A terminal device and method for cloud SIM communication
By dividing the processor's operating environment into secure and insecure operating environment zones, and using a parallel and independent design with encrypted interface communication, the vulnerability of the soft SIM card function in cloud SIM communication is solved, thereby improving security and the overall security of the device.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- TIANJIN ROAMWIFI TECH
- Filing Date
- 2022-10-18
- Publication Date
- 2026-07-07
AI Technical Summary
In existing cloud SIM communication, applications with soft SIM card functionality are vulnerable to attacks such as memory reading and program decompilation, resulting in insufficient security.
The processor's operating environment is divided into a secure operating environment zone and a non-secure operating environment zone. The secure operating environment zone and the non-secure operating environment zone operate in parallel and are independent of each other. They communicate with each other through an encrypted interface. The secure operating environment zone deploys an application that simulates a soft SIM card to provide secure access and protection.
It improves the security of cloud SIM communication, protects the application of soft SIM card function and the generated soft SIM card from attacks, and balances device cost and security requirements.
Smart Images

Figure CN115643582B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of mobile communication technology, and in particular to a terminal device and method for cloud SIM communication. Background Technology
[0002] Currently, with the number of people traveling and working abroad increasing year by year, outbound users have become a significant user group. Convenient and affordable mobile device services for making calls and accessing the internet abroad have become a major demand for these users. To reduce international roaming fees, users can obtain communication services such as data internet access, sending and receiving text messages, and making and receiving calls through terminal devices like MiFi devices. One type of terminal device, such as a MiFi device, is a portable broadband wireless device that integrates the functions of a modem, router, and access point.
[0003] Figure 1 This is a schematic diagram of a communication system based on cloud SIM technology. SIM stands for Subscriber Identification Module, and its main function is to provide identification information, i.e., deployment data, when mobile terminal devices communicate with the network. Figure 1 In this system, after the terminal device 101 of a MiFi device is powered on, it establishes a connection with the cloud server 102 through its built-in boot card (which can be called a seed SIM card; if multiple seed SIM cards are deployed in the terminal device 101, these multiple seed SIM cards can be called group cards). The cloud server 102 intelligently schedules the optimal SIM card (which can be called a production card) from the cloud card pool 103 based on information such as the location and usage of the terminal device 101 to provide communication services for the terminal device 101. When the end user needs to make or receive calls, send or receive text messages, or access the internet without roaming, they can establish a connection with the GoIP device 105 through an APP on the user terminal device 104, such as a mobile phone, to exchange data and achieve roaming-free communication, thereby reducing international roaming fees.
[0004] However, in current technology, after the cloud-based card pool 103 sends the card production information to the terminal device 101, the terminal device 101 generates a program to implement the soft SIM card function based on the card production information. The generated soft SIM card is then directly deployed in the device's memory and disk, making it vulnerable to attacks such as memory access and program decompilation. Therefore, improving the security of cloud SIM communication is worth studying. Summary of the Invention
[0005] This application provides a terminal device and method for cloud SIM communication, which can improve the security of cloud SIM communication and protect the application that implements the soft SIM card function and the soft SIM card it generates from attacks by techniques such as memory reading and program decompilation.
[0006] In a first aspect, this application provides a terminal device for cloud SIM communication, the terminal device including a transmission module and a processor;
[0007] The processor's operating environment includes a secure operating environment zone and a non-secure operating environment zone. The secure operating environment zone and the non-secure operating environment zone run in parallel and are independent of each other. The non-secure operating environment zone communicates with the secure operating environment zone through an interface that is a portable interface that provides encryption operations. The secure operating environment zone is used to provide secure deployment of data and secure access to applications.
[0008] The secure operating environment zone is used to deploy applications that simulate soft SIM cards and provides secure access to these applications. These applications are used to simulate the generation of soft SIM cards, which include production cards or seed SIM cards.
[0009] The first main program is deployed in an insecure operating environment area to enable terminal devices to access the operator network and communicate with the cloud server through the application of the soft SIM card.
[0010] The transmission module is used for data transmission between the main program and the cloud server.
[0011] In one example, the secure operating environment zone is also used to deploy seed SIM card information and provide protection for the seed SIM card information.
[0012] In one example, the secure operating environment contains a first sub-partition and a second sub-partition. The first and second sub-partitions run in parallel and are independent of each other. The seed SIM card information is deployed in the first sub-partition, and the application that simulates the soft SIM card is deployed in the second sub-partition.
[0013] In one example, the secure runtime environment zone deployment manager manages the scheduling of threads in the first sub-partition and the second sub-partition, and is also used for communication between the first and second sub-partitions.
[0014] In one example, the secure runtime environment also includes a third sub-partition, which runs in parallel with and independently of the first sub-partition, and in parallel with and independently of the second sub-partition. The third sub-partition is used to provide security services. The secure runtime environment is used to provide secure deployment of data and secure access to applications, including:
[0015] The secure operating environment zone is used to provide secure deployment of data and secure access to applications based on security services.
[0016] In one example, the secure operating environment zone is implemented based on the platform security architecture, the first and second sub-partitions are implemented based on the application trust root service of the platform security architecture, and the third sub-partition is implemented based on the trust platform root service of the platform security architecture.
[0017] In one example, the secure operating environment contains a fourth subpartition, where information about the seed SIM card and applications that simulate a soft SIM card are deployed.
[0018] Secondly, this application provides a method for cloud SIM communication, utilizing the terminal device described in the above embodiments, the method comprising:
[0019] Terminal devices access the operator's network via a seed SIM card;
[0020] The first main program establishes a communication connection with the cloud server;
[0021] The first main program sends a first request message to the cloud server. The first request message is used to obtain information about the production card.
[0022] The first main program receives information about the production card from the cloud server;
[0023] The first main program sends the production card information to the application that simulates the soft SIM card through an interface, so that the application that simulates the soft SIM card can generate a production card based on the production card information. The production card is used for the terminal device to reconnect to the operator's network.
[0024] In one example, if the secure operating environment is also used to deploy and protect the seed SIM card information, the terminal device accesses the operator's network through the seed SIM card, including:
[0025] The first main program obtains the seed SIM card information through an interface;
[0026] The first main program uses the seed SIM card information to simulate the generation of a seed SIM card through an interface call to an application that simulates a soft SIM card, so that the terminal device can access the operator's network.
[0027] In one example, the method also includes:
[0028] The first main program re-establishes a communication connection with the cloud server;
[0029] The first main program sends a second request message to the cloud server. The second request message is used to release the production card.
[0030] The first main program uses an interface call to simulate a soft SIM card application in order to stop the production of the card.
[0031] As can be seen from the above embodiments, this application divides the processor's operating environment into a secure operating environment zone and a non-secure operating environment zone. The secure operating environment zone and the non-secure operating environment zone operate in parallel and independently. Since the non-secure operating environment zone communicates with the secure operating environment zone through an interface, but not directly with it, and this interface is a portable interface providing encryption operations, the security of data and applications in the secure operating environment zone is ensured. Furthermore, because they operate in parallel and independently, if the non-secure operating environment zone is attacked, it will not affect the data and applications in the secure operating environment zone. In addition, since protecting data and applications increases the hardware configuration requirements of the device, dividing the processor's operating environment into a secure operating environment zone and a non-secure operating environment zone can balance device cost and security requirements. Furthermore, in the communication process of cloud SIM, the application implementing the soft SIM card function involves personal privacy information and has high confidentiality requirements. Therefore, deploying the application implementing the soft SIM card function in the secure operating environment zone can provide secure access to the application implementing the soft SIM card function and protect the soft SIM card simulated by the application implementing the soft SIM card function. Attached Figure Description
[0032] To more clearly illustrate the technical solution of this application, the drawings used in the embodiments will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0033] Figure 1 This is a schematic diagram of a communication system based on cloud SIM technology;
[0034] Figure 2 This is a schematic diagram of a terminal device structure provided in an embodiment of this application;
[0035] Figure 3 This is another example of a terminal device structure provided in the embodiments of this application;
[0036] Figure 4 This is a schematic flowchart of cloud SIM communication provided in an embodiment of this application. Detailed Implementation
[0037] The embodiments of this application are described in detail below. Examples of these embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain this application, and should not be construed as limiting this application. It should be noted that, unless otherwise specified, the embodiments and features in the embodiments of this application can be combined with each other.
[0038] Those skilled in the art will understand that, unless specifically stated otherwise, the singular forms “a,” “an,” “the,” and “the” used herein may also include the plural forms. It should be further understood that the term “comprising” as used in this application means the presence of the stated features, integers, steps, operations, elements, and / or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and / or groups thereof. It should be understood that when we say an element is “connected” or “coupled” to another element, it can be directly connected or coupled to the other element, or there may be intermediate elements. Furthermore, “connected” or “coupled” as used herein can include wireless connections or wireless coupling. The term “and / or” as used herein includes all or any units and all combinations of one or more associated listed items.
[0039] To facilitate the subsequent description and to clearly explain this application, the following is a brief explanation of the concepts that may be used in this application.
[0040] In various embodiments of this application, a terminal device refers to a device that provides voice and / or data connectivity to a user, a handheld device with wireless connectivity, or other processing devices connected to a wireless modem. The terminal can be a mobile terminal, such as a mobile phone (or "cellular" phone) and a computer with a mobile terminal; for example, it can be a portable, pocket-sized, handheld, computer-embedded, or vehicle-mounted mobile device that exchanges voice and / or data with a wireless access network. Examples include MiFi devices, personal communication service (PCS) phones, cordless phones, personal digital assistants (PDAs), etc. It can also be a mobile station (MS), remote station (RS), access point (AP), remote terminal (RT), access terminal (AT), user terminal (UT), user agent (UA), user equipment, or user equipment (UE), and this application is not limiting.
[0041] Soft SIM cards: These rely on operating system software to implement SIM functionality (e.g., terminal devices can use analog Universal Integrated Circuit Card (UICC) services to achieve this function), without any actual physical chip present. Information on a soft SIM card can be erased or rewritten via software. Cloud SIM is a solution based on the concept of soft SIM.
[0042] Seed SIM Card: In the cloud SIM communication process provided in this application, the seed SIM card is used to establish the network connection required for authentication of the terminal device on the cloud server. The production card is only issued after successful authentication by the cloud server. The seed SIM card can be a group of multiple SIM cards, including SIM cards from multiple countries and operators. It can be a software SIM card or a physical card. In this application, the seed SIM card can be a group of cards and stored in the device's memory as a software SIM card. For example, the UICC service can generate a seed SIM card based on the information of the seed SIM card. The seed SIM card in this application can also be a physical card.
[0043] Production SIM: During cloud SIM communication, the cloud server intelligently schedules the optimal SIM card from the cloud SIM card pool based on information such as the location and usage of the terminal device to provide communication services for terminal device 101. The optimal SIM card is the production SIM card. For example, the cloud server sends production SIM card information to the terminal device, and the UICC service can generate a production SIM card based on this information.
[0044] The cloud server selects a seed SIM card from a set of seed SIM cards based on the terminal device's region and operator charges to establish a network connection between the terminal and the cloud server. Therefore, the established connection may be roaming or local (non-roaming). Then, a production SIM card is issued to the mobile terminal device, enabling the mobile terminal device 101 to access the operator's network using this production SIM card. The cloud server includes, but is not limited to, servers. The service configuration and business scale of the cloud server can be configured and flexibly adjusted according to user needs.
[0045] The production card in each embodiment of this application is a soft SIM card stored in the form of a soft card, which can be a SIM card information record. The information record may include information such as the International Mobile Subscriber Identification Number (IMSI), Integrated Circuit Card Identification (ICCID), Key Identifier (KI), and OPC (3G network authentication key, calculated from the authentication key and the operator's root key). The SIM card includes SIM cards, USIM cards, RUIM cards, and UIMD cards, etc. The production card generated by the UICC service can be called a soft SIM card, and the UICC service implements the soft SIM card function. The seed SIM card in this application includes information such as ICCID, IMSI, KI, and OPC.
[0046] Currently, with the increasing number of people traveling and working abroad, outbound users have become a significant user group. Convenient and affordable mobile phone connectivity for calls and internet access overseas has become a major demand for these users. Cloud SIM communication solutions can address the mobile service needs of domestic users abroad and can also be used for terminal devices to access local operator networks (i.e., the operator network in the user's region). This requires utilizing seed SIM card information and applications that implement soft SIM card functionality. Improving the security of seed SIM card information stored in mobile device software and enhancing the security of applications implementing soft SIM card functionality warrant further research.
[0047] Figure 2This is a schematic diagram of a terminal device structure provided in an embodiment of this application. The following is a description of a terminal device structure. Figure 2 This document describes the terminal device used for cloud SIM communication.
[0048] Terminal device 101 includes a transmission module 1011 and a processor 1012. The processor's operating environment includes a secure operating environment zone and a non-secure operating environment zone. The secure operating environment zone and the non-secure operating environment zone operate in parallel and independently. The non-secure operating environment zone communicates with the secure operating environment zone through an interface that is a portable interface providing encryption operations. The secure operating environment zone is used to provide secure deployment of data and secure access to applications.
[0049] The secure operating environment zone is used to deploy applications that simulate soft SIM cards and provides secure access to these applications, which are used to simulate the generation of soft SIM cards, including production cards or seed SIM cards.
[0050] For example, the application that simulates a soft SIM card can be a UICC service or other applications that implement soft SIM card functionality, and this application does not limit it.
[0051] The first main program is deployed in the non-secure operating environment area, which enables the terminal device to access the operator network and communicate with the cloud server 102 through the simulation of the soft SIM card deployed in the secure operating environment area.
[0052] The transmission module 1011 is used for data transmission between the first main program and the cloud server 102.
[0053] As can be seen from the above embodiments, this application divides the processor's operating environment into a secure operating environment zone and a non-secure operating environment zone. The secure operating environment zone and the non-secure operating environment zone operate in parallel and independently. Since the non-secure operating environment zone communicates with the secure operating environment zone through an interface, but not directly with it, and this interface is a portable interface providing encryption operations, the security of data and applications in the secure operating environment zone is ensured. Furthermore, because they operate in parallel and independently, if the non-secure operating environment zone is attacked, it will not affect the data and applications in the secure operating environment zone. In addition, since protecting data and applications increases the hardware configuration requirements of the device, dividing the processor's operating environment into a secure operating environment zone and a non-secure operating environment zone can balance device cost and security requirements. Furthermore, in the communication process of cloud SIM, the application simulating a soft SIM card involves personal privacy information and has high confidentiality requirements. Therefore, deploying the application simulating a soft SIM card in the secure operating environment zone can provide secure access to the application simulating a soft SIM card and protect the soft SIM card simulated by the application simulating a soft SIM card.
[0054] In the above embodiments, the seed SIM card can be a physical card, not requiring an application to simulate a soft SIM card for generation. The seed SIM card is placed in the card slot of the terminal device 101 as a physical card, used to establish the network connection required for authentication on the cloud server 102. The seed SIM card can also be generated by an application simulating a soft SIM card; therefore, in one example, the secure operating environment area is also used to deploy the seed SIM card information and provide protection for it. A schematic diagram of the terminal device structure in this example is shown below. Figure 3 As shown.
[0055] The above method further protects the information of the seed SIM card and improves the security of cloud SIM communication by deploying the seed SIM card information in a secure operating environment.
[0056] In one example, the secure operating environment contains a first sub-partition and a second sub-partition. The first and second sub-partitions run in parallel and are independent of each other. The seed SIM card information is deployed in the first sub-partition, and the application that simulates the soft SIM card is deployed in the second sub-partition.
[0057] In the above method, the seed SIM card information and the application that simulates the soft SIM card are deployed in two parallel and independent sub-partitions. If one sub-partition is physically attacked, the other sub-partition remains secure. This comprehensively improves the security of deploying the seed SIM card information and the application that simulates the soft SIM card, thereby further ensuring the security of users' privacy data.
[0058] In one example, the application that simulates a soft SIM card determines the seed SIM card or production card and stores it in a second sub-partition, or a different partition than the second sub-partition.
[0059] In one example, the secure runtime environment zone deployment manager manages the scheduling of threads in the first sub-partition and the second sub-partition, and is also used for communication between the first and second sub-partitions.
[0060] As further exemplified, the manager also uses the following methods for communication between the first sub-partition and the second sub-partition:
[0061] The manager receives information from the first sub-partition through its interface, and sends the same information to the second sub-partition through its interface. The first and second sub-partitions do not communicate directly; instead, they exchange information through the manager. This enhances the independence and security of the two sub-partitions, preventing an attack on one sub-partition from affecting the other.
[0062] In one example, the secure operating environment area also contains a third sub-partition, which runs in parallel with and independently of the first sub-partition, and runs in parallel with and independently of the second sub-partition. The third sub-partition is used to provide security services.
[0063] The secure operating environment zone is used to provide secure deployment of data and secure access to applications, including:
[0064] The secure operating environment zone is used to provide secure deployment of data and secure access to applications based on the security services mentioned above.
[0065] In the above method, the third sub-partition is responsible for providing security services to implement the security functions of the secure operating environment zone. The third sub-partition is isolated from the first and second sub-partitions, which ensures the independence and security of the three, and facilitates the manager's management of the security services in the third sub-partition.
[0066] In one example, the secure operating environment zone is implemented based on the Platform Security Architecture (PSA), the first and second sub-partitions are implemented based on the application trust root service of the PSA, and the third sub-partition is implemented based on the trust platform root service of the PSA.
[0067] In this example, the manager provides secure application trust roots and trust platform roots (also known as PSA trust roots), and the interfaces mentioned above are PSA Functional APIs. The PSA trust root includes several PSA RoT services, which provide access to the underlying trust root secrets.
[0068] For example, the PSA RoT service - Crypto Ooerrtions - provides a portable interface for cryptographic operations.
[0069] In the above method, the secure operating environment zone based on the PSA framework utilizes the security policies of the PSA framework to further enhance the security of the seed SIM card information and the application that simulates the soft SIM card.
[0070] In one example, the secure operating environment contains a fourth subpartition, where information about the seed SIM card and applications that simulate a soft SIM card are deployed.
[0071] In the above method, based on the secure storage of seed SIM card information and the secure operating environment of the application that simulates the soft SIM card, deploying the seed SIM card information and the application that simulates the soft SIM card in the same sub-partition can save resources of the terminal device's operating environment and improve the utilization rate of operating environment resources.
[0072] In one example, the manager can also be used to manage the scheduling of threads in the fourth subpartition and to exchange information through the interface of the fourth subpartition.
[0073] In one example, the third sub-partition and the fourth sub-partition run in parallel and independently of each other.
[0074] In one example, the fourth sub-partition is based on the application trust root service implementation of the platform security architecture.
[0075] Using the aforementioned terminal device 101, this application also provides a method for cloud SIM communication, such as... Figure 4 As shown, the method includes:
[0076] S210: Terminal devices access the operator's network via a seed SIM card.
[0077] In one example, if the secure operating environment is also used to deploy and protect the seed SIM card information, the terminal device accesses the operator's network through the seed SIM card, including:
[0078] S211, the first main program obtains the seed SIM card information through the interface.
[0079] It should be noted that the seed SIM card information here includes ICCID, IMSI, KI, OPC, and other information.
[0080] S212, the first main program calls the application that simulates a soft SIM card to simulate the generation of a seed SIM card.
[0081] Specifically, the first main program generates a seed SIM card by calling an application that simulates a soft SIM card through an interface call, based on the information of the seed SIM card. The seed SIM card is used by the terminal device to transmit data with the cloud server through the transmission module, and by the terminal device to access the local operator's network through the transmission module.
[0082] In one example, the application that simulates a soft SIM card is the UICC service. The first main program calls the UICC service through an interface and sends the seed SIM card information to the UICC service. The UICC service then simulates and generates a seed SIM card based on the seed SIM card information.
[0083] S220, the first main program establishes a communication connection with the cloud server.
[0084] S230, the first main program sends the first request information to the cloud server. The first request information is used to obtain the information of the production card.
[0085] For example, the first request information includes the identifier of the terminal device so that the cloud server can authenticate the terminal device.
[0086] In one example, after the application simulating a soft SIM card generates a seed SIM card based on the seed SIM card, the terminal device can access the operator's network and establish a communication connection with the cloud server. The first main program sends a first request message to the cloud server through the transmission module. The first request message includes the identifier of the terminal device. The cloud server authenticates the terminal device based on the identifier in the first request message. After successful authentication, it sends the production card information to the terminal device. The production card is the optimal SIM card intelligently scheduled by the cloud server from the cloud card pool 103. After sending the production card information, and upon receiving feedback from the device terminal that the application simulating a soft SIM card has successfully generated the production card based on the production card information, the cloud server disconnects the communication connection with the seed SIM card.
[0087] As a further example, the first main program can securely send the first request information to the cloud server via Hypertext Transfer Control Protocol or Message Queuing Telemetry Transfer Protocol.
[0088] For example, the first main program is RomLink Master, and the cloud server is the backend RomLink server. RomLinkMaster communicates with the backend RomLink server through Hypertext Transfer Control Protocol or Message Queuing Telemetry Transfer Protocol.
[0089] S240, the first main program receives information about the production card from the cloud server.
[0090] In one example, the first main program receives information about the production card from the cloud server via the transmission module. This production card information includes ICCID, IMSI, KI, OPC, and other details.
[0091] S250, the first main program sends the production card information to the application that simulates the soft SIM card through the interface, so that the application that simulates the soft SIM card can simulate the generation of the production card based on the production card information.
[0092] In one example, an application simulating a soft SIM card deletes the seed SIM card and then simulates generating a production SIM card based on the production SIM card information. The terminal device then accesses the local operator's network via the production SIM card.
[0093] In one example, the cloud SIM communication method also includes:
[0094] S260, the first main program re-establishes a communication connection with the cloud server.
[0095] The terminal device connects to the local operator's network through the production card, achieving low roaming costs. When the main program cannot access the internet through the production card, it can re-establish a communication connection with the cloud server through the network accessed by the production card to facilitate the subsequent transmission of information.
[0096] S270, the first main program sends a second request message to the cloud server, the second request message is used to release the production card.
[0097] For example, the second request information includes the identifier of the terminal device, and optionally, also includes information about the production card.
[0098] For example, the first main program sends a second request message to the cloud server through the transmission module. The second request message is used to release the production card and includes the identifier of the terminal device 101. Based on the identifier of the terminal device 101 in the second request message, the cloud server unbinds the terminal device 101 from the corresponding production card.
[0099] S280, the first main program calls the application that simulates the soft SIM card through the interface to stop the production card from running.
[0100] In the above method, after the user no longer needs the network access provided by the production card, the first main program sends a second request to the cloud server, causing the cloud server to unbind the terminal device 101 from the corresponding production card, so that other terminal devices can bind to the production card subsequently. After sending the second request, the first main program stops the production card from running by calling an application that simulates a soft SIM card through an interface call, in order to prevent the production card from continuing to occupy memory resources.
[0101] As can be seen from the above embodiments, the first main program in this application is deployed in a non-secure environment and cannot directly obtain the information of the seed SIM card deployed in a secure environment. Instead, it obtains the information through the encrypted interface of the secure environment. That is, only programs trusted by the secure environment can obtain data in the secure environment or access applications in the secure environment through the encrypted interface. After obtaining the seed SIM card information through the interface, the first main program securely calls the application that simulates a soft SIM card to generate the seed SIM card. After the application that simulates a soft SIM card generates the seed SIM card, the terminal device accesses the operator's network through the seed SIM card. Alternatively, if the seed SIM card is a physical card, the terminal device can directly access the operator's network through the seed SIM card without the need for the application that simulates a soft SIM card. The first main program establishes a communication connection with the cloud server through the operator's network, then requests the information of the production card from the cloud server, and then securely sends the obtained production card information to the application that simulates a soft SIM card through the interface. This allows the application that simulates a soft SIM card to generate a production card based on the production card information, thereby enabling the terminal device to access the operator's network more appropriately using the production card, thus reducing international roaming fees. In the above process, the first main program securely obtains the information of the seed SIM card and calls the application that simulates the soft SIM card. Compared with the first main program, the seed SIM card and the application that simulates the soft SIM card are deployed in a secure environment, which reduces the probability of being attacked by technologies such as memory reading and program decompilation, and improves the security of cloud SIM communication.
[0102] The basic principles of this application have been described above with reference to specific embodiments. However, it should be noted that the advantages, benefits, and effects mentioned in this application are merely examples and not limitations, and should not be considered as essential features of each embodiment of this application. Furthermore, the specific details disclosed above are for illustrative and facilitative purposes only, and are not limitations. These details do not limit the application to the necessity of employing the aforementioned specific details for implementation.
[0103] It should be understood that although the steps in the flowcharts of the accompanying figures are shown sequentially as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the accompanying figures may include multiple sub-steps or multiple stages. These sub-steps or stages are not necessarily completed at the same time, but can be executed at different times, and their execution order is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the sub-steps or stages of other steps.
[0104] The block diagrams of devices, apparatuses, devices, and systems involved in this application are merely illustrative examples and are not intended to require or imply that they must be connected, arranged, or configured in the manner shown in the block diagrams. As those skilled in the art will recognize, these devices, apparatuses, devices, and systems can be connected, arranged, and configured in any manner. Words such as “comprising,” “including,” “having,” etc., are open-ended terms meaning “including but not limited to,” and are used interchangeably with them. The terms “or” and “and” as used herein refer to the terms “and / or,” and are used interchangeably with them unless the context clearly indicates otherwise. The term “such as” as used herein refers to the phrase “such as but not limited to,” and is used interchangeably with it.
[0105] It should also be noted that in the apparatus, equipment, and methods of this application, the components or steps can be disassembled and / or recombined. These disassemblies and / or recombinations should be considered as equivalent solutions of this application.
[0106] The above description of the disclosed aspects is provided to enable any person skilled in the art to make or use this application. Various modifications to these aspects will be readily apparent to those skilled in the art, and the general principles defined herein can be applied to other aspects without departing from the scope of this application. Therefore, this application is not intended to be limited to the aspects shown herein, but rather to be accorded the widest scope consistent with the principles and novel features disclosed herein.
[0107] The above description has been given for purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of this application to the forms disclosed herein. Although numerous exemplary aspects and embodiments have been discussed above, those skilled in the art will recognize certain variations, modifications, alterations, additions, and sub-combinations thereof.
Claims
1. A terminal device for cloud SIM communication, characterized in that, The terminal device includes a transmission module and a processor; The processor's operating environment includes a secure operating environment zone and a non-secure operating environment zone. The secure operating environment zone and the non-secure operating environment zone run in parallel and are independent of each other. The non-secure operating environment zone communicates with the secure operating environment zone through an interface, which is a portable interface that provides encryption operations. The secure operating environment zone is used to provide secure deployment of data and secure access to applications. The secure operating environment area is used to deploy applications that simulate soft SIM cards and provide secure access to these applications. These applications simulate the generation of soft SIM cards, which may include production cards or seed SIM cards. Before generating a production card, the application deletes the seed SIM card. The secure operating environment area is also used to deploy and protect the seed SIM card information. The seed SIM card is generated by the application that simulates the soft SIM card and is used to establish the network connection required for authentication on the cloud server. The production card is the optimal SIM card intelligently scheduled by the cloud server from the cloud card pool based on the information of the terminal device. The secure operating environment includes a first sub-partition and a second sub-partition. The first sub-partition and the second sub-partition run in parallel and are independent of each other. The seed SIM card information is deployed in the first sub-partition, the application that simulates the soft SIM card is deployed in the second sub-partition, and the production card is stored in the second sub-partition. The secure operating environment zone deployment manager is used to manage the scheduling of threads in the first sub-partition and threads in the second sub-partition, and the manager is also used for communication between the first sub-partition and the second sub-partition; The secure operating environment zone further includes a third sub-partition, which operates in parallel with and independently of the first sub-partition, and also operates in parallel with and independently of the second sub-partition. The third sub-partition is used to provide security services. The secure operating environment zone is used to provide secure deployment of data and secure access to applications, including: The secure operating environment zone is used to provide secure deployment of data and secure access to applications based on the security service; The manager is used to manage the security services of the third sub-partition; The first main program is deployed in an insecure operating environment area and is used to enable the terminal device to access the operator network through the simulated soft SIM card application. The transmission module is used for data transmission between the first main program and the cloud server; The secure operating environment zone is implemented based on the Platform Security Architecture (PSA); wherein, the first sub-partition and the second sub-partition are implemented based on the application trust root service of the platform security architecture, and the third sub-partition is implemented based on the trust platform root service of the platform security architecture.
2. A method for cloud SIM communication, utilizing the terminal device of claim 1, characterized in that, The terminal device includes a transmission module and a processor; The processor's operating environment includes a secure operating environment zone and a non-secure operating environment zone. The secure operating environment zone and the non-secure operating environment zone run in parallel and are independent of each other. The non-secure operating environment zone communicates with the secure operating environment zone through an interface, which is a portable interface that provides encryption operations. The secure operating environment zone is used to provide secure deployment of data and secure access to applications. The secure operating environment area is used to deploy applications that simulate soft SIM cards and provide secure access to these applications. These applications simulate the generation of soft SIM cards, which may include production cards or seed SIM cards. Before generating a production card, the application deletes the seed SIM card. The secure operating environment area is also used to deploy and protect the seed SIM card information. The seed SIM card is generated by the application that simulates the soft SIM card and is used to establish the network connection required for authentication on the cloud server. The production card is the optimal SIM card intelligently scheduled by the cloud server from the cloud card pool based on the information of the terminal device. The secure operating environment includes a first sub-partition and a second sub-partition. The first sub-partition and the second sub-partition run in parallel and are independent of each other. The information of the seed SIM card is deployed in the first sub-partition, and the application that simulates the soft SIM card is deployed in the second sub-partition. The secure operating environment zone deployment manager is used to manage the scheduling of threads in the first sub-partition and threads in the second sub-partition, and the manager is also used for communication between the first sub-partition and the second sub-partition; The secure operating environment zone further includes a third sub-partition, which operates in parallel with and independently of the first sub-partition, and also operates in parallel with and independently of the second sub-partition. The third sub-partition is used to provide security services. The secure operating environment zone is used to provide secure deployment of data and secure access to applications, including: The secure operating environment zone is used to provide secure deployment of data and secure access to applications based on the security service; The manager is used to manage the security services of the third sub-partition; The first main program is deployed in an insecure operating environment area and is used to enable the terminal device to access the operator network through the simulated soft SIM card application. The transmission module is used for data transmission between the first main program and the cloud server; The method includes: The terminal device accesses the operator's network via a seed SIM card; The first main program establishes a communication connection with the cloud server; The first main program sends a first request message to the cloud server, the first request message being used to obtain information about the production card; The first main program receives information about the production card from the cloud server; The first main program sends the production card information to the application that simulates the soft SIM card through the interface, so that the application that simulates the soft SIM card can simulate and generate a production card based on the production card information. The production card is used for the terminal device to reconnect to the operator network, and the production card is stored in the second sub-partition. The secure operating environment zone is implemented based on the Platform Security Architecture (PSA); wherein, the first sub-partition and the second sub-partition are implemented based on the application trust root service of the platform security architecture, and the third sub-partition is implemented based on the trust platform root service of the platform security architecture.
3. The method according to claim 2, characterized in that, The terminal device accesses the operator's network via a seed SIM card, including: The first main program obtains the information of the seed SIM card through the interface; The first main program, based on the information of the seed SIM card, calls the application program that simulates a soft SIM card through the interface to generate a seed SIM card, so that the terminal device can access the operator's network.
4. The method according to claim 2, characterized in that, The method further includes: The first main program re-establishes a communication connection with the cloud server; The first main program sends a second request message to the cloud server, the second request message being used to release the production card; The first main program calls the application that simulates the soft SIM card through the interface to stop the operation of the production card.