key parameter to obtain the first key.
In step S816, the operator security server configures the second user identification card according to the first key and the second key parameter sent by the terminal, so that the terminal logs in to the preset client through the second user identification card.
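The S303 to S305 primitives described earlier (C1 = E_PWD(addr) compared with C2 = E_PWD'(addr'), then SK' = F_PWD'(SK)) and the S801 to S816 exchange above, simulated end to end as a stand-alone example added here; this is not code from the patent. The patent names E() and F() but fixes no algorithm, so the example assumes E() is HMAC-SHA256 keyed by the first key parameter and F() is a PBKDF2-derived key driving an HMAC-SHA256 counter-mode stream cipher with an authentication tag; the party classes, the function names and the sample key, parameter and address values are all constructed for the example.

```python
import hashlib
import hmac
import os

# ---- assumed primitives: the patent names E() and F() but fixes no algorithm ----

def E(pwd: bytes, addr: bytes) -> bytes:
    """E_PWD(addr): keyed hash of the destination address under the first key parameter."""
    return hmac.new(pwd, addr, hashlib.sha256).digest()

def _keys(pwd: bytes, salt: bytes):
    """Derive an encryption key and a MAC key from PWD with PBKDF2 (assumption)."""
    k = hashlib.pbkdf2_hmac("sha256", pwd, salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(k_enc: bytes, salt: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; XOR is its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k_enc, salt + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def F(pwd: bytes, sk: bytes) -> bytes:
    """F_PWD'(SK): encrypt-then-MAC the first key; output is salt || ciphertext || tag."""
    salt = os.urandom(16)
    k_enc, k_mac = _keys(pwd, salt)
    ct = _xor_stream(k_enc, salt, sk)
    return salt + ct + hmac.new(k_mac, salt + ct, hashlib.sha256).digest()

def F_inv(pwd: bytes, blob: bytes) -> bytes:
    """Inverse of F; a wrong PWD or a tampered blob is rejected instead of yielding garbage."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k_enc, k_mac = _keys(pwd, salt)
    if not hmac.compare_digest(tag, hmac.new(k_mac, salt + ct, hashlib.sha256).digest()):
        raise ValueError("second key rejected: wrong first key parameter or tampered data")
    return _xor_stream(k_enc, salt, ct)

# ---- the parties of Fig. 7 (hypothetical class names) ----

class DestinationAddressServer:
    """Server 704: holds the second key at the destination address for one-time pickup."""
    def __init__(self):
        self.mailbox = {}

class FirstSubscriberIdentityCard:
    """Card 705: holds SK and PWD' and never releases SK unencrypted."""
    def __init__(self, sk, pwd, builtin_addr=None):
        self.sk, self.pwd, self.addr = sk, pwd, builtin_addr

    def on_retrieval_instruction(self, temp_addr):      # S802 -> S803
        # A temporary address is forwarded by the service server over the signaling channel
        if temp_addr is not None:
            self.addr = temp_addr
        return "identity_verification_request"

    def verify(self, c1: bytes) -> bool:                # S807: compare C1 with C2
        c2 = E(self.pwd, self.addr)
        return hmac.compare_digest(c1, c2)

    def publish_second_key(self, dest):                 # S809-S810
        dest.mailbox[self.addr] = F(self.pwd, self.sk)

def run_recovery(card, dest, pwd_entered, addr_given, temp_addr=None, second_params=b"P2"):
    """Drive S801-S816; return the profile for the second card, or None if verification fails."""
    assert card.on_retrieval_instruction(temp_addr) == "identity_verification_request"  # S801-S803
    c1 = E(pwd_entered, addr_given)                    # S804-S805: service server computes C1
    if not card.verify(c1):                            # S806-S808
        return None                                    # nothing is ever sent to the destination address
    card.publish_second_key(dest)                      # S809-S810
    blob = dest.mailbox.pop(addr_given)                # S811-S813: terminal fetches the second key
    sk = F_inv(pwd_entered, blob)                      # S814-S815: security server recovers SK
    return {"first_key": sk, "second_key_parameter": second_params}   # S816

# Constructed sample values (not from the patent)
SK = b"example-first-key-32-bytes-long!"
PWD = b"correct-horse-battery"
ADDR = b"mailto:recovery@example.invalid"

def demo() -> dict:
    card = FirstSubscriberIdentityCard(SK, PWD, builtin_addr=ADDR)
    dest = DestinationAddressServer()
    ok = run_recovery(card, dest, PWD, ADDR)
    bad = run_recovery(card, dest, b"wrong", ADDR)
    card2 = FirstSubscriberIdentityCard(SK, PWD)      # no built-in address: terminal supplies one
    tmp = run_recovery(card2, DestinationAddressServer(), PWD, b"tmp://1", temp_addr=b"tmp://1")
    try:
        F_inv(b"wrong", F(PWD, SK))
        rejected = False
    except ValueError:
        rejected = True
    return {"recovered": ok["first_key"] == SK, "wrong_pwd_result": bad,
            "wrong_pwd_leaks": bool(dest.mailbox), "temporary_addr": tmp["first_key"] == SK,
            "wrong_pwd_rejected_at_s815": rejected}

if __name__ == "__main__":
    print(demo())
```

Two properties of the flow are worth checking in the simulation: a first key parameter that does not match the card's built-in one fails at S807, so the card never publishes a second key to the destination address; and because the assumed F() carries a tag, the operator security server can reject a wrong parameter at S815 rather than configuring the second card with a garbage first key.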
The functions or modules included in the apparatus provided by the embodiments of the present application may be used to perform the method described in the method embodiment of the first aspect, and the specific implementation and technical effects thereof may refer to the description of the method embodiment of the foregoing, which is not repeated herein for brevity.
In this embodiment, each module is a logic module, and in practical application, one logic unit may be one physical unit, or may be a part of one physical unit, or may be implemented by a combination of a plurality of physical units. In addition, in order to highlight the innovative part of the present application, units that are not so close to solving the technical problem presented by the present application are not introduced in the present embodiment, but this does not indicate that other units are not present in the present embodiment.
Fig. 9 is a block diagram of an electronic device according to an embodiment of the present application.
Referring to fig. 9, an embodiment of the present application provides an electronic device including:
One or more processors 901;
a memory 902 having one or more programs stored thereon, which when executed by one or more processors cause the one or more processors to implement the key recovery method of any of the above;
one or more I/O interfaces 903, coupled between the processor and the memory, are configured to enable information interaction of the processor with the memory.
The processor 901 is a device with data processing capability, including but not limited to a central processing unit (CPU); the memory 902 is a device with data storage capability, including but not limited to random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM) and flash memory (FLASH); and the I/O interface 903 is connected between the processor 901 and the memory 902 to enable information interaction between the processor 901 and the memory 902, including but not limited to a data bus (Bus), etc.
In some embodiments, processor 901, memory 902, and I/O interface 903 are connected to each other via a bus, which in turn connects to other components of the computing device.
The present embodiment also provides a computer readable medium, on which a computer program is stored, where the program when executed by a processor implements the key recovery method provided in the present embodiment, and in order to avoid repetitive description, specific steps of the key recovery method are not described herein.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods of the invention described above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components, for example, one physical component may have a plurality of functions, or one function or step may be cooperatively performed by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. 
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the embodiments and form different embodiments.
It is to be understood that the above embodiments are merely illustrative of the application of the principles of the present application, but not in limitation thereof. Various modifications and improvements may be made by those skilled in the art without departing from the spirit and substance of the application, and are also considered to be within the scope of the application.