CN103873241A - Safety shield, and digital-certificate management system and method - Google Patents

Publication number: CN103873241A
Application number: CN201210530742.6A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN103873241B (en)
Inventors: 彭敏, 周钰, 严翔翔, 郑建宾
Original and current assignee: China Unionpay Co Ltd
Prior art keywords: safety shield, financial institution, processing unit, client device, application
Landscapes: Financial Or Insurance-Related Operations Such As Payment And Settlement; Storage Device Security

Abstract

The invention provides a safety shield and a digital certificate management system and method. The safety shield includes a communication interface and an intelligent chip. The intelligent chip includes: a storage unit, connected to the communication interface, which receives and stores an activation data key (ADK) subkey and a certificate public key (CPK); an activation unit, connected to the communication interface, which receives activation data and decrypts it with the ADK subkey to activate the intelligent chip; and a processing unit, connected to the communication interface, which receives an application installation certificate (AIC) and a public key infrastructure (PKI) application, verifies the AIC against the CPK, and installs the PKI application if the AIC passes verification. With the safety shield and the digital certificate management system and method, at least one digital certificate can be managed.

Description

Safety shield, digital certificate management system and method
Technical field
The present invention relates to the financial field, and in particular to a safety shield and a digital certificate management system and method.
Background art
Nowadays fewer and fewer people use cash for transactions; instead they transact through online banking and mobile banking. Security problems, however, are restricting the further development of online banking and mobile banking.
For online banking, the usual approach is the U shield. At present, however, each U shield for online banking is issued by one bank for that bank only. As a result a user often holds several U shields at the same time, which is hard to manage and is also a significant waste of resources.
For mobile banking, to keep mobile payments secure, some banks bind the phone number to the account and, for each purchase, combine a verification code sent by SMS with the user password to secure the payment, and they reduce risk by setting a maximum spending limit. Some third-party payment companies instead introduce a digital certificate by means of an SD card to secure payments.
Binding the phone number to the user account protects mobile banking to some extent, but smartphones based on Android and iOS themselves have many security vulnerabilities. Furthermore, because there is no industry security testing standard, the various client applications now being developed go live with many uncontrolled vulnerabilities. The SMS content and the mobile banking client application are very easily monitored and forged by an attacker: the password the user enters each time, the SMS verification code, the account information and so on can all be under the attacker's observation. Mobile banking is generally also used for large transfers, so the risk is very large; once the information leaks and an attacker goes on to make a transfer, the user's loss is unlimited. Introducing a digital certificate on an SD card carries the same risk. A digital certificate held on an SD card is connected to the phone most of the time, so an attacker who obtains the access password or key of the SD card by monitoring can access the card entirely without the user's knowledge and expose the user to the corresponding security threats. If the phone is lost, the SD-card approach likewise creates a large potential risk for the user. Moreover, current SD-card security certificates support the security authentication of only one bank or one payment company; a user whose phone has the mobile banking applications of several banks installed must carry several SD cards, which is clearly very inconvenient.
Summary of the invention
In view of this, the present invention proposes a safety shield and a digital certificate management system and method for managing digital certificates.
The invention provides a safety shield. The safety shield comprises a communication interface and an intelligent chip. Preferably, the communication interface is an audio interface or a USB interface. The intelligent chip comprises:
a storage unit, connected to the communication interface, which receives and stores an activation data key (ADK) subkey and a certificate public key (CPK);
an activation unit, connected to the communication interface to receive activation data, which decrypts the activation data with the ADK subkey to activate the intelligent chip; and
a processing unit, connected to the communication interface to receive an application installation certificate (AIC) and a public key infrastructure (PKI) application, which verifies the AIC against the CPK and installs the PKI application if verification passes.
Preferably, in the safety shield of the present invention, once the PKI application is installed the processing unit receives the digital certificate of at least one financial institution from the communication interface and saves it in the storage unit. Preferably, the processing unit can delete and update the digital certificate.
Preferably, in the safety shield of the present invention, the processing unit invokes the digital certificate of the corresponding financial institution according to a certificate identifier AID.
Preferably, in the safety shield of the present invention, the processing unit receives an application deletion certificate (ADC) from the communication interface, verifies the ADC against the CPK, and deletes the PKI application when verification passes.
Preferably, the safety shield further comprises a physical keyboard connected to the processing unit, for outputting a safety shield access password to the processing unit. Preferably, the safety shield further comprises a transaction confirmation physical key, through which the user inputs a transaction enable signal to the processing unit.
Preferably, the safety shield further comprises an encryption/decryption unit and a digital-to-analog/analog-to-digital conversion unit, wherein
the encryption/decryption unit is connected to the processing unit, encrypts data from the processing unit and returns the encrypted data to the processing unit; and
the digital-to-analog/analog-to-digital conversion unit is connected between the processing unit and the communication interface.
The present invention also provides a digital certificate management system. The system comprises a certificate management center (CMS), a trusted service management center (TSM), at least one financial institution server, a client device, and the safety shield described above, wherein
the CMS generates an activation data key (ADK), a certificate public key (CPK) and a certificate private key (CSK);
a diversification algorithm is used to diversify the ADK, with the chip parameter UID as the diversification factor, to obtain the ADK subkey;
the ADK subkey and the CPK are written into the storage unit of the intelligent chip;
the first financial institution server obtains the UID;
the first financial institution server sends a chip registration request and the UID to the CMS;
the CMS generates activation data according to the UID and sends it to the first financial institution server;
the first financial institution server forwards the activation data to the TSM;
the user sends, through the client device, a safety shield activation request containing user identity information to the TSM;
if the user identity information is verified, the TSM sends the activation data through the client device to the activation unit of the safety shield;
the activation unit of the safety shield decrypts the activation data with the ADK subkey to activate the safety shield;
the second financial institution server sends to the CMS a PKI application registration request containing a public key infrastructure (PKI) application parameter file;
the CMS generates, from the PKI application parameter file and the CSK, the application installation certificate (AIC) corresponding to this PKI application and sends it to the second financial institution server;
the second financial institution server sends the AIC and the PKI application to the TSM;
the user sends, through the client device, an application installation request containing the second financial institution's identifier to the TSM;
according to the second financial institution's identifier, the TSM sends the AIC and the PKI application corresponding to the second financial institution through the client device to the processing unit of the safety shield;
the processing unit of the safety shield verifies the AIC against the CPK and installs the PKI application if verification passes.
Preferably, in the digital certificate management system of the present invention, the user sends, through the client device, a digital certificate download request containing user identity information to the second financial institution server;
the second financial institution server verifies the identity information and, if verification passes, sends the digital certificate through the client device to the processing unit of the safety shield.
Preferably, in the digital certificate management system of the present invention, the user inputs a transaction enable signal to the processing unit through the transaction confirmation physical key.
Preferably, in the digital certificate management system of the present invention, when processing a transaction request the processing unit invokes the corresponding digital certificate according to the application identifier AID sent by the client device.
Preferably, in the digital certificate management system of the present invention, the CMS also generates an application deletion certificate (ADC) from the PKI application parameter file and the CSK and sends the ADC to the second financial institution server;
the second financial institution server forwards the ADC to the TSM;
the user sends, through the client device, an application deletion request containing the second financial institution's identifier to the TSM;
according to the second financial institution's identifier, the TSM sends the corresponding ADC through the client device to the processing unit of the safety shield;
the processing unit of the safety shield verifies the ADC against the CPK and deletes the corresponding PKI application if verification passes.
Preferably, in the digital certificate management system of the present invention, before each use of the safety shield the user inputs the safety shield access password through the physical keyboard to the processing unit of the intelligent chip,
and the processing unit verifies the safety shield access password entered through the physical keyboard against a preset safety shield access password.
Preferably, in the digital certificate management system of the present invention, the first and second financial institutions are the same financial institution or different financial institutions.
Preferably, in the digital certificate management system of the present invention, the client device is a mobile phone, a personal digital assistant (PDA), a notebook computer or a desktop computer.
The present invention also provides a digital certificate management method. The method is applied to a system comprising a certificate management center (CMS), a trusted service management center (TSM), at least one financial institution server, a client device, and the safety shield described above, and the method comprises:
the CMS generates an activation data key (ADK), a certificate public key (CPK) and a certificate private key (CSK);
a diversification algorithm is used to diversify the ADK, with the chip parameter UID as the diversification factor, to obtain the ADK subkey;
the ADK subkey and the CPK are written into the storage unit of the intelligent chip;
the first financial institution server obtains the UID;
the first financial institution server sends a chip registration request and the UID to the CMS;
the CMS generates activation data according to the UID and sends it to the first financial institution server;
the first financial institution server forwards the activation data to the TSM;
the user sends, through the client device, a safety shield activation request containing user identity information to the TSM;
if the user identity information is verified, the TSM sends the activation data through the client device to the activation unit of the safety shield;
the activation unit of the safety shield decrypts the activation data with the ADK subkey to activate the safety shield;
the second financial institution server sends to the CMS a PKI application registration request containing a public key infrastructure (PKI) application parameter file;
the CMS generates, from the PKI application parameter file and the CSK, the application installation certificate (AIC) corresponding to this PKI application and sends it to the second financial institution server;
the second financial institution server sends the AIC and the PKI application to the TSM;
the user sends, through the client device, an application installation request containing the second financial institution's identifier to the TSM;
according to the second financial institution's identifier, the TSM sends the AIC and the PKI application corresponding to the second financial institution through the client device to the processing unit of the safety shield;
the processing unit of the safety shield verifies the AIC against the CPK and installs the PKI application if verification passes.
Preferably, the digital certificate management method of the present invention further comprises:
the user sends, through the client device, a digital certificate download request containing user identity information to the second financial institution server;
the second financial institution verifies the identity information and, if verification passes, sends the digital certificate through the client device to the processing unit of the safety shield.
Preferably, the digital certificate management method of the present invention further comprises: the user inputs a transaction enable signal to the processing unit through the transaction confirmation physical key.
Preferably, the digital certificate management method of the present invention further comprises: when processing a transaction request, the processing unit invokes the corresponding digital certificate according to the application identifier AID sent by the client device.
Preferably, the digital certificate management method of the present invention further comprises:
the CMS also generates an application deletion certificate (ADC) from the PKI application parameter file and the CSK and sends the ADC to the second financial institution server;
the second financial institution server forwards the ADC to the TSM;
the user sends, through the client device, an application deletion request containing the second financial institution's identifier to the TSM;
according to the second financial institution's identifier, the TSM sends the corresponding ADC through the client device to the processing unit of the safety shield;
the processing unit of the safety shield verifies the ADC against the CPK and deletes the corresponding PKI application if verification passes.
Preferably, the digital certificate management method of the present invention further comprises:
before each use of the safety shield, the user inputs the safety shield access password through the physical keyboard to the processing unit of the intelligent chip,
and the processing unit verifies the safety shield access password entered through the physical keyboard against a preset safety shield access password.
Preferably, in the digital certificate management method of the present invention, the first and second financial institutions are the same financial institution or different financial institutions.
Preferably, in the digital certificate management method of the present invention, the client device is a mobile phone, a personal digital assistant (PDA), a notebook computer or a desktop computer.
With the present invention, digital certificates can be managed. The mobile phone safety shield can be used across banks: a user needs only one shield to support authentication with multiple financial institutions, which greatly meets the portability requirement of mobile payment.
Brief description of the drawings
Fig. 1 shows a schematic structural diagram of the safety shield according to the present invention;
Fig. 2 shows a schematic structural diagram of the digital certificate management system according to the present invention; and
Fig. 3 shows a schematic flow diagram of the digital certificate management method according to the present invention.
Detailed description of the embodiments
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, in which identical reference numerals denote identical elements.
Fig. 1 schematically shows the structure of the safety shield according to the present invention. As shown in Fig. 1, the safety shield 1 comprises a communication interface 10 and an intelligent chip 11. The communication interface 10 is, for example and without limitation, an audio interface or a USB interface. Interfaces of this kind are widely compatible and let the safety shield communicate with most client devices. The safety shield 1 may also comprise a power supply (not shown) for powering the other components.
The intelligent chip 11 comprises a storage unit 111, an activation unit 112 and a processing unit 113. The storage unit 111 is, for example, a ROM.
The storage unit 111 is connected to the communication interface 10 and receives and stores the activation data key (ADK) subkey and the certificate public key (CPK) through the communication interface 10. The activation unit 112 is connected to the communication interface 10 to receive activation data, and decrypts the activation data with the ADK subkey to activate the intelligent chip. The processing unit 113 is connected to the communication interface 10 to receive the application installation certificate (AIC) and the public key infrastructure (PKI) application; it verifies the AIC against the CPK and installs the PKI application if verification passes.
Once the PKI application is installed, the processing unit 113 receives the digital certificate of at least one financial institution through the communication interface 10 and saves it in the storage unit 110. Further, the processing unit 113 can delete and update the digital certificate. The mobile phone safety shield can be used across banks: a user needs only one shield to support authentication with multiple financial institutions, which greatly meets the portability requirement of mobile payment.
The processing unit 113 can also receive an application deletion certificate (ADC) through the communication interface 10, verify the ADC against the CPK, and delete the PKI application when verification passes.
When the user makes a transaction, the processing unit 113 invokes the digital certificate of the corresponding financial institution, according to the certificate identifier AID sent from the client device through the communication interface 10, to carry out the transaction.
Preferably, the safety shield 1 also comprises a physical keyboard 12 connected to the processing unit 113, for outputting the safety shield access password to the processing unit 113. The processing unit 113 can verify the received safety shield access password against a preset safety shield access password. The physical keyboard 12 includes, for example and without limitation, number keys or letter keys. The physical keyboard 12 can also include an input cancel key and an input confirmation key. The above description is only exemplary; those skilled in the art can arrange the physical keyboard as actually needed.
Compared with the existing U shield, the present invention moves entry of the safety shield password from the client device to the physical keyboard of the safety shield itself, which prevents viruses and malware from monitoring the password and improves security.
Preferably, the physical keyboard 12 includes a transaction confirmation physical key. The user inputs a transaction enable signal to the processing unit 113 through this key (for example, by pressing it, or by pressing and holding it for a predetermined time). The processing unit 113 processes a transaction request sent from the client device only when it has received the transaction enable signal. This guarantees that a transaction must be initiated by a physical action of the user. If the transaction confirmation physical key is not pressed, an attacker cannot carry out a fraudulent operation even after obtaining the digital certificate information. This further ensures the security of the transaction.
The safety shield 1 also comprises an encryption/decryption unit 14. The encryption/decryption unit 14 is connected to the processing unit 113; it encrypts or decrypts data from the processing unit 113 and returns the encrypted or decrypted data to the processing unit 113. For example, when processing a transaction request the processing unit 113 can use the encryption/decryption unit 14 to encrypt data, generate signature data and perform hash verification.
Although Fig. 1 shows the encryption/decryption unit 14 outside the intelligent chip 11, those skilled in the art will appreciate that it may equally be located inside the intelligent chip 11.
The safety shield 1 also comprises a digital-to-analog/analog-to-digital conversion unit 15, which is connected between the processing unit 113 and the communication interface 10 and converts data between digital and analog form. For example, when data is to be output from the processing unit, the digital signal is converted to an analog signal, and when the communication interface receives data, the analog signal is converted to a digital signal.
The safety shield 1 also comprises a display unit 13, which is connected to the processing unit 113 and displays the data to be shown from the processing unit 113.
Fig. 2 schematically shows the structure of the digital certificate management system according to the present invention. As shown in Fig. 2, the system comprises a certificate management center (CMS) 20, a trusted service management center (TSM) 21, financial institution servers 22 and 23, a client device 24 and the safety shield 1 (see Fig. 1). The client device 24 is, for example but not limited to, a mobile phone, a personal digital assistant (PDA), a notebook computer or a desktop computer. After the safety shield of the present invention has been manufactured, it communicates with the client device through the communication interface and, through the client device, with the other entities.
The CMS 20 generates an activation data key (ADK), a certificate public key (CPK) and a certificate private key (CSK). The manufacturer uses a diversification algorithm to diversify the ADK, with the chip parameter UID as the diversification factor, to obtain the ADK subkey; the manufacturer then writes the ADK subkey and the CPK into the storage unit 111 of the intelligent chip 11.
The first financial institution server 111 obtains the UID from the manufacturer. The first financial institution server 111 then sends a chip registration request and the UID to the CMS 20. The CMS 20 generates activation data according to the UID and sends it to the first financial institution server 22. The first financial institution server 22 forwards the activation data to the TSM 21.
The user sends, through the client device 24, a safety shield activation request containing user identity information to the TSM 21. If the user identity information is verified, the TSM 21 sends the activation data through the client device 24 to the activation unit 112 of the safety shield 1. The activation unit 112 of the safety shield 1 decrypts the activation data with the ADK subkey to activate the safety shield. Preferably, on successful activation the activation unit 112 can also send a successful-activation notification to the first financial institution server 22 through the communication interface 12 and the client device 24.
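The diversification and activation steps above, as an added example (not code from the patent or its assignee). The patent names neither algorithm, so HMAC-SHA256 as the diversification function and an encrypt-then-MAC cipher built from HMAC-SHA256 are assumptions, and `Cms`, `Chip` and `manufacture` are hypothetical names.

```python
import hashlib
import hmac
import os


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def diversify_adk(adk: bytes, uid: bytes) -> bytes:
    """Per-chip ADK subkey: the master ADK diversified with the chip UID."""
    # Assumption: HMAC-SHA256 stands in for the unspecified diversification algorithm.
    return _prf(adk, b"ADK-subkey|" + uid)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [_prf(key, nonce + i.to_bytes(4, "big")) for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(subkey: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the subkey: nonce || ciphertext || tag."""
    enc_key, mac_key = _prf(subkey, b"enc"), _prf(subkey, b"mac")
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ciphertext + _prf(mac_key, nonce + ciphertext)


def unseal(subkey: bytes, blob: bytes) -> bytes:
    """Check the tag first, then decrypt; ValueError on any mismatch."""
    if len(blob) < 48:
        raise ValueError("activation data too short")
    enc_key, mac_key = _prf(subkey, b"enc"), _prf(subkey, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ciphertext)):
        raise ValueError("activation data was not produced for this chip")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Cms:
    """Certificate management center: the only party holding the master ADK."""

    def __init__(self, adk: bytes):
        self._adk = adk

    def activation_data_for(self, uid: bytes) -> bytes:
        # The CMS re-derives the subkey from the UID in the chip registration
        # request; the payload layout is an assumption.
        return seal(diversify_adk(self._adk, uid), b"ACTIVATE|" + uid)


class Chip:
    """Storage unit plus activation unit of one intelligent chip."""

    def __init__(self, uid: bytes, adk_subkey: bytes):
        self.uid = uid
        self._adk_subkey = adk_subkey   # written at manufacture; the ADK itself is not
        self.activated = False

    def activate(self, activation_data: bytes) -> bool:
        try:
            payload = unseal(self._adk_subkey, activation_data)
        except ValueError:
            return False
        if payload != b"ACTIVATE|" + self.uid:
            return False
        self.activated = True
        return True


def manufacture(adk: bytes, uid: bytes) -> Chip:
    """Manufacturer step: diversify the ADK and personalise the chip."""
    return Chip(uid, diversify_adk(adk, uid))


if __name__ == "__main__":
    adk = os.urandom(32)                      # constructed sample key
    cms = Cms(adk)
    chip_a = manufacture(adk, b"UID-A-0001")  # constructed sample UIDs
    chip_b = manufacture(adk, b"UID-B-0002")
    data_a = cms.activation_data_for(chip_a.uid)
    print("chip B accepts chip A's data:", chip_b.activate(data_a))
    print("chip A accepts its own data: ", chip_a.activate(data_a))
```

Because each chip holds only its own subkey, activation data relayed through the TSM and the client device is useless on any other shield, and extracting one chip's subkey does not reveal the ADK.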
The second financial institution server 23 sends to the CMS 20 a PKI application registration request containing a public key infrastructure (PKI) application parameter file. The CMS 20 generates, from the PKI application parameter file and the CSK, the application installation certificate (AIC) corresponding to this PKI application and sends it to the second financial institution server 23. The second financial institution server 23 sends the AIC and the PKI application to the TSM 21.
The user sends, through the client device 24, an application installation request containing the second financial institution's identifier to the TSM 21. According to the second financial institution's identifier, the TSM 21 sends the AIC and the PKI application corresponding to the second financial institution through the client device 24 to the processing unit 113 of the safety shield 1. The processing unit 113 of the safety shield 1 verifies the AIC against the CPK and installs the PKI application if verification passes. Preferably, when installation succeeds, the processing unit 113 generates a PKI application installation success message and sends it to the second financial institution server 23.
The user sends, through the client device 24, a digital certificate download request containing user identity information to the second financial institution server 23. The second financial institution server verifies the identity information and, if verification passes, sends the digital certificate through the client device 24 to the processing unit 113 of the safety shield 1 (the certificate may be an encrypted digital certificate, in which case the encryption/decryption unit 14 can likewise be used to decrypt it).
Through different PKI applications, the safety shield of the present invention can install multiple digital certificates securely and independently. A digital certificate can only be installed in its corresponding PKI application.
As with the existing U shield, the user can delete and update digital certificates. When deleting a certificate, the user can delete it independently and then notify the corresponding financial institution server (for example, the second financial institution server 23) of the deletion result. To update a digital certificate, a digital certificate update request is sent through the client device to the second financial institution server. The second financial institution server sends the new digital certificate to the client device. The client device forwards the new digital certificate to the safety shield to update the original digital certificate.
Further, the CMS 20 also generates an application deletion certificate (ADC) from the PKI application parameter file and the CSK and sends the ADC to the second financial institution server 23. The second financial institution server 23 forwards the ADC to the TSM 21.
The user sends, through the client device 24, an application deletion request containing the second financial institution's identifier to the TSM. According to the second financial institution's identifier, the TSM 21 sends the corresponding ADC through the client device 24 to the processing unit 113 of the safety shield 1. The processing unit 113 of the safety shield 1 verifies the ADC against the CPK and deletes the corresponding PKI application if verification passes. Preferably, when deletion succeeds, the processing unit 113 generates a PKI application uninstallation message and sends it to the second financial institution server 23.
When processing a transaction request sent through the client device 24, the safety shield 1 invokes the corresponding digital certificate according to the application identifier AID sent by the client device 24. Further, before the digital certificate is invoked, the user inputs a transaction enable signal to the processing unit 113 through the transaction confirmation physical key.
Preferably, before each use of the safety shield 1 the user inputs the safety shield access password through the physical keyboard 12 to the processing unit 113 of the intelligent chip 11 for password verification.
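The install, delete, certificate-slot and confirmation-key rules above, modelled as an added example (not code from the patent or its assignee). Assumptions: the patent does not specify the contents of the AIC or ADC or the signature scheme, so each certificate is modelled as a CSK signature over the operation type, the AID and the PKI application parameter file, using a toy RSA that is far too small for real use; `ProcessingUnit` and its method names are hypothetical.

```python
import hashlib

# Assumption: toy RSA over two Mersenne primes (234-bit modulus) stands in for
# the signature scheme, which the patent does not name. It keeps the example
# standard-library only and is far too small for real use.
_P, _Q, _E = 2**127 - 1, 2**107 - 1, 65537
OP_INSTALL, OP_DELETE = b"AIC", b"ADC"


def cms_keypair():
    """Return (CSK, CPK). The CMS keeps CSK; CPK is written into the chip."""
    n = _P * _Q
    return (n, pow(_E, -1, (_P - 1) * (_Q - 1))), (n, _E)


def _message(op, aid, param_file, n):
    # Assumption: the certificate covers the operation type, the AID and the
    # PKI application parameter file, so an AIC cannot be replayed as an ADC.
    data = op + len(aid).to_bytes(2, "big") + aid + param_file
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue(csk, op, aid, param_file):
    """CMS side: produce an AIC or ADC with the certificate private key."""
    n, d = csk
    return pow(_message(op, aid, param_file, n), d, n)


def verify(cpk, op, aid, param_file, cert):
    """Chip side: check an AIC or ADC with the stored certificate public key."""
    n, e = cpk
    if not isinstance(cert, int) or not 0 <= cert < n:
        return False
    return pow(cert, e, n) == _message(op, aid, param_file, n)


class ProcessingUnit:
    """Hypothetical model of the processing unit's gating rules."""

    def __init__(self, cpk):
        self._cpk = cpk
        self._apps = {}          # AID -> {"params": bytes, "cert": bytes or None}
        self._enabled = False    # set by the transaction confirmation physical key

    def install_app(self, aid, param_file, aic):
        if aid in self._apps or not verify(self._cpk, OP_INSTALL, aid, param_file, aic):
            return False
        self._apps[aid] = {"params": param_file, "cert": None}
        return True

    def delete_app(self, aid, adc):
        app = self._apps.get(aid)
        if app is None or not verify(self._cpk, OP_DELETE, aid, app["params"], adc):
            return False
        del self._apps[aid]      # assumption: the stored certificate goes with it
        return True

    def store_certificate(self, aid, certificate):
        if aid not in self._apps:
            return False         # a certificate lives only in its own PKI application
        self._apps[aid]["cert"] = certificate
        return True

    def press_confirm_key(self):
        self._enabled = True

    def handle_transaction(self, aid):
        """Return the certificate selected by AID, or None if not authorised."""
        # Assumption: one key press authorises exactly one request.
        enabled, self._enabled = self._enabled, False
        app = self._apps.get(aid)
        if not enabled or app is None or app["cert"] is None:
            return None
        return app["cert"]


if __name__ == "__main__":
    csk, cpk = cms_keypair()
    aid, params = b"AID-BANK-B", b"constructed PKI application parameter file"
    unit = ProcessingUnit(cpk)
    adc = issue(csk, OP_DELETE, aid, params)
    print("ADC accepted as AIC:", unit.install_app(aid, params, adc))
    print("AIC accepted:       ", unit.install_app(aid, params, issue(csk, OP_INSTALL, aid, params)))
```

Only the CPK sits on the shield, so the TSM and the client device can relay certificates but cannot mint them, and a transaction request without a fresh key press returns nothing.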
Fig. 3 shows the schematic flow diagram according to digital certificate management method of the present invention.As shown in the figure, in step 301, manufacture safety shield.Particularly, CMS 20 generates activation data key A DK, certificate PKI CPK and certificate private key CSK.Manufacturer utilizes decentralized algorithm to disperse ADK to obtain ADK sub-key take chip parameter UID as dispersion factor; Manufacturer writes ADK sub-key and CPK in the memory cell 111 of intelligent chip 11 afterwards.
In step 302, activate safety shield.Particularly, the first financial institution server 111 obtains UID from manufacturer.The first financial institution server 111 sends chip registration request and UID to CMS 20 afterwards.CMS 20 generates and sends activation data to the first financial institution server 22 according to UID.Activation data is forwarded to TSM 21 by the first financial institution server 22.
User sends the safety shield activation request that comprises subscriber identity information to TSM 21 through client device 24.TSM 21 is sent to activation data the activation unit 112 of safety shield 1 in the situation that subscriber identity information is verified through client device 24.Activation data is deciphered to activate safety shield according to ADK sub-key in the activation unit 112 of safety shield 1.Preferably, activate unit 112 and can also in the situation that success activates, send successful activation notification to the first financial institution server 22 by communication interface 12 through client device 24.
In step 303, the PKI application is processed. Specifically, the second financial institution server 23 sends to the CMS 20 a PKI application registration request containing a public key infrastructure (PKI) application parameter file. From the PKI application parameter file and the CSK, the CMS 20 generates the application installation certificate AIC corresponding to this PKI application and sends it to the second financial institution server 23. The second financial institution server 23 sends the AIC and the PKI application to the TSM 21.
The user sends an application installation request containing the second financial institution's identifier to the TSM 21 through the client device 24. According to the second financial institution's identifier, the TSM 21 sends the AIC and the PKI application corresponding to the second financial institution through the client device 24 to the processing unit 113 of the safety shield 1. The processing unit 113 of the safety shield 1 verifies the AIC according to the CPK and installs the PKI application if verification passes. Preferably, on successful installation the processing unit 113 generates a PKI application installation success message and sends it to the second financial institution server 23.
Further, the CMS 20 also generates an application deletion certificate ADC from the PKI application parameter file and the CSK and sends the ADC to the second financial institution server 23. The second financial institution server 23 forwards the ADC to the TSM 21.
The user sends an application deletion request containing the second financial institution's identifier to the TSM through the client device 24. According to the second financial institution's identifier, the TSM 21 sends the corresponding ADC through the client device 24 to the processing unit 113 of the safety shield 1. The processing unit 113 of the safety shield 1 verifies the ADC according to the CPK and deletes the corresponding PKI application if verification passes. Preferably, on successful deletion the processing unit 113 generates a PKI application uninstall message and sends it to the second financial institution server 23.
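The AIC and ADC checks of step 303, as an added Go example that is not part of the patent. Ed25519 as the CSK/CPK signature scheme, the layout of the signed bytes (operation, institution identifier, SHA-256 of the application) and all function names are assumptions; binding the operation into the signed bytes is what keeps an AIC from being accepted as an ADC.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewCMSKeys creates the CMS pair: the CSK stays at the CMS, the CPK is written to every shield.
func NewCMSKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	cpk, csk, err := ed25519.GenerateKey(rand.Reader) // Ed25519 is an assumed scheme
	if err != nil {
		panic(err)
	}
	return cpk, csk
}

// signedBytes is the message under the signature (an assumed layout).
func signedBytes(op, inst string, app []byte) []byte {
	h := sha256.Sum256(app)
	return append([]byte(op+"\x00"+inst+"\x00"), h[:]...)
}

// IssueAIC and IssueADC are the CMS side; both are signed with the CSK.
func IssueAIC(csk ed25519.PrivateKey, inst string, app []byte) []byte {
	return ed25519.Sign(csk, signedBytes("install", inst, app))
}

func IssueADC(csk ed25519.PrivateKey, inst string, app []byte) []byte {
	return ed25519.Sign(csk, signedBytes("delete", inst, app))
}

// Shield models the processing unit: it holds the CPK, never the CSK.
type Shield struct {
	cpk  ed25519.PublicKey
	apps map[string][]byte // institution identifier -> installed PKI application
}

func NewShield(cpk ed25519.PublicKey) *Shield {
	return &Shield{cpk: cpk, apps: map[string][]byte{}}
}

// Install verifies the AIC against the CPK before the application is stored.
func (s *Shield) Install(inst string, app, aic []byte) error {
	if !ed25519.Verify(s.cpk, signedBytes("install", inst, app), aic) {
		return errors.New("AIC verification failed")
	}
	s.apps[inst] = app
	return nil
}

// Delete verifies the ADC against the CPK before the application is removed.
func (s *Shield) Delete(inst string, adc []byte) error {
	app, ok := s.apps[inst]
	if !ok || !ed25519.Verify(s.cpk, signedBytes("delete", inst, app), adc) {
		return errors.New("ADC verification failed")
	}
	delete(s.apps, inst)
	return nil
}

func main() {
	cpk, csk := NewCMSKeys()
	s, app := NewShield(cpk), []byte("constructed PKI application bytes")
	aic := IssueAIC(csk, "BANK-B", app)
	fmt.Println("install:", s.Install("BANK-B", app, aic))
	fmt.Println("AIC replayed as ADC:", s.Delete("BANK-B", aic))
	fmt.Println("delete:", s.Delete("BANK-B", IssueADC(csk, "BANK-B", app)))
}
```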
In step 304, digital certificate processing is performed. Specifically, the user sends a digital certificate download request containing user identity information to the second financial institution server 23 through the client device 24. The second financial institution server verifies the identity information and, if verification passes, sends the digital certificate through the client device 24 to the processing unit 113 of the safety shield 1 (the digital certificate may be encrypted, in which case the encryption/decryption unit 14 can likewise be used to decrypt it).
Through different PKI applications, the safety shield of the present invention can install multiple digital certificates securely and independently of one another. A digital certificate can only be installed in its corresponding PKI application.
As with the existing U-shield, the user can delete and update digital certificates. The user can delete a certificate independently and then notify the corresponding financial institution server (for example the second financial institution server 23) of the deletion result. To update a digital certificate, a digital certificate update request is sent through the client device to the second financial institution server. The second financial institution server sends the new digital certificate to the client device. The client device forwards the new digital certificate to the safety shield to update the original digital certificate.
Preferably, when processing a transaction request sent through the client device 24, the safety shield 1 calls the corresponding digital certificate according to the application identifier AID sent by the client device 24. Further, before the digital certificate is called, the user inputs a transaction enable signal to the processing unit 113 through the transaction confirmation physical key.
Preferably, before each use of the safety shield 1, the user inputs the safety shield access password to the processing unit 113 of the intelligent chip 11 through the physical keyboard 12 for password authentication.
In the above exemplary embodiment, to simplify the description, the first and second financial institutions are described as different financial institutions. It should be understood, however, that the first and second financial institutions can be the same financial institution. It should likewise be understood that the present invention is not limited to two financial institutions; it is equally applicable to more than two financial institutions.
Those skilled in the art should understand that the above description is exemplary only, and that some steps and/or components can be added, omitted or adjusted according to actual needs.
In view of these teachings, those of ordinary skill in the art will readily conceive of other embodiments, combinations and modifications of the present invention. Therefore, when read in conjunction with the above description and the accompanying drawings, the present invention is limited only by the claims.

Claims (22)

1. A safety shield, characterized in that the safety shield comprises a communication interface and an intelligent chip, the communication interface preferably being an audio interface or a USB interface, wherein the intelligent chip comprises:
a storage unit, connected to the communication interface, which receives and stores the activation data key (ADK) subkey and the certificate public key CPK;
an activation unit, connected to the communication interface to receive activation data, which decrypts the activation data with the ADK subkey to activate the intelligent chip; and
a processing unit, connected to the communication interface to receive an application installation certificate AIC and a public key infrastructure (PKI) application, which verifies the AIC according to the CPK and installs the PKI application if verification passes.
2. The safety shield as claimed in claim 1, characterized in that, with the PKI application installed, the processing unit receives the digital certificate of at least one financial institution from the communication interface and stores it in the storage unit; preferably, the processing unit can delete and update the digital certificate.
3. The safety shield as claimed in claim 2, characterized in that the processing unit calls the digital certificate of the corresponding financial institution according to the certificate identifier AID.
4. The safety shield as claimed in claim 1, characterized in that the processing unit receives an application deletion certificate ADC from the communication interface, verifies the ADC according to the CPK and deletes the PKI application if verification passes.
5. The safety shield as described in one of claims 1-4, characterized in that the safety shield further comprises a physical keyboard connected to the processing unit, for outputting the safety shield access password to the processing unit; preferably, the safety shield further comprises a transaction confirmation physical key, through which the user inputs a transaction enable signal to the processing unit.
6. The safety shield as described in claims 1-4, characterized in that the safety shield further comprises an encryption/decryption unit and a digital-to-analog/analog-to-digital conversion unit, wherein
the encryption/decryption unit is connected to the processing unit, and is used to encrypt data from the processing unit and return the encrypted data to the processing unit; and
the digital-to-analog/analog-to-digital conversion unit is connected between the processing unit and the communication interface.
7. A digital certificate management system, characterized in that it comprises a certificate management center CMS, a trusted service management center TSM, at least one financial institution server, a client device, and a safety shield as described in one of the preceding claims, wherein
the CMS generates the activation data key ADK, the certificate public key CPK and the certificate private key CSK;
a key diversification algorithm is used, with the chip parameter UID as the diversification factor, to diversify the ADK and obtain the ADK subkey;
the ADK subkey and the CPK are written into the storage unit of the intelligent chip;
the first financial institution server obtains the UID;
the first financial institution server sends a chip registration request and the UID to the CMS;
the CMS generates activation data according to the UID and sends it to the first financial institution server;
the first financial institution server forwards the activation data to the TSM;
the user sends a safety shield activation request containing user identity information to the TSM through the client device;
if the user identity information is verified, the TSM sends the activation data through the client device to the activation unit of the safety shield;
the activation unit of the safety shield decrypts the activation data with the ADK subkey to activate the safety shield;
the second financial institution server sends to the CMS a PKI application registration request containing a public key infrastructure (PKI) application parameter file;
from the PKI application parameter file and the CSK, the CMS generates the application installation certificate AIC corresponding to this PKI application and sends it to the second financial institution server;
the second financial institution server sends the AIC and the PKI application to the TSM;
the user sends an application installation request containing the second financial institution's identifier to the TSM through the client device;
according to the second financial institution's identifier, the TSM sends the AIC and the PKI application corresponding to the second financial institution through the client device to the processing unit of the safety shield;
the processing unit of the safety shield verifies the AIC according to the CPK and installs the PKI application if verification passes.
8. The digital certificate management system as claimed in claim 7, characterized in that
the user sends a digital certificate download request containing user identity information to the second financial institution server through the client device;
the second financial institution server verifies the identity information and, if verification passes, sends the digital certificate through the client device to the processing unit of the safety shield.
9. The digital certificate management system as claimed in claim 8, characterized in that the user inputs a transaction enable signal to the processing unit through the transaction confirmation physical key.
10. The digital certificate management system as claimed in claim 8, characterized in that, when processing a transaction request, the processing unit calls the corresponding digital certificate according to the application identifier AID sent by the client device.
11. The digital certificate management system as claimed in claim 7, characterized in that
the CMS also generates an application deletion certificate ADC from the PKI application parameter file and the CSK and sends the ADC to the second financial institution server;
the second financial institution server forwards the ADC to the TSM;
the user sends an application deletion request containing the second financial institution's identifier to the TSM through the client device;
according to the second financial institution's identifier, the TSM sends the corresponding ADC through the client device to the processing unit of the safety shield;
the processing unit of the safety shield verifies the ADC according to the CPK and deletes the corresponding PKI application if verification passes.
12. The digital certificate management system as described in one of claims 7-11, characterized in that
before each use of the safety shield, the user inputs the safety shield access password to the processing unit of the intelligent chip through the physical keyboard,
the processing unit verifies the safety shield access password input through the physical keyboard against the preset safety shield access password.
13. The digital certificate management system as described in one of claims 7-11, characterized in that the first and second financial institutions are the same or different financial institutions.
14. The digital certificate management system as described in one of claims 7-11, characterized in that the client device is a mobile phone, a personal digital assistant (PDA), a notebook computer or a desktop computer.
15. A digital certificate management method, characterized in that it is applied to a system comprising a certificate management center CMS, a trusted service management center TSM, at least one financial institution server, a client device, and a safety shield as described in one of claims 1-6, the method comprising:
the CMS generates the activation data key ADK, the certificate public key CPK and the certificate private key CSK;
a key diversification algorithm is used, with the chip parameter UID as the diversification factor, to diversify the ADK and obtain the ADK subkey;
the ADK subkey and the CPK are written into the storage unit of the intelligent chip;
the first financial institution server obtains the UID;
the first financial institution server sends a chip registration request and the UID to the CMS;
the CMS generates activation data according to the UID and sends it to the first financial institution server;
the first financial institution server forwards the activation data to the TSM;
the user sends a safety shield activation request containing user identity information to the TSM through the client device;
if the user identity information is verified, the TSM sends the activation data through the client device to the activation unit of the safety shield;
the activation unit of the safety shield decrypts the activation data with the ADK subkey to activate the safety shield;
the second financial institution server sends to the CMS a PKI application registration request containing a public key infrastructure (PKI) application parameter file;
from the PKI application parameter file and the CSK, the CMS generates the application installation certificate AIC corresponding to this PKI application and sends it to the second financial institution server;
the second financial institution server sends the AIC and the PKI application to the TSM;
the user sends an application installation request containing the second financial institution's identifier to the TSM through the client device;
according to the second financial institution's identifier, the TSM sends the AIC and the PKI application corresponding to the second financial institution through the client device to the processing unit of the safety shield;
the processing unit of the safety shield verifies the AIC according to the CPK and installs the PKI application if verification passes.
16. The method as claimed in claim 15, characterized in that the method further comprises:
the user sends a digital certificate download request containing user identity information to the second financial institution server through the client device;
the second financial institution verifies the identity information and, if verification passes, sends the digital certificate through the client device to the processing unit of the safety shield.
17. The method as claimed in claim 16, characterized in that the method further comprises: the user inputs a transaction enable signal to the processing unit through the transaction confirmation physical key.
18. The method as claimed in claim 16, characterized in that the method further comprises: when processing a transaction request, the processing unit calls the corresponding digital certificate according to the application identifier AID sent by the client device.
19. The method as claimed in claim 15, characterized in that the method further comprises:
the CMS also generates an application deletion certificate ADC from the PKI application parameter file and the CSK and sends the ADC to the second financial institution server;
the second financial institution server forwards the ADC to the TSM;
the user sends an application deletion request containing the second financial institution's identifier to the TSM through the client device;
according to the second financial institution's identifier, the TSM sends the corresponding ADC through the client device to the processing unit of the safety shield;
the processing unit of the safety shield verifies the ADC according to the CPK and deletes the corresponding PKI application if verification passes.
20. The method as described in one of claims 15-19, characterized in that the method comprises:
before each use of the safety shield, the user inputs the safety shield access password to the processing unit of the intelligent chip through the physical keyboard,
the processing unit verifies the safety shield access password input through the physical keyboard against the preset safety shield access password.
21. The method as described in one of claims 15-19, characterized in that the first and second financial institutions are the same or different financial institutions.
22. The method as described in one of claims 15-19, characterized in that the client device is a mobile phone, a personal digital assistant (PDA), a notebook computer or a desktop computer.
CN201210530742.6A 2012-12-11 2012-12-11 safety shield, digital certificate management system and method Active CN103873241B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210530742.6A CN103873241B (en) 2012-12-11 2012-12-11 safety shield, digital certificate management system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210530742.6A CN103873241B (en) 2012-12-11 2012-12-11 safety shield, digital certificate management system and method

Publications (2)

Publication Number Publication Date
CN103873241A true CN103873241A (en) 2014-06-18
CN103873241B CN103873241B (en) 2017-06-23

Family

ID=50911391

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210530742.6A Active CN103873241B (en) 2012-12-11 2012-12-11 safety shield, digital certificate management system and method

Country Status (1)

Country Link
CN (1) CN103873241B (en)

Also Published As

Publication number Publication date
CN103873241B (en) 2017-06-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant