CN104537298B - The method and apparatus authorized is carried out based on microprocessor card - Google Patents
The method and apparatus authorized is carried out based on microprocessor card Download PDFInfo
- Publication number
- CN104537298B CN104537298B CN201410734293.6A CN201410734293A CN104537298B CN 104537298 B CN104537298 B CN 104537298B CN 201410734293 A CN201410734293 A CN 201410734293A CN 104537298 B CN104537298 B CN 104537298B
- Authority
- CN
- China
- Prior art keywords
- identifying code
- card
- session key
- terminal
- business
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
The present invention relates to a kind of method and apparatus carrying out based on microprocessor card and authorizing.Said method comprising the steps of: send the verification command comprising the first identifying code to microprocessor card, wherein, described first identifying code is according to the first session key, to the write data of described microprocessor card and write card information and generate, and described first session key is the card image according to microprocessor card and the first common key generates;Receive the second identifying code returned according to described verification command after described first identifying code is verified by described microprocessor card, wherein, write data according to described second identifying code and the first session key generates;Described second identifying code is verified, after being verified, terminal is authorized.Providing cost savings, safety is higher.
Description
Technical field
The present invention relates to information security field, particularly relate to a kind of side carrying out based on microprocessor card and authorizing
Method and device.
Background technology
Along with computer technology and the development of network technology, increasing people passes through real-time performance online shopping,
And carry out on-line payment, need during by on-line payment to verify user identity, carry out after being verified authorizing and prop up
Pay, or during by gate control system, need to verify user identity, authorize by gate inhibition after being verified, or
When person logs in certain application system, need to verify user identity, after being verified, authorized login etc..
Traditional verification mode mainly uses fingerprint authentication, and fingerprint authentication mainly utilizes everyone fingerprint not
The same feature, reaches to authorize the purpose that cannot forge, but needs built-in fingerprint sensor in the terminal,
Collection fingerprint is identified, and its fingerprint sensor is expensive, considerably increases the cost of terminal.
Summary of the invention
Based on this, it is necessary to need built-in fingerprint sensor increase in the terminal to become for traditional fingerprint authentication
This problem, it is provided that a kind of energy is cost-effective and safety is higher carries out, based on microprocessor card, the side that authorizes
Method and device.
A kind of method carrying out based on microprocessor card authorizing, comprises the following steps:
Send the verification command comprising the first identifying code to microprocessor card, wherein, described first identifying code is
According to the first session key, to the write data of described microprocessor card and write card information and generate, described first
Session key is the card image according to microprocessor card and the generation of the first common key;
Receive after described first identifying code is verified by described microprocessor card and return according to described verification command
The second identifying code, write data and the first session key according to described second identifying code and generate;
Described second identifying code is verified, after being verified, terminal is authorized.
A kind of method carrying out based on microprocessor card authorizing, comprises the following steps:
Receiving the verification command comprising the first identifying code that terminal sends, described first identifying code is according to first
Session key, microprocessor card is write data and write card information generate, described first session key is
Card image according to described microprocessor card and the first common key generate;
Card image and the first common key according to described microprocessor card generate the first session key, and
According to write data, write card information, the first session key generates the first identifying code;
First identifying code of the first identifying code generated with reception is compared, if identical, is then verified,
Generate the second identifying code according to said write data and the first session key and the second identifying code returned to described
Terminal, so that described second identifying code is verified by described terminal, and after being verified, to described terminal
Authorize.
A kind of device carrying out based on microprocessor card authorizing, including:
Order sending module, for sending the verification command comprising the first identifying code to described microprocessor card,
Wherein, described first identifying code be according to the first session key, to the write data of described microprocessor card and
Writing card information to generate, described first session key is the card image according to microprocessor card and first the closeest
Key generates;
Information receiving module, is used for receiving described microprocessor card and described first identifying code is verified rear root
The second identifying code returned according to described verification command, wherein, according to described second identifying code write data and
First session key generates,;
Authentication module, for verifying described second identifying code, after being verified, awards terminal
Power.A kind of device carrying out based on microprocessor card authorizing, including:
Order receiver module, for receiving the verification command comprising the first identifying code that terminal sends, described the
One identifying code is according to the first session key, microprocessor card writes data and writes card information generation,
According to described first session key, the card image of described microprocessor card and the first common key generate;
Information generating module, generates for the card image according to described microprocessor card and the first common key
First session key, and according to write data, write card information, the first session key generates the first identifying code;
Comparison module, for comparing the first identifying code of the first identifying code generated with reception;
Described information generating module is additionally operable to when the first identifying code identical table of the first identifying code generated with reception
Show when being verified, generate the second identifying code according to said write data and the first session key;
Return module, for described second identifying code being returned to described terminal, so that described terminal is to described
Second identifying code is verified, and after being verified, authorizes described terminal.
The above-mentioned method and apparatus carrying out based on microprocessor card authorizing, by according to card image and first altogether
Generate the first session key with key, generate the first identifying code according to the first session key, send and comprise first
The verification command of identifying code, the first identifying code that microprocessor card generates the first identifying code and terminal compares
Relatively, identical after, return according to verification command response the second identifying code, the second identifying code is tested by terminal
Card, after being verified, i.e. achieves the checking to terminal by bi-directional authentification and authorizes, being not required at end
Fingerprint sensor is set in end, also can realize authorizing, provide cost savings, and safety is higher.
Accompanying drawing explanation
Fig. 1 is the applied environment schematic diagram carrying out the method authorized in an embodiment based on microprocessor card;
Fig. 2 is the flow chart carrying out the method authorized in an embodiment based on microprocessor card;
Fig. 3 is the flow chart carrying out the method authorized in another embodiment based on microprocessor card;
Fig. 4 is the structural representation carrying out the device authorized in an embodiment based on microprocessor card;
Fig. 5 is the structural representation carrying out the device authorized in another embodiment based on microprocessor card.
Detailed description of the invention
In order to make the purpose of the present invention, technical scheme and advantage clearer, below in conjunction with accompanying drawing and reality
Execute example, the present invention is further elaborated.Only should be appreciated that specific embodiment described herein
Only in order to explain the present invention, it is not intended to limit the present invention.
Fig. 1 is the applied environment schematic diagram carrying out the method authorized in an embodiment based on microprocessor card.
As it is shown in figure 1, this applied environment includes microprocessor card 110 and terminal 120.
Microprocessor card 110, can be CPU (Central Processing Unit, central processing unit) card or
This contains the SD card of NFC (Near Field Communication, near-field communication) chip or containing NFC
The SIM etc. of chip, it is applicable in gate inhibition, payment, admission ticket, air ticket, member card etc., has and deposit
Storage space is big, reading speed fast, support the features such as one card for multiple uses.Wherein, the safety of CPU card is than common
IC-card (Integrated Circuit Card, integrated circuit card) is much higher, because CPU card is contained within random number
Generator, DES (Data Encryption Standard, data encryption standards), 3DES AES etc.,
Compounding practice system, safe class is high.CPU card is utilized to be difficult to the feature being forged, can be as application program
Log in or pay or gate inhibition's checking etc. carries out the important means that checking authorizes.
Terminal 120 can be the equipment with NFC chip, as can be that smart mobile phone, panel computer, gate inhibition beat
Card device, ticket validation device etc..
Microprocessor card 110 and terminal 120 are interacted by NFC radio communication.
Fig. 2 is the flow chart carrying out the method authorized in an embodiment based on microprocessor card.In Fig. 2
In the applied environment that the method carrying out authorizing based on microprocessor card runs in Fig. 1, describe with terminal point.
As in figure 2 it is shown, this carries out the method authorized based on microprocessor card, comprise the following steps:
Step 202, sends to microprocessor card and comprises the verification command of the first identifying code, and wherein, this first is tested
Card code is according to the first session key, to the write data of this microprocessor card and write card information and generate, and this is the years old
One session key is the card image according to microprocessor card and the generation of the first common key.
Concrete, write data can be Arbitrary Digit.Write card information include type of service, terminal iidentification, first
Business date and time etc..Type of service can be 06, and terminal iidentification can be 001122334455, the first business
Date can be 20120229, and the first business hours can be 135100 etc..
The card image of microprocessor card includes microprocessor card business sequence number and random number etc..The length of random number
Spend variable.Further, card image may also include card balance, the limit of overdrawn account, key version number, calculation
Method mark etc..Such as card image can be 00000000,0000,000000,01,00,11223344,
Wherein, 00000000 is card balance, and 0000 is microprocessor card business sequence number, and 000000 is the limit of overdrawn account,
01 be key version number, 00 be algorithm mark, 11223344 is random number.The variable-length of this random number.
In one embodiment, before step 202, also include: send to microprocessor card and initialize life
Order;Receive the card image that this microprocessor card returns according to this initialization command.
Concrete, this initialization command includes writing data, terminal iidentification etc..Write data can be 00001000;
Terminal iidentification can be terminal number, such as 001122334455 etc..Further, initialization command may also include
Classes of instructions, order code, parameter, data length, pass key index etc., such as initialization command can be 80,
50、01、02、0B、01、00001000、001122334455.80 is CLA i.e. classes of instructions;50
For INS i.e. order code;01 is P1,02 be P2, P1 and P2 be parameter;0B is LC i.e. data length;
01 is Key Index, i.e. closes key index;00001000 is write data;001122334455 compiles for terminal
Number.
The first session key is generated according to this card image and the first common key.Concrete, by card image
In random number, microprocessor card business sequence number, terminal traffic sequence number as first input data, use 3DES
First input data and the first common key are encrypted and obtain the first session key by AES
(SessionKey).Such as, the first common key is 11223344556677888877665544332211,
Random number is 11223344, microprocessor card business serial number 0000, and latter four of terminal traffic sequence number are
0001, input data are 11,223,344 0,000 0001, and the first session key is 3DESEnypt (the first input
Data, the first common key) obtain 003238ABC57659DD.
According to these write data, write card information, the first session key generates the first identifying code.
Concrete, using write data with write card information as the second input data, input data and the to second
One session key does MAC (Message Authentication Codes) computing and obtains the first identifying code, i.e.
MAC1.Such as second input data are 00,001,000 06 001,122,334,455 20120229135100,
First session key is 003238ABC57659DD, and the first identifying code MAC1 is by MAC (the second input
Data, the first session key) it is calculated, the first identifying code MAC1 is F15CAB75.
Verification command includes the first identifying code, terminal traffic sequence number, the second business date and time etc..Enter one
Step, verification command may also include classes of instructions, order code, parameter, data length etc..Such as 80 54 01
00 0F 00,000,001 20111221214822 F15CAB75, wherein, 80 is CLA i.e. instruction class
Not;54 is INS i.e. order code;01 is P1,00 be P2, P1 and P2 be parameter;0F is that LC is several
According to length, 00000001 is terminal traffic sequence number, and 20111221 was the second business date, and 214822 is second
Business hours, F15CAB75 is MAC1.
Step 204, receives after this first identifying code is verified by this microprocessor card and returns according to this verification command
The second identifying code returned, writes data according to the second identifying code and the first session key generates.
Concrete, microprocessor card generates the first session key according to this card image and the first common key,
And according to write data, write card information, the first session key generates the first identifying code, then by generate
The first identifying code that first identifying code and terminal are sent out compares, and after being verified, then confirms that terminal is legal,
Then generate the second identifying code according to these write data and the first session key, the second identifying code is returned to end
End, the second identifying code is verified by terminal, after being verified, authorizes terminal, and it is right i.e. to achieve
The checking mandate of terminal.If the first identifying code that the first identifying code generated and terminal are sent out compares, two
Person is different, then verify not over, microprocessor card can return MAC error ending business, it is impossible to completes to award
Power.
Such as, write data can be 00001000, and the first session key is 003238ABC57659DD, uses
Write data are done MAC operation and are obtained the second identifying code by the first session key, are 56988A13.
Additionally, receive the business authentication code that this microprocessor card returns, wherein, this industry according to this verification command
The second session key that this verification command according to business authentication code, write data and the second common key generate is raw
Become.
Second common key can be authentication code key, i.e. TAC (Transaction Authentication Code,
Transaction verification code) high 8 bytes and low 8 bytes of the second common key are done XOR and are obtained by Key
Two session keys (TACSessionKey).
Such as, TACKey=00112233445566778899AABBCCDDEEFF,
TACSessionKey=XOR (Left (8), Right (8))=8888888888888888.
Obtain terminal iidentification, type of service, will write data, type of service, terminal iidentification, terminal traffic
Sequence number, the second business date and time, as the 3rd input data, use the second session key to the 3rd input
Data are done MAC operation and are obtained business authentication code.Wherein, terminal traffic sequence number, the second business date and time
Can obtain from verification command.Such as write data are 00001000, and type of service is 01, and terminal iidentification is
001122334455, terminal traffic serial number 00000001, the second business date was 20111221, the second industry
The business time is 214822, will write data, type of service, terminal iidentification, terminal traffic sequence number, the second industry
Business date and time, as the 3rd input data, uses the second session key that the 3rd input data are done MAC fortune
Calculation obtains business authentication code and is 3FF7A28A.Business authentication code is as this checking business datum true and false and complete
The important evidence of whole property, is saved in terminal together with business record.
Step 206, verifies this second identifying code, after being verified, authorizes terminal.
Concrete, terminal generates the second identifying code according to write data and the first session key, the will generated
Two identifying codes compare with the second identifying code of reception, if identical, are then verified, award terminal
Power, if differing, then authentication failed, to authorization terminal failure.
The above-mentioned method carrying out based on microprocessor card authorizing, by according to card image and the first common key
Generate the first session key, generate the first identifying code according to the first session key, send and comprise the first identifying code
Verification command, the first identifying code that microprocessor card generates the first identifying code and terminal compares, phase
After Tong, returning the second identifying code according to verification command response, the second identifying code is verified, is tested by terminal
Card, by rear, i.e. achieve the checking to terminal by bi-directional authentification and authorizes, being not required to set in terminal
Put fingerprint sensor, also can realize authorizing, provide cost savings, and safety is higher.
Fig. 3 is the flow chart carrying out the method authorized in another embodiment based on microprocessor card.In Fig. 3
The method carrying out authorizing based on microprocessor card run in Fig. 1 applied environment in, with microprocessor card
Angle describes.As it is shown on figure 3, this carries out the method authorized based on microprocessor card, comprise the following steps:
Step 302, receives the verification command comprising the first identifying code that terminal sends, and this first identifying code is root
According to the first session key, microprocessor card writing data and writes what card information generated, this first session is close
According to key, the card image of this microprocessor card and the first common key generate.
Concrete, verification command includes the first identifying code, terminal traffic sequence number, the second business date and time
Deng.Further, verification command may also include classes of instructions, order code, parameter, data length etc..Such as
80 54 01 00 0F 00,000,001 20111221214822 F15CAB75, wherein, 80 are
CLA i.e. classes of instructions;54 is INS i.e. order code;01 is P1,00 be P2, P1 and P2 be parameter;
0F is LC i.e. data length, and 00000001 is terminal traffic sequence number, and 20111221 was the second business date,
214822 was the second business hours, and F15CAB75 is MAC1.
Write data can be Arbitrary Digit.Write card information and include type of service, terminal iidentification, the first business date
With the time etc..Type of service can be 06, and terminal iidentification can be 001122334455, and the first business date can be
20120229, the first business hours can be 135100 etc..
Card image includes microprocessor card business sequence number and random number etc..The variable-length of random number.Enter one
Step, card image may also include card balance, the limit of overdrawn account, key version number, algorithm mark etc..Example
If card image can be 00000000,0000,000000,01,00,11223344, wherein, 00000000
For card balance, 0000 is microprocessor card business sequence number, and 000000 is the limit of overdrawn account, and 01 is key version
Number, 00 be algorithm mark, 11223344 is random number.
In one embodiment, before step 302, also include: receive the initialization command that terminal sends;
Card image is returned according to this initialization command.
Concrete, this initialization command includes writing data, terminal iidentification etc..Write data can be 00001000;
Terminal iidentification can be terminal number, such as 001122334455 etc..Further, initialization command may also include
Classes of instructions, order code, parameter, data length, pass key index etc., such as initialization command can be 80,
50、01、02、0B、01、00001000、001122334455.80 is CLA i.e. classes of instructions;50
For INS i.e. order code;01 is P1,02 be P2, P1 and P2 be parameter;0B is LC i.e. data length;
01 is Key Index, i.e. closes key index;00001000 is write data;001122334455 compiles for terminal
Number.Step 304, card image and the first common key according to this microprocessor card generate the first session key,
And according to write data, write card information and the first session key generates the first identifying code.
Concrete, the random number in card image, microprocessor card business sequence number, terminal traffic sequence number are made
It is the first input data, uses 3DES AES that the first input data and the first common key are encrypted
Obtain the first session key.Such as, the first common key is
11223344556677888877665544332211, random number is 11223344, microprocessor card business sequence
Number being 0000, latter four of terminal traffic sequence number is 0001, and input data are 11,223,344 0,000 0001,
First session key is that 3DESEnypt (the first input data, the first common key) obtains
003238ABC57659DD。
Write data can be 00001000, writes card information and includes type of service, terminal iidentification, the first business day
Phase and time etc..Type of service can be 06, and terminal iidentification can be 001122334455, and the first business date can
Being 20120229, the first business hours can be 135100 etc..Using write data with to write card information defeated as second
Enter data, the second input data and the first session key are MAC (Message Authentication Codes)
Computing obtains the first identifying code, i.e. MAC1.Such as second input data are 00,001,000 06
001122334455 20120229135100, the first session key is 003238ABC57659DD, first
Identifying code MAC1 is calculated, the first identifying code by MAC (the second input data, the first session key)
MAC1 is F15CAB75.
Step 306, compares the first identifying code of the first identifying code generated with reception, if identical, then
It is verified, generates the second identifying code according to these write data and the first session key, and by the second identifying code
Return to this terminal, so that this second identifying code is verified by this terminal, and after being verified, to this eventually
End authorizes.
Concrete, the first identifying code that the first identifying code generated and terminal are sent out is compared by microprocessor card
Relatively, after being verified, then confirm that terminal is legal, then generate according to these write data and the first session key
Second identifying code, returns to terminal by the second identifying code, and the second identifying code is verified by terminal, and checking is logical
Later terminal is authorized, i.e. achieve the checking mandate to terminal by bi-directional authentification.If generate the
The first identifying code that one identifying code and terminal are sent out compares, and both are different, then verify not over, micro-
Processor card can return MAC error ending business, it is impossible to completes to authorize.
Such as, write data can be 00001000, and the first session key is 003238ABC57659DD, uses
Write data are done MAC operation and are obtained the second identifying code by the first session key, are 56988A13.
Additionally, in one embodiment, also include: generate the second session key according to the second common key,
And according to this verification command, write data and the business of the second session key generation of the second common key generation
Authentication code, returns to this terminal by described business authentication code.Second common key can be authentication code key, i.e.
TAC (Transaction Authentication Code, transaction verification code) Key.This second common key is raw
The step becoming the second session key includes: high 8 bytes and low 8 bytes of this second common key are done XOR
Computing obtains the second session key.Concrete, high 8 bytes and low 8 bytes of the second common key are done different
Or computing obtains the second session key (TACSessionKey).
Such as, TACKey=00112233445566778899AABBCCDDEEFF,
TACSessionKey=XOR (Left (8), Right (8))=8888888888888888.
Obtain terminal iidentification, type of service, will write data, type of service, terminal iidentification, terminal traffic
Sequence number, the second business date and time, as the 3rd input data, use the second session key to the 3rd input
Data are done MAC operation and are obtained business authentication code.Wherein, terminal traffic sequence number, the second business date and time
Can obtain from verification command.Such as write data are 00001000, and type of service is 01, and terminal iidentification is
001122334455, terminal traffic serial number 00000001, the second business date was 20111221, the second industry
The business time is 214822, will write data, type of service, terminal iidentification, terminal traffic sequence number, the second industry
Business date and time, as the 3rd input data, uses the second session key that the 3rd input data are done MAC fortune
Calculation obtains business authentication code and is 3FF7A28A.Business authentication code is as this checking business datum true and false and complete
The important evidence of whole property, is saved in terminal together with business record.
The above-mentioned method carrying out based on microprocessor card authorizing, microprocessor card receives and comprises the first identifying code
Verification command, generates the first session key according to card image and the first common key, close according to the first session
Key generates the first identifying code, then microprocessor card generates the first identifying code and the first identifying code of terminal generation
Compare, identical after, the second identifying code responded according to verification command is returned to terminal so that terminal
Second identifying code is verified, after being verified, terminal is authorized, i.e. realized by bi-directional authentification
To the checking of terminal and authorized, it is not required to arrange fingerprint sensor in terminal, also can realize authorizing,
Provide cost savings, and safety is higher.
Fig. 4 is the structural representation carrying out the device authorized in an embodiment based on microprocessor card.Fig. 4
In carry out in the plant running that the authorizes applied environment in Fig. 1 based on microprocessor card, with terminal point
Describe.Order sending module 410, information receiving module should be included based on the device that microprocessor card carries out authorizing
420 and authentication module 430.Wherein:
Order sending module 410 is used for sending, to microprocessor card, the verification command comprising the first identifying code, its
In, this first identifying code is according to the first session key, to the write data of this microprocessor card and write card letter
Breath generates, and this first session key is the card image according to microprocessor card and the generation of the first common key.
Concrete, write data can be Arbitrary Digit.Write card information include type of service, terminal iidentification, first
Business date and time etc..Type of service can be 06, and terminal iidentification can be 001122334455, the first business
Date can be 20120229, and the first business hours can be 135100 etc..
The card image of microprocessor card includes microprocessor card business sequence number and random number etc..The length of random number
Spend variable.Further, card image may also include card balance, the limit of overdrawn account, key version number, calculation
Method mark etc..Such as card image can be 00000000,0000,000000,01,00,11223344,
Wherein, 00000000 is card balance, and 0000 is microprocessor card business sequence number, and 000000 is the limit of overdrawn account,
01 be key version number, 00 be algorithm mark, 11223344 is random number.The variable-length of this random number.
The first session key is generated according to this card image and the first common key.Concrete, by card image
In random number, microprocessor card business sequence number, terminal traffic sequence number as first input data, use 3DES
First input data and the first common key are encrypted and obtain the first session key by AES
(SessionKey).Such as, the first common key is 11223344556677888877665544332211,
Random number is 11223344, microprocessor card business serial number 0000, and latter four of terminal traffic sequence number are
0001, input data are 11,223,344 0,000 0001, and the first session key is 3DESEnypt (the first input
Data, the first common key) obtain 003238ABC57659DD.
According to these write data, write card information, the first session key generates the first identifying code.
Concrete, using write data with write card information as the second input data, input data and the to second
One session key does MAC (Message Authentication Codes) computing and obtains the first identifying code, i.e.
MAC1.Such as second input data are 00,001,000 06 001,122,334,455 20120229135100,
First session key is 003238ABC57659DD, and the first identifying code MAC1 is by MAC (the second input
Data, the first session key) it is calculated, the first identifying code MAC1 is F15CAB75.
Verification command includes the first identifying code, terminal traffic sequence number, the second business date and time etc..Enter one
Step, verification command may also include classes of instructions, order code, parameter, data length etc..Such as 80 54 01
00 0F 00,000,001 20111221214822 F15CAB75, wherein, 80 is CLA i.e. instruction class
Not;54 is INS i.e. order code;01 is P1,00 be P2, P1 and P2 be parameter;0F is that LC is several
According to length, 00000001 is terminal traffic sequence number, and 20111221 was the second business date, and 214822 is second
Business hours, F15CAB75 is MAC1.
Information receiving module 420 is used for receiving this microprocessor card and this first identifying code is verified rear basis
The second identifying code that this verification command returns, writes data and the first session key according to this second identifying code
Generate.
Concrete, microprocessor card generates the first session key according to this card image and the first common key,
And according to write data, write card information, the first session key generates the first identifying code, then by generate
The first identifying code that first identifying code and terminal are sent out compares, and after being verified, then confirms that terminal is legal,
Then generate the second identifying code according to these write data and the first session key, the second identifying code is returned to end
End, the second identifying code is verified by terminal, after being verified, authorizes terminal, and it is right i.e. to achieve
The checking mandate of terminal.If the first identifying code that the first identifying code generated and terminal are sent out compares, two
Person is different, then verify not over, microprocessor card can return MAC error ending business, it is impossible to completes to award
Power.
Such as, write data can be 00001000, and the first session key is 003238ABC57659DD, uses
Write data are done MAC operation and are obtained the second identifying code by the first session key, are 56988A13.
Additionally, information receiving module 420 is additionally operable to receive what this microprocessor card returned according to this verification command
Business authentication code, wherein, this verification command according to this business authentication code, write data and second are the closeest
The second session key that key generates generates.
Second common key can be authentication code key, i.e. TAC (Transaction Authentication Code,
Transaction verification code) high 8 bytes and low 8 bytes of the second common key are done XOR and are obtained by Key
Two session keys (TACSessionKey).
Such as, TACKey=00112233445566778899AABBCCDDEEFF,
TACSessionKey=XOR (Left (8), Right (8))=8888888888888888.
Obtain terminal iidentification, type of service, will write data, type of service, terminal iidentification, terminal traffic
Sequence number, the second business date and time, as the 3rd input data, use the second session key to the 3rd input
Data are done MAC operation and are obtained business authentication code.Wherein, terminal traffic sequence number, the second business date and time
Can obtain from verification command.Such as write data are 00001000, and type of service is 01, and terminal iidentification is
001122334455, terminal traffic serial number 00000001, the second business date was 20111221, the second industry
The business time is 214822, will write data, type of service, terminal iidentification, terminal traffic sequence number, the second industry
Business date and time, as the 3rd input data, uses the second session key that the 3rd input data are done MAC fortune
Calculation obtains business authentication code and is 3FF7A28A.Business authentication code is as this checking business datum true and false and complete
The important evidence of whole property, is saved in terminal together with business record.
Terminal, for verifying this second identifying code, after being verified, is awarded by authentication module 430
Power.
Concrete, authentication module 430 generates the second identifying code according to write data and the first session key, will
The second identifying code generated compares with the second identifying code of reception, if identical, is then verified, to end
End authorizes, if differing, then authentication failed, to authorization terminal failure.
The above-mentioned device carrying out based on microprocessor card authorizing, by microprocessor card according to card image and
First common key generates the first session key, generates the first identifying code according to the first session key, sends bag
Containing the verification command of the first identifying code, microprocessor card is generated the first identifying code of the first identifying code and terminal
Compare, identical after, return according to verification command response the second identifying code, terminal is to the second identifying code
Verify, after being verified, i.e. achieve the checking to terminal by bi-directional authentification and authorize, no
Fingerprint sensor need to be set in terminal, also can realize authorizing, provide cost savings, and safety is higher.
In one embodiment, order sending module 410 is additionally operable to send initialization command to microprocessor card.
Concrete, this initialization command includes writing data, terminal iidentification etc..Write data can be 00001000;
Terminal iidentification can be terminal number, such as 001122334455 etc..Further, initialization command may also include
Classes of instructions, order code, parameter, data length, pass key index etc., such as initialization command can be 80,
50、01、02、0B、01、00001000、001122334455.80 is CLA i.e. classes of instructions;50
For INS i.e. order code;01 is P1,02 be P2, P1 and P2 be parameter;0B is LC i.e. data length;
01 is Key Index, i.e. closes key index;00001000 is write data;001122334455 compiles for terminal
Number.
Information receiving module 420 is additionally operable to receive the card that this microprocessor card returns according to this initialization command
Information.Concrete, card image includes microprocessor card business sequence number and random number etc..The length of random number
Variable.Additionally, the device carrying out authorizing based on microprocessor card in Fig. 4 is except including order sending module
410, information receiving module 420 and authentication module 430, also include generation module 440.Generation module 440
For generating the first session key according to this card image and the first common key.Concrete, by card image
In random number, microprocessor card business sequence number, terminal traffic sequence number as first input data, use 3DES
First input data and the first common key are encrypted and obtain the first session key by AES
(SessionKey).Such as, the first common key is 11223344556677888877665544332211,
Random number is 11223344, microprocessor card business serial number 0000, and latter four of terminal traffic sequence number are
0001, input data are 11,223,344 0,000 0001, and the first session key is 3DESEnypt (the first input
Data, the first common key) obtain 003238ABC57659DD.
This generation module 440 be additionally operable to according to these write data, write card information, the first session key generates the
One identifying code.Concrete, write data are inputted data with writing card information as second, to the second input number
The first identifying code is obtained according to doing MAC (Message Authentication Codes) computing with the first session key,
I.e. MAC1.Such as second input data are 00,001,000 06 001122334455
20120229135100, the first session key is 003238ABC57659DD, the first identifying code MAC1 by
MAC (the second input data, the first session key) is calculated, and the first identifying code MAC1 is
F15CAB75。
Fig. 5 is the structural representation carrying out the device authorized in another embodiment based on microprocessor card.Fig. 5
In carry out in the plant running that the authorizes applied environment in Fig. 1 based on microprocessor card, with microprocessor
Card angle describes.As it is shown in figure 5, this carries out the device authorized based on microprocessor card, receive including order
Module 510, information generating module 520, comparison module 530 and return module 540.Wherein:
Order receiver module 510 is for receiving the verification command comprising the first identifying code that terminal sends, and this is the years old
One identifying code is according to the first session key, microprocessor card writes data and writes card information generation,
According to this first session key, the card image of this microprocessor card and the first common key generate.
Concrete, verification command includes the first identifying code, terminal traffic sequence number, the second business date and time
Deng.Further, verification command may also include classes of instructions, order code, parameter, data length etc..Such as
80 54 01 00 0F 00,000,001 20111221214822 F15CAB75, wherein, 80 are
CLA i.e. classes of instructions;54 is INS i.e. order code;01 is P1,00 be P2, P1 and P2 be parameter;
0F is LC i.e. data length, and 00000001 is terminal traffic sequence number, and 20111221 was the second business date,
214822 was the second business hours, and F15CAB75 is MAC1.
Write data can be Arbitrary Digit.Write card information and include type of service, terminal iidentification, the first business date
With the time etc..Type of service can be 06, and terminal iidentification can be 001122334455, and the first business date can be
20120229, the first business hours can be 135100 etc..
Card image includes microprocessor card business sequence number and random number etc..The variable-length of random number.Enter one
Step, card image may also include card balance, the limit of overdrawn account, key version number, algorithm mark etc..Example
If card image can be 00000000,0000,000000,01,00,11223344, wherein, 00000000
For card balance, 0000 is microprocessor card business sequence number, and 000000 is the limit of overdrawn account, and 01 is key version
Number, 00 be algorithm mark, 11223344 is random number.
In one embodiment, before step 302, also include: receive the initialization command that terminal sends;
Card image is returned according to this initialization command.
Concrete, this initialization command includes writing data, terminal iidentification etc..Write data can be 00001000;
Terminal iidentification can be terminal number, such as 001122334455 etc..Further, initialization command may also include
Classes of instructions, order code, parameter, data length, pass key index etc., such as initialization command can be 80,
50、01、02、0B、01、00001000、001122334455.80 is CLA i.e. classes of instructions;50
For INS i.e. order code;01 is P1,02 be P2, P1 and P2 be parameter;0B is LC i.e. data length;
01 is Key Index, i.e. closes key index;00001000 is write data;001122334455 compiles for terminal
Number.
Information generating module 520 generates for the card image according to this microprocessor card and the first common key
First session key, and according to write data, write card information, the first session key generates the first identifying code.
Concrete, using the random number in card image, microprocessor card business sequence number, terminal traffic sequence number as the
One input data, use 3DES AES that the first input data and the first common key are encrypted and are obtained
First session key.Such as, the first common key is 11223344556677888877665544332211,
Random number is 11223344, microprocessor card business serial number 0000, and latter four of terminal traffic sequence number are
0001, input data are 11,223,344 0,000 0001, and the first session key is 3DESEnypt (the first input
Data, the first common key) obtain 003238ABC57659DD.Write data can be 00001000, writes
Card information includes type of service, terminal iidentification, the first business date and time etc..Type of service can be 06,
Terminal iidentification can be 001122334455, and the first business date can be 20120229, and the first business hours can be
135100 etc..Write data are inputted data with writing card information as second, to the second input data and first
Session key does MAC (Message Authentication Codes) computing and obtains the first identifying code, i.e.
MAC1.Such as second input data are 00,001,000 06 001,122,334,455 20120229135100,
First session key is 003238ABC57659DD, and the first identifying code MAC1 is by MAC (the second input
Data, the first session key) it is calculated, the first identifying code MAC1 is F15CAB75.
Comparison module 530 is for comparing the first identifying code of the first identifying code generated with reception.
The first identifying code that this information generating module 520 is additionally operable to when generating is identical with the first identifying code of reception
When expression is verified, generate the second identifying code according to these write data and the first session key.
Return module 540 for this second identifying code is returned to this terminal, so that this second is tested by this terminal
Card code is verified, and after being verified, authorizes this terminal.
Concrete, the comparison module 530 of microprocessor card the first identifying code generated and terminal are sent out the
One identifying code compares, and after being verified, then confirms that terminal is legal, then according to these write data and the
One session key generates the second identifying code, and the second identifying code is returned to terminal, and the second identifying code is entered by terminal
Row checking, authorizes terminal after being verified, i.e. achieves the checking to terminal by bi-directional authentification and award
Power.If the first identifying code that the first identifying code generated and terminal are sent out compares, both are different, then test
Demonstrate,prove not over, microprocessor card can return MAC error ending business, it is impossible to complete authorize.
Additionally, in one embodiment, also include: information generating module 520 is additionally operable to according to second common
Key generates the second session key, and generate according to this verification command, write data and the second common key
The business authentication code that second session key generates, returns to this terminal by described business authentication code.This information is raw
Module 520 is become to be additionally operable to high 8 bytes of this second common key and low 8 bytes to do XOR to obtain the
Two session keys.
The above-mentioned device carrying out based on microprocessor card authorizing, microprocessor card receives and comprises the first identifying code
Verification command, generates the first session key according to card image and the first common key, close according to the first session
Key generates the first identifying code, then microprocessor card generates the first identifying code and the first identifying code of terminal generation
Compare, identical after, the second identifying code responded according to verification command is returned to terminal so that terminal
Second identifying code is verified, after being verified, terminal is authorized, i.e. realized by bi-directional authentification
To the checking of terminal and authorize, it is not required to arrange fingerprint sensor in terminal, also can realize authorizing,
Provide cost savings, and safety is higher.
In one embodiment, order receiver module 510 is for receiving the initialization command that terminal sends.Tool
Body, this initialization command includes writing data, terminal iidentification etc..Write data can be 00001000;Eventually
End mark can be terminal number, such as 001122334455 etc..Further, initialization command may also include finger
Make classification, order code, parameter, data length, pass key index etc., such as initialization command can be 80,50,
01、02、0B、01、00001000、001122334455.80 is CLA i.e. classes of instructions;50 is INS
I.e. order code;01 is P1,02 be P2, P1 and P2 be parameter;0B is LC i.e. data length;01 is
Key Index, i.e. closes key index;00001000 is write data;001122334455 is terminal number.
Return module 540 for returning card image according to this initialization command.Concrete, card image bag
Include microprocessor card business sequence number and random number etc..The variable-length of random number.Further, card image
May also include card balance, the limit of overdrawn account, key version number, algorithm mark etc..Such as card image can be
00000000,0000,000000,01,00,11223344, wherein, 00000000 is card balance,
0000 is microprocessor card business sequence number, and 000000 is the limit of overdrawn account, 01 be key version number, 00 for calculate
Method identifies, and 11223344 is random number.
The above-mentioned method and apparatus carrying out authorizing based on microprocessor card can be applicable to payment verification mandate, member
Card checking mandate, air ticket mandate, admission ticket checking mandate, gate inhibition verify that mandate, application program login authentication are awarded
Power, unblock checking mandate etc. need in the scene of checking user identity, but are not limited to this.
The most above-mentioned method and apparatus carrying out authorizing based on microprocessor card is applied in mobile phone authority to pay,
Being attached on mobile phone by microprocessor card, mobile phone uses the above-mentioned method carrying out authorizing based on microprocessor card to micro-
Processor card is verified, detailed process includes: mobile phone sends initialization command to microprocessor card;Mobile phone
Receive the card image that this microprocessor card returns according to this initialization command;Mobile phone according to this card image and
First common key generates the first session key;Mobile phone obtains the write data to this microprocessor card and writes card
Information;Mobile phone according to these write data, write card information, the first session key generates the first identifying code;Mobile phone
The verification command comprising the first identifying code is sent to this microprocessor card;Microprocessor card is according to this card image
And first common key generate the first session key, according to write data, write card information, the first session key
Generate the first identifying code, the first identifying code of the first identifying code generated with reception is compared, if identical,
Then it is verified, generates the second identifying code according to these write data and the first session key, common according to second
Key generates the second session key, generates business according to this verification command, write data and the second session key
Authentication code, and the second identifying code and business authentication code are returned to mobile phone, mobile phone is authorized to, and completes to pay;
Checking is not passed through, then mobile phone cannot be authorized to, it is impossible to complete to pay.
The above-mentioned method and apparatus carrying out authorizing based on microprocessor card is applied to gate inhibition and verifies in mandate, specifically
Process includes: be attached on mobile phone by the access card comprising microprocessor, and mobile phone uses above-mentioned based on microprocessor
Microprocessor card is verified by the method that card carries out authorizing, and is verified, and mobile phone is authorized to, and passes through hands
Machine replaces access card checking opening gate, and checking is not passed through, then mobile phone cannot be authorized to, it is impossible to passes through mobile phone
Checking user identity.
One of ordinary skill in the art will appreciate that all or part of flow process realizing in above-described embodiment method,
Can be by computer program and complete to instruct relevant hardware, described program can be stored in a computer
In read/write memory medium, in the embodiment of the present invention, this program can be stored in the storage of computer system and be situated between
In matter, and performed by least one processor in this computer system, to realize including such as above-mentioned each method
The flow process of embodiment.Wherein, described storage medium can be magnetic disc, CD, read-only store-memory body
(Read-Only Memory, ROM) or random store-memory body (Random Access Memory, RAM)
Deng.
Embodiment described above only have expressed the several embodiments of the present invention, and it describes more concrete and detailed,
But therefore can not be interpreted as the restriction to the scope of the claims of the present invention.It should be pointed out that, for this area
Those of ordinary skill for, without departing from the inventive concept of the premise, it is also possible to make some deformation and
Improving, these broadly fall into protection scope of the present invention.Therefore, the protection domain of patent of the present invention should be with appended
Claim is as the criterion.
Claims (8)
1. the method carrying out based on microprocessor card authorizing, comprises the following steps:
Send the verification command comprising the first identifying code to microprocessor card, wherein, described first identifying code is
According to the first session key, to the write data of described microprocessor card and write card information and generate, described first
Session key is the card image according to microprocessor card and the generation of the first common key;
Receive after described first identifying code is verified by described microprocessor card and return according to described verification command
The second identifying code, wherein, write data and the first session key according to described second identifying code and generate;
Described second identifying code is verified, after being verified, terminal is authorized;
Receive the business authentication code that described microprocessor card returns, wherein, described industry according to described verification command
The second session key that described verification command according to business authentication code, write data and the second common key generate
Generate.
Method the most according to claim 1, it is characterised in that described method also includes:
The second session key that described second common key generates includes high 8 words of described second common key
Joint and low 8 bytes are done XOR and are obtained the second session key;Described card image includes microprocessor card industry
Business sequence number and random number;Described write card information include type of service, terminal iidentification, the first business date and time
Between;Described verification command also includes terminal traffic sequence number, the second business date and time.
3. the method carrying out based on microprocessor card authorizing, comprises the following steps:
Receiving the verification command comprising the first identifying code that terminal sends, described first identifying code is according to first
Session key, microprocessor card is write data and write card information generate, described first session key is
Card image according to described microprocessor card and the first common key generate;
Card image and the first common key according to described microprocessor card generate the first session key, and
According to write data, write card information, the first session key generates the first identifying code;
First identifying code of the first identifying code generated with reception is compared, if identical, is then verified,
Generate the second identifying code according to said write data and the first session key, and the second identifying code is returned to institute
State terminal, so that described second identifying code is verified by described terminal, and after being verified, to described end
End authorizes;
Generate the second session key according to the second common key, and according to described verification command, write data and
The business authentication code that the second session key that second common key generates generates, returns described business authentication code
To described terminal.
Method the most according to claim 3, it is characterised in that described second common key generates second
Session key includes: high 8 bytes and low 8 bytes of described second common key is done XOR and obtains
Two session keys;Described card image includes microprocessor card business sequence number and random number;Described write card information
Including type of service, terminal iidentification, the first business date and time;Described verification command also includes terminal industry
Business sequence number, the second business date and time.
5. the device carrying out authorizing based on microprocessor card, it is characterised in that including:
Order sending module, for sending the verification command comprising the first identifying code to microprocessor card, wherein,
Described first identifying code is according to the first session key, to the write data of described microprocessor card and write card letter
Breath generates, and described first session key is the card image according to microprocessor card and the generation of the first common key;
Information receiving module, is used for receiving described microprocessor card and described first identifying code is verified rear root
The second identifying code returned according to described verification command, wherein, according to described second identifying code write data and
First session key generates;
Authentication module, for verifying described second identifying code, after being verified, awards terminal
Power;
Described information receiving module is additionally operable to receive the industry that described microprocessor card returns according to described verification command
Business authentication code, wherein, described verification command according to described business authentication code, write data and second are common
The second session key that key generates generates.
Device the most according to claim 5, it is characterised in that described second common key generate the
Two session keys include high 8 bytes and low 8 bytes of described second common key being done XOR and obtaining
Two session keys;Described card image includes microprocessor card business sequence number and random number;Described write card information
Including type of service, terminal iidentification, the first business date and time;Described verification command also includes terminal industry
Business sequence number, the second business date and time.
7. the device carrying out authorizing based on microprocessor card, it is characterised in that including:
Order receiver module, for receiving the verification command comprising the first identifying code that terminal sends, described the
One identifying code is according to the first session key, microprocessor card writes data and writes card information generation,
According to described first session key, the card image of described microprocessor card and the first common key generate;
Information generating module, generates for the card image according to described microprocessor card and the first common key
First session key, and according to write data, write card information, the first session key generates the first identifying code;
Comparison module, for comparing the first identifying code of the first identifying code generated with reception;
Described information generating module is additionally operable to when the first identifying code identical table of the first identifying code generated with reception
Show when being verified, generate the second identifying code according to said write data and the first session key;
Return module, for described second identifying code being returned to described terminal, so that described terminal is to described
Second identifying code is verified, and after being verified, authorizes described terminal;
Described information generating module is additionally operable to generate the second session key according to the second common key, and according to institute
State the business authentication code of the second session key generation that verification command, write data and the second common key generate,
Described business authentication code is returned to described terminal.
Device the most according to claim 7, it is characterised in that described information generating module be additionally operable to by
High 8 bytes of described second common key and low 8 bytes are done XOR and are obtained the second session key;Described
Card image includes microprocessor card business sequence number and random number;Described card information of writing includes type of service, end
End mark, the first business date and time;Described verification command also includes terminal traffic sequence number, the second business
Date and time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410734293.6A CN104537298B (en) | 2014-12-04 | 2014-12-04 | The method and apparatus authorized is carried out based on microprocessor card |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410734293.6A CN104537298B (en) | 2014-12-04 | 2014-12-04 | The method and apparatus authorized is carried out based on microprocessor card |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104537298A CN104537298A (en) | 2015-04-22 |
CN104537298B true CN104537298B (en) | 2016-08-31 |
Family
ID=52852820
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410734293.6A Active CN104537298B (en) | 2014-12-04 | 2014-12-04 | The method and apparatus authorized is carried out based on microprocessor card |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104537298B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109862008B (en) * | 2019-01-31 | 2020-11-20 | 北京深思数盾科技股份有限公司 | Key recovery method and device, electronic equipment and storage medium |
CN111432373B (en) * | 2020-02-24 | 2022-08-30 | 吉利汽车研究院(宁波)有限公司 | Security authentication method and device and electronic equipment |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100596066C (en) * | 2004-10-20 | 2010-03-24 | 华为技术有限公司 | Entity identification method based on H323 system |
CN102307188A (en) * | 2011-08-17 | 2012-01-04 | 东信和平智能卡股份有限公司 | Subscriber identity module (SIM)-based universal serial bus (USB) key encryption/decryption system and encryption/decryption method |
CN103905388A (en) * | 2012-12-26 | 2014-07-02 | 中国移动通信集团广东有限公司 | Authentication method, authentication device, smart card, and server |
CN104077511B (en) * | 2014-07-09 | 2017-01-04 | 上海象形通讯科技股份有限公司 | A kind of contactless processor card based on Conbined public or double key certification and using method |
-
2014
- 2014-12-04 CN CN201410734293.6A patent/CN104537298B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN104537298A (en) | 2015-04-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6665217B2 (en) | Establish a secure session between the card reader and mobile device | |
CN103443813B (en) | System and method by mobile device authenticating transactions | |
CN101751629B (en) | Method and system for authenticating multifactor with changing unique values | |
US20130246281A1 (en) | Service providing system and unit device | |
CN109327457A (en) | A kind of internet of things equipment identity identifying method and system based on block chain | |
CN106465112A (en) | Offline authentication | |
US20210004786A1 (en) | Systems and methods for providing online and hybridcard interactions | |
EP4081963A1 (en) | Generating barcodes utilizing cryptographic techniques | |
AU2020414359B2 (en) | Steganographic image encoding of biometric template information on a card | |
JP2024054241A (en) | Secure authentication based on identity data stored on contactless cards | |
US11889480B2 (en) | Resource distribution hub generation on a mobile device | |
CN104835038A (en) | Networking payment device and networking payment method | |
CN104537298B (en) | The method and apparatus authorized is carried out based on microprocessor card | |
EP4113412A1 (en) | Device and method for virtual authorization code-based process authorization | |
CN105741117A (en) | Method and off-line transaction device based on security key | |
KR20200022194A (en) | System and Method for Identification Based on Finanace Card Possessed by User | |
CN106355404B (en) | Debit credit transaction system and method with security vulnerability protection mechanism | |
US20230090508A1 (en) | Device and method for virtual authentication code-based process authorization | |
KR20200103615A (en) | System and Method for Identification Based on Finanace Card Possessed by User | |
KR101349694B1 (en) | Finance system activating security code stored in finance card and method thereof | |
CN115829577A (en) | Authentication method, apparatus, system, medium, and program product |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |