CN105634730B - A kind of financial IC card key management system - Google Patents

A kind of financial IC card key management system Download PDF

Info

Publication number
CN105634730B
CN105634730B CN201511019247.9A CN201511019247A CN105634730B CN 105634730 B CN105634730 B CN 105634730B CN 201511019247 A CN201511019247 A CN 201511019247A CN 105634730 B CN105634730 B CN 105634730B
Authority
CN
China
Prior art keywords
credit card
key
card issuer
key management
center
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201511019247.9A
Other languages
Chinese (zh)
Other versions
CN105634730A (en
Inventor
向民
信怀义
王艳华
沈东明
徐超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Construction Bank Corp filed Critical China Construction Bank Corp
Priority to CN201511019247.9A priority Critical patent/CN105634730B/en
Publication of CN105634730A publication Critical patent/CN105634730A/en
Application granted granted Critical
Publication of CN105634730B publication Critical patent/CN105634730B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • Software Systems (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

This application provides a kind of financial IC card key management systems, in order to guarantee the safety of the financial IC card, credit card issuer Key Management Center will initiate credit card issuer root certificate signature request to authentication center, to make the authentication center that credit card issuer certificate be fed back to the credit card issuer Key Management Center accordingly, so that the credit card issuer Key Management Center signs and issues IC card certificate accordingly, simultaneously, the credit card issuer Key Management Center can also generate the certification private key for meeting financial IC card needs, such as various consumption keys, and these key informations that will be obtained, such as authenticate private key, IC card certificate and credit card issuer certificate etc. pass through hair fastener center loaded to financial IC card, to guarantee the safety of the financial IC card;Meanwhile the authentication center can also send obtained certification public key to and receive uniline Key Management Center, so that the receipts uniline Key Management Center is loaded into various accepting terminals, to guarantee that financial IC card carries out the safety in process of exchange in the accepting terminal.

Description

A kind of financial IC card key management system
Technical field
Present application relates generally to safety management fields, more particularly to a kind of financial IC card key management system.
Background technique
With the continuous expansion of bank card business scale, the requirement for bank card risk control is increasingly improved, traditional Magnetic stripe card is no longer satisfied the requirement of bank card risk control, and card image is usurped and pseudo- card event happens occasionally, to holding People and card sending mechanism cause very big loss.
In order to solve this problem, with the release of international chip card EMV standard, China is gradually replaced using financial IC card For traditional magnetic stripe card, this financial IC card is a kind of bank card using chip as medium, and memory capacity is very big, additionally it is possible to The information such as key, digital certificate, fingerprint are stored, very strong anti-attack ability is made it have, is difficult to be replicated and forge, to make What holder's interests obtained ensures.
It wherein, is thus, how to guarantee finance on the safety based on its association key due to the safety of financial IC card The safety of IC card association key becomes the key for guaranteeing financial IC card safety.
Summary of the invention
In view of this, the present invention provides a kind of financial IC card key management system, to financial IC card hair fastener and make The safety that ensure that the financial IC card in process of exchange is carried out with it.
To achieve the goals above, this application provides following technical schemes:
A kind of financial IC card key management system, the system comprises authentication centers, and connect with the authentication center Credit card issuer Key Management Center and receive uniline Key Management Center, in which:
The authentication center is used for the credit card issuer root certificate sent based on the credit card issuer Key Management Center received Signature request determines credit card issuer certificate, and the credit card issuer certificate is fed back to the credit card issuer Key Management Center, to sign and issue IC card certificate, the credit card issuer certificate include certification public key information;
The credit card issuer Key Management Center is for generating certification private key information, and by the certification private key information, described It authenticates public key information, the credit card issuer certificate and the IC card certificate and passes through hair fastener center loaded to financial IC card;
The uniline Key Management Center of receiving is used to receive the certification public key information that the authentication center sends, and will be described Certification public key information is issued to each accepting terminal.
Preferably, the credit card issuer Key Management Center includes: credit card issuer control device, and is controlled with the credit card issuer Multiple first keys that device is connected with the authentication center manage branch, each first key management branch includes Credit card issuer Key Management server, and the credit card issuer cipher machine being connect with the credit card issuer Key Management server, in which:
The credit card issuer cipher machine is for certification private key information needed for generating financial IC card;
The credit card issuer control device generates credit card issuer root for controlling the corresponding credit card issuer Key Management server Certificate Signature Request, and it is sent to the authentication center;
The credit card issuer Key Management server is used to receive certification public key information and hair fastener that the authentication center sends Row certificate, and pass through hair fastener center loaded to financial IC card.
Preferably, the receipts uniline Key Management Center includes: to receive uniline control device, and control with the receipts uniline Multiple second key managements branch that device is connected with the authentication center, each second key management branch include Receive uniline Key Management server, and the receipts uniline cipher machine connecting with the receipts uniline Key Management server, in which:
The uniline Key Management server of receiving receives the certification public key information that the authentication center sends, and in the receipts After uniline control device is verified the certification public key information, the certification public key information is issued to and respectively accepts end End;
The financial IC card progress key authentication received uniline encryption equipment and be used to read card-reading apparatus.
Preferably, the system also includes: with it is described receipts uniline Key Management Center integrate financial IC card friendship Easy authentication center, for being authenticated to the Transaction Information between the financial IC card and the accepting terminal.
Preferably, the credit card issuer Key Management Center is also used to generate credit card issuer itself using preset-key algorithm Multiple master control keys, and it is issued to the hair fastener center, so that finance IC is replaced using the master control key in the hair fastener center Manufacturer's key in master card.
Preferably, the credit card issuer Key Management Center is also used to issuing the certification private key information, the credit card issuer Before certificate and the IC card certificate, to the certification private key information, the credit card issuer certificate and the IC card certificate into Row encryption.
Preferably, the receipts uniline Key Management Center is also used to respectively accept end the certification public key information to be issued to Before end, the certification public key information is encrypted.
Preferably, the system also includes:
Safety equipment protects key for preset master key to be separated into multiple transmission, to realize to multiple to be protected Key carries out corresponding encryption, and the key to be protected includes the certification private key information, the certification public key information, the hair fastener Row certificate and/or the IC card certificate.
It can be seen that compared with prior art, this application provides a kind of financial IC card key management systems, in order to guarantee The safety of the financial IC card, credit card issuer Key Management Center will initiate credit card issuer root certificate signature request to authentication center, thus Make the authentication center that credit card issuer certificate be fed back to the credit card issuer Key Management Center accordingly, so that in the credit card issuer key management The heart signs and issues IC card certificate accordingly, meanwhile, which can also generate the certification private for meeting financial IC card needs Key, such as various consumption keys, and these key informations that will be obtained such as authenticate private key, IC card certificate and credit card issuer certificate Etc. by hair fastener center loaded to financial IC card, to guarantee the safety of the financial IC card;Meanwhile the authentication center can also incite somebody to action To certification public key be sent to receive uniline Key Management Center, so as to the receipts uniline Key Management Center be loaded into it is various by Terminal is managed, to guarantee that financial IC card carries out the safety in process of exchange in the accepting terminal.
Detailed description of the invention
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this The embodiment of invention for those of ordinary skill in the art without creative efforts, can also basis The attached drawing of offer obtains other attached drawings.
Fig. 1 is a kind of structural schematic diagram of financial IC card key management system embodiment provided by the present application;
Fig. 2 is a kind of structural schematic diagram of credit card issuer Key Management Center embodiment provided by the present application;
Fig. 3 is a kind of structural schematic diagram of financial IC card system provided by the present application;
Fig. 4 is the structural schematic diagram of another financial IC card key management system embodiment provided by the present application.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on Embodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts every other Embodiment shall fall within the protection scope of the present invention.
This application provides a kind of financial IC card key management systems, in order to guarantee the safety of the financial IC card, credit card issuer Key Management Center will initiate credit card issuer root certificate signature request to authentication center, to make the authentication center accordingly by credit card issuer Certificate and certification public key feed back to the credit card issuer Key Management Center, so that the credit card issuer Key Management Center determines therefrom that IC Card certificate, meanwhile, which can also generate the certification private key for meeting financial IC card needs, such as various consumption Key etc., and these key informations that will be obtained, such as certification public key, certification private key, IC card certificate and credit card issuer certificate By hair fastener center loaded to financial IC card, to guarantee the safety of the financial IC card;Meanwhile the certification that the authentication center obtains is public Key, which can be also sent to, receives uniline Key Management Center, various accepts end so that the receipts uniline Key Management Center is loaded into End, to guarantee that financial IC card carries out the safety in process of exchange in the accepting terminal.
In order to keep the above objects, features and advantages of the present invention more obvious and easy to understand, with reference to the accompanying drawing and specifically The present invention is described in further detail for embodiment.
As shown in Figure 1, be a kind of structural schematic diagram of financial IC card key management system embodiment provided by the present application, it should System may include: authentication center 100 and the credit card issuer Key Management Center 200 connecting with the authentication center 100 and receive Uniline Key Management Center 300, in which:
The credit card issuer root card that authentication center 100 is used to send based on the credit card issuer Key Management Center 200 received Bookmark name request, determines credit card issuer certificate, and the credit card issuer certificate is fed back to the credit card issuer Key Management Center 200.
In the present embodiment, which specifically can be China's finance authentication center (China Financial Certification Authority, abbreviation CFCA), it is through People's Bank of China and national information Security Administration Department batch The authoritative security authority of national level that standard is set up, is important one of the Financial information safety infrastructure of country, but not office It is limited to this.
Wherein, CA (Certification Authority, certification authority) is the machine for providing, managing, abolishing digital certificate Structure is mainly used to check the legitimacy of certificate holder's identity, and grant a certificate, is forged or distorts to prevent certificate, and is real Now to the management of certificate and key.
In practical applications, any user wants have a one's own certificate, needs first to file an application to CA, in CA After distinguishing applicant's identity, a public key is distributed for it, and after the identity information of the public key and applicant is bound together, be Signature form certificate after feed back to applicant.Based on this, in the present embodiment, when credit card issuer needs the certificate of oneself, will produce Raw corresponding credit card issuer certificates of recognition signature request, and authentication center is sent it to, to obtain corresponding credit card issuer certificate.
Optionally, credit card issuer certificate may include the information of the authentication center, the relevant information of credit card issuer and its signature, have Effect phase and public key etc., the application is not construed as limiting this.
In addition, in this application, for credit card issuer, credit card issuer Key Management Center may include credit card issuer certification The encryption equipment of the credit card issuer Key Management Center is called at center, generates the public key and private key of credit card issuer, and generates credit card issuer certification Bookmark name request is sent to the i.e. above-mentioned CFCA of authentication center, to determine the credit card issuer certificate.
Wherein, the credit card issuer certificates of recognition signature request which sends can carry the hair of above-mentioned generation Card row public key information, however, it is not limited to this.
In addition, after the credit card issuer certificate that credit card issuer authentication center receives CFCA feedback, it will demonstrate,proved using the credit card issuer Bookmark sends out IC card certificate, and the certificate by these keys or after signing and issuing is sent to the card sending system of financial IC card, such as passes through hair fastener Row Key Management Center 200 will sign and issue after credit card issuer certificate and the information such as IC card certificate be sent to hair fastener center data it is quasi- Standby system, and then be loaded onto financial IC card, while for example various applications of the certification private key of generation or consumption key directly being passed through Personalization system is loaded onto financial IC card.
It can be seen that in the present embodiment, since certificate is believed using its private key the public key of entity, identity by authentication center Breath and other relevant informations are signed, the data that can not be forged of formation, thus, the application is by generating and signing and issuing hair fastener Row certificate and IC card certificate guarantee that the related data of the financial IC card can not forge, improve the financial IC card using safe Property.
It wherein, is actually to be converted to a kind of asymmetric encryption of data to the signature of certificate, which can make data Recipient confirms that the source of data and integrality, the data for protecting the data sender side of sending and receiving to receive are not usurped by third party Change, the data for also protecting data sender to issue not distort by the side of being received, and further ensures the safety of the financial IC card data Property.
In this application, asymmetric encryption techniques are the encryption technologies using two kinds of correlating transforms, that is, disclose transformation (by public affairs Key definition) and privately owned transformation (being defined by private key), presence of both transformation make in the case where obtaining open convert, cannot By the way that the characteristic of privately owned transformation is calculated, the characteristic that can not be forged of certificate is improved.
In addition, on the basis of the above embodiments, authentication center 100 obtains issuing card public key information authentication authorization and accounting public key information Afterwards, in order to guarantee safety that financial IC card is traded using the accepting terminals such as such as POS machine, ATM machine, authentication center 100 can will The certification public key information, which is sent to, receives uniline Key Management Center, that is to say, that is sent to credit card issuer public key information and respectively accepts The key management system of the affiliated bank of terminal.
Therefore, in the present embodiment, the certification public key letter that uniline Key Management Center 300 receives authentication center's transmission is received After breath, it can be issued to corresponding each accepting terminal, to guarantee that the financial IC card of credit card issuer carries out in these accepting terminals When transaction, the safety of the financial IC card.
Optionally, as shown in Fig. 2, the credit card issuer Key Management Center 200 in the application may include: credit card issuer control dress 210 are set, and the multiple first keys management branch connecting with the credit card issuer control device 210 and the authentication center 100 220, each described first key management branch includes credit card issuer Key Management server 221, and with the credit card issuer The credit card issuer cipher machine 222 that Key Management server 221 connects, in which:
Credit card issuer control device 210 can be used for controlling the corresponding credit card issuer Key Management server 221 and generate hair Card row root certificate signature request, and it is sent to authentication center 100.
In the present embodiment, which is actually to manage and monitor the credit card issuer key management The console at center, staff can intervene and audit to the course of work of the credit card issuer Key Management Center using it Deng to guarantee the reliability of its course of work.
Credit card issuer Key Management server 221 is used to receive certification public key information and hair that the authentication center 100 sends Card row certificate, and pass through hair fastener center loaded to financial IC card.
In practical applications, Key Management Center (Key Management Center, KMC) is in Public Key Infrastructure An important component, be mainly responsible for key and generate and management, for certification authority provide the generation of key, preservation, backup, The cipher key services such as disaster recovery, to solve key pipe brought by extensive cryptographic applications in distributed-distribution system environment Reason problem.
Wherein, the key management that there is corresponding Key Management Center in each usual authentication center to be responsible in its region Task, the Key Management Center can be according to required public key scale flexible setting be applied, i.e. the Key Management Center can be with Specific installation can also directly be run on certification authority's server using inserted, and the application is not construed as limiting this.
Optionally, in the present embodiment, card-reading apparatus can be connect with the credit card issuer Key Management server 221, with Just the information such as obtained various keys or certificate are loaded into the card-reading apparatus and read by the credit card issuer Key Management server 221 IC card, in SD card or other cards, the application is not construed as limiting this.
Credit card issuer cipher machine 222 is for certification private key information needed for generating financial IC card, such as various application keys, consumption Key etc., the application are not construed as limiting this.
In practical applications, encryption equipment is to be identified by national commercial cipher authorities and ratify the country used independently The host of exploitation encrypts equipment, communicates between encryption equipment and host usually using ICP/IP protocol, mainly includes hardware encryption Component, key management menu, encryption equipment background process, encryption equipment monitoring programme and background monitoring process and encryption equipment foreground The modules such as API composition.
Wherein, hardware encryption unit is mainly used for realizing various cryptographic algorithms (such as public key algorithm and symmetry algorithm, but simultaneously It is not limited to this), safe preservation key, such as the root key of certification authority.Key management menu is for managing main frame encryption The key of machine manages the password card of key administrator and operator;And encryption equipment background process will receive the information of foreground API, To provide the security services such as encryption, digital signature for application system;Encryption equipment monitoring programme is responsible for controlling encryption equipment background process And monitoring hardware encryption unit, it alarms immediately if encryption unit error;Encryption equipment foreground API is mainly mentioned to application system The encryption development interface of confession, application system pass through the cryptographic services encryption equipment foreground API using encryption.Encryption equipment foreground at present The standard interface that API is supported can be with are as follows: PKCS#11, Bsafe, CDSA etc., the application are not construed as limiting this.
In addition, in practical applications, credit card issuer encryption equipment 222 usually can connect key printer, the application to this not It limits.
It should be noted that for the key of the authentication center in the various embodiments described above, such as above-mentioned certification public key information, It is usually all to be generated in system installation, and storage can be encrypted after generation because it is the vital strategic secrets of whole system Into the database or hardware host encryption server of storage server.And financial IC is taken for the key of user, such as user The login key etc. being arranged after card, is usually generated by the client of user, thus, after it is generated, it can add It is close to be stored in client native file or operating system security area.
In addition, about key informations such as various keys obtained above or certificates, when filing to it and backing up, this implementation Example can also be filed and be backed up by the way of encryption, such as be encrypted using hardware, can be by key administrator's identity IC card Backup and management;If can use the encryption that cryptographic algorithm carries out high intensity to these key informations using software cryptography and deposit Storage and backup, the application are not construed as limiting this.
Moreover, in order to further increase safety of the various key informations of above-mentioned generation in transmission process, Ke Yishe It sets the corresponding transmission protection corresponding key information of key pair to be encrypted, the application is not construed as limiting its cipher mode.
Optionally, similar with the composed structure of above-mentioned credit card issuer Key Management Center 200, the receipts uniline in above-described embodiment Code key administrative center 300 may include: receive uniline control device, and with the receipts uniline control device and the authentication center Multiple second key managements branch of connection, each second key management branch, which may each comprise, receives uniline key management Server, and the receipts uniline cipher machine being connect with the receipts uniline Key Management server, in which:
Receiving uniline Key Management server can be used for receiving the certification public key information that the authentication center 100 sends, and After the receipts uniline control device is verified the certification public key information, the certification public key information is issued to Each accepting terminal.
In conjunction with foregoing description it is found that the certification public key information that authentication center 100 sends can be used with the public key information of credit card issuer To guarantee that the safety of transaction of the financial IC card of credit card issuer distribution in the accepting terminal of other rows needs to illustrate certainly It is that the safety of transaction of the financial IC card in the accepting terminal does not only rely on the certification public key information to guarantee.
It receives the financial IC card that uniline encryption equipment is used to read card-reading apparatus and carries out key authentication.
In practical applications, when card-reading apparatus corresponding with the receipts uniline encryption equipment reads financial IC card, the receipts uniline Encryption equipment is mainly used for carrying out encryption and decryption to the financial IC card, to ensure the safety during the financial IC card transaction.
Based on above-mentioned analysis, the uniline code key administrative center of receiving in the application transmits the certification public key information of authentication center Into accepting terminal, and it ensure that the confirmability of the integrality of information and information source in the transmittance process.
Wherein, in the receipts uniline code key administrative center after receiving certification public key information, it usually needs providing it Corresponding accepting terminal is installed in time, as in various payment terminals, if the certification public key information is expired, it is still necessary to by its All above-mentioned accepting terminals managed by it are withdrawn from the stipulated time, the application is not construed as limiting the stipulated time, specifically may be used Determine according to actual needs.
In addition, key printer can also be connect by the application with above-mentioned receipts single machine encryption equipment, add to print the receipts uniline The various key informations etc. that close machine generates, to be used to these key informations are filed and be backed up etc..
In addition, in practical applications, as shown in figure 3, the financial IC card system of bank be typically provided with transaction system 400, Multiple subsystems such as hair fastener center 500 and code key management system, and key management system (the i.e. above-mentioned credit card issuer key management Receive uniline Key Management Center 300 in center 200/) it is connect with other subsystems and paying centre 600, it can be these systems The information transmitted in the course of work provides the transmission mechanism of reliable safety.
Moreover, the financial IC card system of bank would generally support one or more on-line transactions, pass through above-mentioned authentication center Safety certification is carried out to Transaction Information.Certainly, it is contemplated that the service efficiency and reusability of system, the code key management system can be with One financial IC card transaction authentication center integrated with the receipts uniline Key Management Center 300 is set, for institute The Transaction Information stated between financial IC card and the accepting terminal is authenticated, thus reduce the overlapping investment of system and save at This.
Optionally, on the basis of the various embodiments described above, which be can be also used for using pre- If key algorithm, multiple master control keys of credit card issuer itself are generated, and are issued to the hair fastener center, so that the hair fastener center Utilize manufacturer's key in master control key replacement finance IC master card.
In practical applications, cipher key management structure schematic diagram as shown in connection with fig. 4 should in financial IC card production process All manufacturer's code key can be arranged in its master card in financial IC card production firm 700, control transporting safely for the financial IC card master card, with It prevents from being replaced between financial IC card manufacturer and card sending mechanism.And issuing bank receives a collection of finance IC of the production firm After card master card, it will manufacturer's code key in the master card is substituted for by way of washing card the master control code key of credit card issuer oneself, At the same time it can also distribute Application Serial Number to each financial IC card according to default Unified number, at this point, credit card issuer code key management Center will utilize preset Secret key arithmetic, multiple master control code keys be generated, using its credit card issuer encryption equipment to each financial IC card Master card is encrypted, to substitute the code key of production firm.
In addition, to the hair fastener mode with financial IC card, be generally divided into real-time hair fastener mode and subsequent hair fastener mode, no matter which Kind mode obtains the personal information etc. opened in card application form that user fills in, and can all be added in card sending system host, and It is written into the financial IC card, realizes the individualized processing of the financial IC card, so that the user uses the financial IC card.
And for offline transaction and on-line transaction two major classes in the process of exchange of the financial IC card, can be divided into, wherein off line The transaction system that transaction does not need for Transaction Information to be sent to credit card issuer financial IC card carries out authorization identifying, can be directly by accepting Terminal and financial IC card cooperation are completed;And on-line transaction then needs for Transaction Information to be sent to credit card issuer financial IC card transaction system Carry out authorization identifying, it usually needs the transaction system, accepting terminal and financial IC card cooperation are realized, if inter-bank is traded, are also needed Switching centre and/or the Trade Agents cooperative system of receiving party, the application is wanted to be not construed as limiting this, it specifically can be according to practical feelings Condition determines.
It should be noted that in the process of exchange of financial IC card, for some management category informations, such as key exchange class letter When the transmitting such as breath, classification transaction can be carried out to it, and is guaranteed in every a kind of process of exchange using corresponding key code system Safety.
Wherein, as the Certification system of one of key code system, commonly used to guarantee the safety of financial IC card offline transaction, Upper layer certificate is usually used to sign and issue lower layer's certificate, i.e., using the private key of the corresponding cipher key pair of upper layer certificate in certificate The information such as public key carry out signature realization.Specifically, authentication center's certificate of switching centre is to credit card issuer certificate signature, i.e., in exchange Heart private key is to credit card issuer certificate signature, and in turn, the credit card issuer certificate is to user's IC card certificate signature, i.e. credit card issuer private key is to user IC card certificate signature can also sign to user's IC card static data.It should be noted that being handed over for static data authentication off line Easily, then it does not need using user's IC card certificate, only with authentication center's certificate of switching centre and credit card issuer certificate this two layers of certificates ?.
Moreover, either switching centre or credit card issuer can have multiple certificates, which uses the currently active Certificate issuance credit card issuer certificate, and credit card issuer use currently valid certificate issuance IC card certificate.It should be noted that the IC Block only one certificate, and its only one validity period, each above-mentioned certificate corresponds to unique public private key pair.
Optionally, in order to guarantee the safety of key information transmission process, in the above embodiments, credit card issuer code key pipe It, can be to these key informations or certificate before reason center 200 issues certification private key information, credit card issuer certificate and IC card certificate It is encrypted;Similarly, it can also be carried out before issuing certification public key information by receiving uniline code key administrative center 300 Encryption, to guarantee that it arrives the safety of each accepting terminal transmission process.
In this regard, preset master key can be separated into multiple transmission protections by setting safety equipment close for the present embodiment Key carries out corresponding encryption to multiple keys to be protected to realize, which can believe for certification public key mentioned above Breath and private key information, credit card issuer certificate and/or IC card certificate etc., the application is not construed as limiting this, and for it is different types of to Protect the cipher mode of key can be different, the application is not construed as limiting this, can such as be saved in the key information transmitted Off line transmission is carried out in file, the key that this can also be transmitted is stored in progress off line transmission in the IC card of transmission, when So, other modes can also be used, the application will not enumerate herein.
It should be noted that protecting code key can be by multiple at division by the transmission of transmission key for protecting about above-mentioned At, and these ingredients can be controlled by different people, to substantially increase the safety of transmission protection key.
In conclusion the function of financial IC card code key management system provided by the present application include key generate, key it is standby Part, key recovery, cipher key service, cipher key delivery, key imported into the overall process of the key lifetimes of cipher key destruction, Neng Gouzhi Holding a variety of different key algorithms, digest algorithm and asymmetric arithmetic can after determining the target cipher key scheme of current application By key, algorithm and its association attributes in template file flexible customization key management system and cipher key transmitting process, therefore Can very easily extension system to adapt to the demand of different intelligent card project.Wherein, the key that system is managed can be by right The key template description answered, the attributes such as key title, mark, type, length, protection code key of user and code key can root Needing to modify, increase and delete according to client.
In addition, the application can also use double-pipe type person to control, password and IC card two-factor authentication are carried out to administrator, That is will by the modes such as authentication medium, multiple-enciphered guarantee system user log in safety, by function, Design data licensing scheme allows user according to demand for security, designs function and data that each user can check, increases The safeties of data.Certainly, the application can also illegally be visited by the modes such as application system " white list ", anti-locking system It asks, the danger such as Replay Attack, increases the safety of system attitude.Further, it is also possible to by operator's management and log management, it is full Different business demand in pedal system implementation process;Moreover, the password of the application can generate or artificial synthesized at random, more Add flexible and practical.
Finally, it should be noted that about in the various embodiments described above, such as first, second or the like relational terms are only Only it is used to an operation, unit or module and another is operated, unit or module distinguish, and not necessarily requires or secretly Show that there are any actual relationship or orders between these units, operation or module.Moreover, term " includes ", " packet Containing " or any other variant thereof is intended to cover non-exclusive inclusion, so that including the process, method of a series of elements Or system not only includes those elements, but also including other elements that are not explicitly listed, or it is this for further including Process, method or the intrinsic element of system.In the absence of more restrictions, being limited by sentence "including a ..." Element, it is not excluded that include the element process, method or system in there is also other identical elements.
Each embodiment in this specification is described in a progressive manner, the highlights of each of the examples are with other The difference of embodiment, the same or similar parts in each embodiment may refer to each other.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, as defined herein General Principle can be realized in other embodiments without departing from the spirit or scope of the present invention.Therefore, of the invention It is not intended to be limited to the embodiments shown herein, and is to fit to and the principles and novel features disclosed herein phase one The widest scope of cause.

Claims (8)

1. a kind of financial IC card key management system, which is characterized in that the system comprises authentication centers, and recognize with described The credit card issuer Key Management Center and receipts uniline Key Management Center of card center connection, in which:
The credit card issuer root certificate signature that the authentication center is used to send based on the credit card issuer Key Management Center received Request, determines credit card issuer certificate, and the credit card issuer certificate is fed back to the credit card issuer Key Management Center, to sign and issue IC card Certificate, the credit card issuer certificate include certification public key information;
The credit card issuer Key Management Center is for generating certification private key information, and by the certification private key information, the certification Public key information, the credit card issuer certificate and the IC card certificate pass through hair fastener center loaded to financial IC card;
The uniline Key Management Center of receiving is used to receive the certification public key information that the authentication center sends, and by the certification Public key information is issued to each accepting terminal.
2. system according to claim 1, which is characterized in that the credit card issuer Key Management Center includes: credit card issuer control Device processed, and the multiple first keys management branch being connect with the credit card issuer control device and the authentication center, it is each A first key management branch includes credit card issuer Key Management server, and with the credit card issuer cipher key management services The credit card issuer cipher machine of device connection, in which:
The credit card issuer cipher machine is for certification private key information needed for generating financial IC card;
The credit card issuer control device generates credit card issuer root certificate for controlling the corresponding credit card issuer Key Management server Signature request, and it is sent to the authentication center;
The credit card issuer Key Management server is used to receive the certification public key information that the authentication center sends and credit card issuer card Book, and pass through hair fastener center loaded to financial IC card.
3. system according to claim 1, which is characterized in that the receipts uniline Key Management Center includes: to receive uniline control Device processed, and the multiple second key managements branch being connect with the receipts uniline control device and the authentication center, it is each A second key management branch include receive uniline Key Management server, and with the receipts uniline cipher key management services The receipts uniline cipher machine of device connection, in which:
The uniline Key Management server of receiving receives the certification public key information that the authentication center sends, and in the receipts uniline After control device is verified the certification public key information, the certification public key information is issued to each accepting terminal;
The financial IC card progress key authentication received uniline encryption equipment and be used to read card-reading apparatus.
4. system according to claim 1, which is characterized in that the system also includes: with the receipts uniline key management The financial IC card transaction authentication center that center integrates, for the friendship between the financial IC card and the accepting terminal Easy information is authenticated.
5. system according to claim 1, which is characterized in that the credit card issuer Key Management Center is also used to using default Key algorithm, generates multiple master control keys of credit card issuer itself, and is issued to the hair fastener center, so that the hair fastener center is sharp With manufacturer's key in master control key replacement finance IC master card.
6. system according to claim 1, which is characterized in that the credit card issuer Key Management Center is also used to issuing Before stating certification private key information, the credit card issuer certificate and the IC card certificate, to the certification private key information, the hair fastener Row certificate and the IC card certificate are encrypted.
7. system according to claim 1, which is characterized in that the receipts uniline Key Management Center is also used to will be described Certification public key information is issued to before each accepting terminal, is encrypted to the certification public key information.
8. system according to claim 6 or 7, which is characterized in that the system also includes:
Safety equipment protects key for preset master key to be separated into multiple transmission, to realize to multiple keys to be protected Corresponding encryption is carried out, the key to be protected includes the certification private key information, the certification public key information, credit card issuer card Book and/or the IC card certificate.
CN201511019247.9A 2015-12-29 2015-12-29 A kind of financial IC card key management system Active CN105634730B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511019247.9A CN105634730B (en) 2015-12-29 2015-12-29 A kind of financial IC card key management system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201511019247.9A CN105634730B (en) 2015-12-29 2015-12-29 A kind of financial IC card key management system

Publications (2)

Publication Number Publication Date
CN105634730A CN105634730A (en) 2016-06-01
CN105634730B true CN105634730B (en) 2019-03-12

Family

ID=56049286

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201511019247.9A Active CN105634730B (en) 2015-12-29 2015-12-29 A kind of financial IC card key management system

Country Status (1)

Country Link
CN (1) CN105634730B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3063365B1 (en) * 2017-02-27 2019-04-05 Jacques GASCUEL SEGMENTED KEY AUTHENTICATION SYSTEM
CN110119946B (en) * 2018-02-05 2022-12-13 库币科技有限公司 Pairing authentication method for electronic transaction device
CN108460597B (en) * 2018-03-23 2022-03-15 银联商务股份有限公司 Key management system and method
CN109218293B (en) * 2018-08-21 2021-09-21 西安得安信息技术有限公司 Use method of distributed password service platform key management
CN111585758A (en) * 2020-05-07 2020-08-25 成都农村商业银行股份有限公司 Key management platform and key management method
CN111818032B (en) * 2020-06-30 2021-09-07 腾讯科技(深圳)有限公司 Data processing method and device based on cloud platform and computer program
CN111565206B (en) * 2020-07-16 2020-10-16 飞天诚信科技股份有限公司 Method and terminal for safely transmitting secret key
CN114172649B (en) * 2022-02-11 2022-05-13 厚普智慧物联科技有限公司 Cloud key management method and system based on intelligent IC card security authentication

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20050079951A (en) * 2005-06-17 2005-08-11 주식회사 에프엔에스티 Authetification system using public certification with smart card that includes i.c chip
CN101673434A (en) * 2009-09-29 2010-03-17 上海捷惠达网络科技有限公司 Secret key management method of IC card terminal
CN102693455A (en) * 2012-05-04 2012-09-26 武汉天喻信息产业股份有限公司 Fully automatic system and method of data preparation based on financial IC card
CN103778713A (en) * 2012-10-24 2014-05-07 航天信息股份有限公司 Financial ic card system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20050079951A (en) * 2005-06-17 2005-08-11 주식회사 에프엔에스티 Authetification system using public certification with smart card that includes i.c chip
CN101673434A (en) * 2009-09-29 2010-03-17 上海捷惠达网络科技有限公司 Secret key management method of IC card terminal
CN102693455A (en) * 2012-05-04 2012-09-26 武汉天喻信息产业股份有限公司 Fully automatic system and method of data preparation based on financial IC card
CN103778713A (en) * 2012-10-24 2014-05-07 航天信息股份有限公司 Financial ic card system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
金融IC卡认证体系及其安全性分析;冯志兴等;《信息安全与通信保密》;20090310;引言及第1节

Also Published As

Publication number Publication date
CN105634730A (en) 2016-06-01

Similar Documents

Publication Publication Date Title
CN105634730B (en) A kind of financial IC card key management system
US6892300B2 (en) Secure communication system and method of operation for conducting electronic commerce using remote vault agents interacting with a vault controller
CN103714639B (en) A kind of method and system that realize the operation of POS terminal security
KR100493885B1 (en) Electronic Registration and Verification System of Smart Card Certificate For Users in A Different Domain in a Public Key Infrastructure and Method Thereof
CN102959559B (en) For the method producing certificate
US7549057B2 (en) Secure transactions with passive storage media
US20060123465A1 (en) Method and system of authentication on an open network
US20060136332A1 (en) System and method for electronic check verification over a network
US20020016913A1 (en) Modifying message data and generating random number digital signature within computer chip
US20040199469A1 (en) Biometric transaction system and method
CA2914956C (en) System and method for encryption
KR100411448B1 (en) public-key infrastructure based digital certificate methods of issuing and system thereof
JPH10274926A (en) Cipher data restoration method, key registration system and data restoration system
JP2003296685A (en) Smart card
WO2007121631A1 (en) System and method of electronic bank safety certification based on cpk
CN102118251A (en) Security authentication method for internet banking remote payment based on multi-interface intelligent safety card
CN107135081A (en) A kind of double certificate CA systems and its implementation
US20190005480A1 (en) Method of configuring or changing a configuration of a pos terminal and/or assignment of the pos terminal to an operator
US8898462B2 (en) Method and device for authenticating components within an automatic teller machine
JP3365599B2 (en) Electronic check system
KR20100006004A (en) Autentification processing method and system using card, card terminal for authentification processing using card
CN101577656A (en) Control display and network system substituting integrated circuit card
CN1319024C (en) Electronic information inquiring method
WO2001022373A1 (en) Method and system for performing a transaction between a client and a server over a network
KR102407432B1 (en) A custody and federated service apparatus for the digital identity

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant