CN105634730B - Financial IC card key management system - Google Patents
- Publication number: CN105634730B (application number CN201511019247.9A)
- Authority: CN (China)
- Prior art keywords: credit card, key, card issuer, key management, center
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
This application provides a financial IC card key management system. To guarantee the security of the financial IC card, the card issuer key management center initiates a card issuer root certificate signing request to the authentication center, so that the authentication center feeds a card issuer certificate back to the card issuer key management center, from which the card issuer key management center signs and issues IC card certificates. At the same time, the card issuer key management center can also generate the certification private keys the financial IC card needs, such as the various consumption keys, and load the key information so obtained, such as the certification private key, the IC card certificate and the card issuer certificate, onto the financial IC card through the card issuing center, thereby guaranteeing the security of the financial IC card. Meanwhile, the authentication center can also send the certification public key it obtains to the acquiring bank key management center, so that the acquiring bank key management center loads it into the various accepting terminals, thereby guaranteeing the security of the financial IC card when it transacts at those accepting terminals.
Description
Technical field
The present application relates generally to the field of security management, and more particularly to a financial IC card key management system.
Background technique
With the continuous expansion of bank card business, the requirements for bank card risk control keep rising. The traditional magnetic stripe card no longer satisfies these requirements: card data is stolen and counterfeit-card incidents occur from time to time, causing great losses to cardholders and card-issuing institutions.
To solve this problem, following the release of the international EMV chip card standard, China is gradually replacing the traditional magnetic stripe card with the financial IC card. A financial IC card is a bank card that uses a chip as its medium. It has a large storage capacity and can also store information such as keys, digital certificates and fingerprints, which gives it strong resistance to attack and makes it difficult to copy or forge, so that the cardholder's interests are protected.
Since the security of a financial IC card rests on the security of its associated keys, how to guarantee the security of those keys becomes the key to guaranteeing the security of the financial IC card itself.
Summary of the invention
In view of this, the present invention provides a financial IC card key management system that guarantees the security of the financial IC card both during card issuance and during transactions carried out with it.
To achieve the above goal, the present application provides the following technical schemes:
A financial IC card key management system, the system comprising an authentication center, and a card issuer key management center and an acquiring bank key management center each connected to the authentication center, wherein:
the authentication center is used to determine a card issuer certificate based on the card issuer root certificate signing request received from the card issuer key management center, and to feed the card issuer certificate back to the card issuer key management center for signing and issuing IC card certificates, the card issuer certificate including certification public key information;
the card issuer key management center is used to generate certification private key information, and to load the certification private key information, the certification public key information, the card issuer certificate and the IC card certificate onto the financial IC card through a card issuing center;
the acquiring bank key management center is used to receive the certification public key information sent by the authentication center, and to issue the certification public key information to each accepting terminal.
Preferably, the card issuer key management center comprises a card issuer control device, and multiple first key management branches connected to the card issuer control device and to the authentication center, each first key management branch comprising a card issuer key management server and a card issuer cipher machine connected to that card issuer key management server, wherein:
the card issuer cipher machine is used to generate the certification private key information the financial IC card needs;
the card issuer control device is used to control the corresponding card issuer key management server to generate the card issuer root certificate signing request and send it to the authentication center;
the card issuer key management server is used to receive the certification public key information and the card issuer certificate sent by the authentication center, and to load them onto the financial IC card through the card issuing center.
Preferably, the acquiring bank key management center comprises an acquiring bank control device, and multiple second key management branches connected to the acquiring bank control device and to the authentication center, each second key management branch comprising an acquiring bank key management server and an acquiring bank cipher machine connected to that acquiring bank key management server, wherein:
the acquiring bank key management server receives the certification public key information sent by the authentication center and, after the acquiring bank control device has verified the certification public key information, issues the certification public key information to each accepting terminal;
the acquiring bank cipher machine is used to perform key authentication on the financial IC card read by a card-reading apparatus.
Preferably, the system further comprises a financial IC card transaction authentication center integrated with the acquiring bank key management center, for authenticating the transaction information exchanged between the financial IC card and the accepting terminal.
Preferably, the card issuer key management center is also used to generate, with a preset key algorithm, multiple master control keys of the card issuer itself and to issue them to the card issuing center, so that the card issuing center replaces the manufacturer's key in the financial IC master card with the master control key.
Preferably, the card issuer key management center is also used to encrypt the certification private key information, the card issuer certificate and the IC card certificate before issuing them.
Preferably, the acquiring bank key management center is also used to encrypt the certification public key information before issuing it to each accepting terminal.
Preferably, the system further comprises:
a security device, used to separate a preset master key into multiple transport protection keys, so as to encrypt each of multiple keys to be protected with its corresponding transport protection key, the keys to be protected including the certification private key information, the certification public key information, the card issuer certificate and/or the IC card certificate.
It can be seen that compared with prior art, this application provides a kind of financial IC card key management systems, in order to guarantee
The safety of the financial IC card, credit card issuer Key Management Center will initiate credit card issuer root certificate signature request to authentication center, thus
Make the authentication center that credit card issuer certificate be fed back to the credit card issuer Key Management Center accordingly, so that in the credit card issuer key management
The heart signs and issues IC card certificate accordingly, meanwhile, which can also generate the certification private for meeting financial IC card needs
Key, such as various consumption keys, and these key informations that will be obtained such as authenticate private key, IC card certificate and credit card issuer certificate
Etc. by hair fastener center loaded to financial IC card, to guarantee the safety of the financial IC card;Meanwhile the authentication center can also incite somebody to action
To certification public key be sent to receive uniline Key Management Center, so as to the receipts uniline Key Management Center be loaded into it is various by
Terminal is managed, to guarantee that financial IC card carries out the safety in process of exchange in the accepting terminal.
Detailed description of the invention
To explain more clearly the embodiments of the invention or the technical solutions of the prior art, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description show only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural schematic diagram of an embodiment of a financial IC card key management system provided by the present application;
Fig. 2 is a structural schematic diagram of an embodiment of a card issuer key management center provided by the present application;
Fig. 3 is a structural schematic diagram of a financial IC card system provided by the present application;
Fig. 4 is a structural schematic diagram of another embodiment of a financial IC card key management system provided by the present application.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
The present application provides a financial IC card key management system. To guarantee the security of the financial IC card, the card issuer key management center initiates a card issuer root certificate signing request to the authentication center, so that the authentication center feeds the card issuer certificate and the certification public key back to the card issuer key management center, from which the card issuer key management center determines the IC card certificate. At the same time, the card issuer key management center can also generate the certification private keys the financial IC card needs, such as the various consumption keys, and load the key information so obtained, such as the certification public key, the certification private key, the IC card certificate and the card issuer certificate, onto the financial IC card through the card issuing center, thereby guaranteeing the security of the financial IC card. Meanwhile, the certification public key obtained by the authentication center can also be sent to the acquiring bank key management center, so that the acquiring bank key management center loads it into the various accepting terminals, thereby guaranteeing the security of the financial IC card when it transacts at those accepting terminals.
To make the above objects, features and advantages of the invention clearer and easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 shows a structural schematic diagram of an embodiment of the financial IC card key management system provided by the present application. The system may comprise an authentication center 100, and a card issuer key management center 200 and an acquiring bank key management center 300 connected to the authentication center 100, wherein:
authentication center 100 is used to determine the card issuer certificate based on the card issuer root certificate signing request received from the card issuer key management center 200, and to feed the card issuer certificate back to the card issuer key management center 200.
In the present embodiment, the authentication center may specifically be the China Financial Certification Authority (CFCA), a national-level authoritative security certification authority established with the approval of the People's Bank of China and the national information security administration department, and one of the country's important financial information security infrastructures; but it is not limited to this.
A CA (Certification Authority) is the institution that issues, manages and revokes digital certificates. It is mainly used to check the legitimacy of the certificate holder's identity and to issue certificates, to prevent certificates from being forged or tampered with, and to manage certificates and keys.
In practical application, any user who wants a certificate of its own must first apply to the CA. After the CA has verified the applicant's identity, it assigns the applicant a public key, binds that public key to the applicant's identity information, signs the result to form a certificate, and feeds the certificate back to the applicant. On this basis, in the present embodiment, when the card issuer needs a certificate of its own, it generates a corresponding card issuer certificate signing request and sends it to the authentication center to obtain the corresponding card issuer certificate.
Optionally, the card issuer certificate may include information about the authentication center, information about the card issuer and its signature, a validity period, a public key and so on; the present application does not limit this.
In addition, in this application, on the card issuer side, the card issuer key management center may include a card issuer authentication center, which calls the cipher machine of the card issuer key management center to generate the card issuer's public and private keys, generates the card issuer certificate signing request, and sends it to the authentication center, i.e. the CFCA mentioned above, so that the card issuer certificate can be determined.
The card issuer certificate signing request sent by the card issuer authentication center may carry the card issuer public key information generated above, but it is not limited to this.
In addition, after the card issuer authentication center receives the card issuer certificate fed back by the CFCA, it signs and issues the IC card certificate using the card issuer certificate, and sends these keys and the signed certificates to the card issuing system of the financial IC card. For example, the card issuer key management center 200 sends the signed card issuer certificate, the IC card certificate and similar information to the data preparation system of the card issuing center, which then loads them onto the financial IC card, while the generated certification private keys, such as the various application or consumption keys, are loaded onto the financial IC card directly through the personalization system.
It can be seen that in the present embodiment, because a certificate is formed by the authentication center signing the entity's public key, identity information and other related information with its private key, the data so formed cannot be forged. Thus, by generating and signing the card issuer certificate and the IC card certificate, the present application guarantees that the related data of the financial IC card cannot be forged, improving the security of the financial IC card in use.
The signature on a certificate is in fact an asymmetric cryptographic transformation of the data. It lets the recipient of the data confirm the source and integrity of the data, protects the data the recipient receives from being tampered with by a third party, and also protects the data the sender issues from being tampered with by the recipient, further guaranteeing the security of the financial IC card data.
In this application, asymmetric encryption technology is an encryption technology that uses two related transformations: a public transformation (defined by the public key) and a private transformation (defined by the private key). The existence of these two transformations means that, given the public transformation, the characteristics of the private transformation cannot be computed from it, which improves the unforgeability of the certificate.
In addition, on the basis of the above embodiment, after authentication center 100 obtains the card issuer public key information, i.e. the certification public key information, then in order to guarantee the security of the transactions the financial IC card makes at accepting terminals such as POS machines and ATMs, authentication center 100 may send the certification public key information to the acquiring bank key management center, that is, send the card issuer public key information to the key management system of the bank to which each accepting terminal belongs.
Therefore, in the present embodiment, after acquiring bank key management center 300 receives the certification public key information sent by the authentication center, it can issue it to each corresponding accepting terminal, to guarantee the security of the card issuer's financial IC card when it transacts at those accepting terminals.
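As an added illustration (not code from the patent), the following Go program walks through the certificate flow described above: the authentication center issues the card issuer certificate from the issuer's signing request, the card issuer key management center signs the IC card certificate, and an accepting terminal holding only the certification public key distributed by the acquiring bank (here carried in the card issuer certificate) checks the card certificate and a card signature over transaction data. It assumes ECDSA P-256 and X.509 encoding, which the patent does not specify, and generates keys in software where the patent uses each party's cipher machine; all names and the transaction record are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain collects what each party holds after the issuance flow.
type Chain struct {
	CARoot     *x509.Certificate // authentication center root (self-signed)
	IssuerCert *x509.Certificate // card issuer certificate, signed by the CA
	CardCert   *x509.Certificate // IC card certificate, signed by the issuer
	CardKey    *ecdsa.PrivateKey // certification private key loaded onto the card
}

// must aborts on any issuance-time error; in a real KMC these are fatal, audited events.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTemplate builds a minimal template; CA-capable ones get the cert-sign usage
// that CheckSignatureFrom insists on when a certificate acts as a signing parent.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: isCA,
	}
}

// sign has the holder of signerKey (certified by parent) issue a certificate for pub.
func sign(tpl, parent *x509.Certificate, pub any, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, pub, signerKey))
	return must(x509.ParseCertificate(der))
}

// BuildChain runs the flow: CA root -> issuer CSR -> card issuer cert -> IC card cert.
// Keys are generated in software here; in the patent each party's cipher machine does it.
func BuildChain() *Chain {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	issuerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cardKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// 1. Authentication center: self-signed root (all names are constructed).
	caTpl := newTemplate("Authentication Center (constructed)", 1, true)
	caCert := sign(caTpl, caTpl, &caKey.PublicKey, caKey)

	// 2. Card issuer KMC sends a CSR carrying its public key; the CA checks proof of possession.
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Card Issuer (constructed)"}}, issuerKey))
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	// 3. The CA binds the issuer's identity and public key into the card issuer certificate.
	issuerCert := sign(newTemplate(csr.Subject.CommonName, 2, true), caCert, csr.PublicKey, caKey)
	// 4. The issuer KMC signs the IC card certificate over the card's certification public key.
	cardCert := sign(newTemplate("IC Card (constructed)", 3, false), issuerCert, &cardKey.PublicKey, issuerKey)
	return &Chain{CARoot: caCert, IssuerCert: issuerCert, CardCert: cardCert, CardKey: cardKey}
}

// CardSign is what the card does with its certification private key during a transaction.
func CardSign(cardKey *ecdsa.PrivateKey, txData []byte) []byte {
	digest := sha256.Sum256(txData)
	return must(ecdsa.SignASN1(rand.Reader, cardKey, digest[:]))
}

// TerminalVerify is the accepting terminal's check, trusting only the certification public
// key pushed out by the acquiring bank KMC (carried in issuerCert): the IC card certificate
// must chain to it, then the transaction signature must verify under the card's public key.
func TerminalVerify(issuerCert, cardCert *x509.Certificate, txData, sig []byte) error {
	if err := cardCert.CheckSignatureFrom(issuerCert); err != nil {
		return fmt.Errorf("IC card certificate rejected: %w", err)
	}
	if err := cardCert.CheckSignature(x509.ECDSAWithSHA256, txData, sig); err != nil {
		return fmt.Errorf("transaction signature rejected: %w", err)
	}
	return nil
}

func main() {
	ch := BuildChain()
	tx := []byte("constructed transaction record")
	sig := CardSign(ch.CardKey, tx)
	fmt.Println("genuine card:", TerminalVerify(ch.IssuerCert, ch.CardCert, tx, sig))
}
```

A terminal that is handed the wrong certification public key, or presented with altered transaction data, gets a non-nil error from TerminalVerify and should decline the card.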
Optionally, as shown in Fig. 2, the card issuer key management center 200 in the present application may comprise a card issuer control device 210, and multiple first key management branches 220 connected to the card issuer control device 210 and to the authentication center 100, each first key management branch comprising a card issuer key management server 221 and a card issuer cipher machine 222 connected to the card issuer key management server 221, wherein:
card issuer control device 210 may be used to control the corresponding card issuer key management server 221 to generate the card issuer root certificate signing request and send it to authentication center 100.
In the present embodiment, the card issuer control device is in fact the console that manages and monitors the card issuer key management center; using it, staff can intervene in and audit the working process of the card issuer key management center, so as to guarantee the reliability of that process.
Card issuer key management server 221 is used to receive the certification public key information and the card issuer certificate sent by authentication center 100, and to load them onto the financial IC card through the card issuing center.
In practical application, a Key Management Center (KMC) is an important component of a public key infrastructure. It is mainly responsible for key generation and management, providing the certification authority with key services such as key generation, storage, backup and disaster recovery, so as to solve the key management problems that large-scale cryptographic applications bring in a distributed environment.
Usually each authentication center has a corresponding key management center responsible for the key management tasks in its region. The key management center can be deployed flexibly according to the required public key scale: it can be a separate device, or it can run embedded directly on the certification authority's server; the present application does not limit this.
Optionally, in the present embodiment, a card-reading apparatus may be connected to the card issuer key management server 221, so that the card issuer key management server 221 can load the various keys or certificates obtained into the IC card, SD card or other card read by the card-reading apparatus; the present application does not limit this.
Card issuer cipher machine 222 is used to generate the certification private key information the financial IC card needs, such as the various application keys and consumption keys; the present application does not limit this.
In practical application, a cipher machine is a host encryption device, developed independently within the country, that has been certified and approved for use by the national commercial cryptography authority. The cipher machine and the host usually communicate over TCP/IP. It mainly consists of modules such as a hardware encryption component, a key management menu, a cipher machine background process, a cipher machine monitoring program with its background monitoring process, and a cipher machine foreground API.
The hardware encryption component is mainly used to implement the various cryptographic algorithms (such as public key algorithms and symmetric algorithms, but not limited to these) and to store keys securely, such as the root key of the certification authority. The key management menu is used to manage the keys of the host cipher machine and the password cards of the key administrators and operators. The cipher machine background process receives requests from the foreground API in order to provide security services such as encryption and digital signature to the application system. The cipher machine monitoring program is responsible for controlling the background process and monitoring the hardware encryption component, and raises an alarm immediately if the encryption component fails. The cipher machine foreground API is mainly the cryptographic development interface provided to the application system; the application system uses the cipher machine's cryptographic services through the foreground API. The standard interfaces that cipher machine foreground APIs currently support include PKCS#11, BSAFE and CDSA; the present application does not limit this.
In addition, in practical application, card issuer cipher machine 222 can usually be connected to a key printer; the present application does not limit this.
It should be noted that the keys of the authentication center in the embodiments above, such as the certification public key information, are the core secrets of the whole system, so they are usually generated at system installation and, after generation, can be stored encrypted in the database of the storage server or in the hardware host encryption server. User keys, such as the login key a user sets after obtaining the financial IC card, are usually generated by the user's client, so after generation they can be stored encrypted in a local file on the client or in the operating system's secure area.
In addition, when the key information obtained above (keys, certificates and the like) is archived and backed up, this embodiment can archive and back it up in encrypted form: with hardware encryption, where the backup can be managed using the key administrator's identity IC card, or with software encryption, where a cryptographic algorithm encrypts the key information at high strength before storage and backup. The application does not limit this.
Moreover, to further improve the security of the generated key information during transmission, corresponding transmission protection keys can be set up to encrypt the corresponding key information; the application does not limit the encryption mode.
Optionally, similar in structure to the card issuer Key Management Center 200 described above, the acquirer Key Management Center 300 in the embodiments above may include an acquirer control device and multiple second key management branches connected to the acquirer control device and the authentication center. Each second key management branch may include an acquirer Key Management server and an acquirer encryption machine connected to it, where:
the acquirer Key Management server receives the certification public key information sent by the authentication center 100 and, after the acquirer control device has verified the certification public key information, issues it to each accepting terminal.
As the foregoing description shows, the certification public key information sent by the authentication center 100, together with the public key information of the card issuer, can be used to guarantee the transaction security of financial IC cards issued by that card issuer at the accepting terminals of other banks. Of course, the transaction security of a financial IC card at an accepting terminal does not rely on the certification public key information alone.
The acquirer encryption machine is used to perform key authentication of the financial IC card read by the card-reading device.
In practice, when a card-reading device corresponding to the acquirer encryption machine reads a financial IC card, the acquirer encryption machine is mainly used to perform encryption and decryption for the financial IC card, so as to ensure security during the financial IC card transaction.
Based on the analysis above, the acquirer key management center in the application transmits the certification public key information of the authentication center to the accepting terminals while ensuring the integrity of the information and the verifiability of its source during transmission.
After the acquirer key management center receives the certification public key information, it usually needs to install it promptly in the corresponding accepting terminals it provides, such as the various payment terminals; if the certification public key information expires, it must also be withdrawn from all the accepting terminals it manages within a prescribed time. The application does not limit this prescribed time, which can be determined according to actual needs.
In addition, the application can also connect a key printer to the acquirer encryption machine to print the various key information it generates, so that this key information can be archived and backed up.
In practice, as shown in Figure 3, a bank's financial IC card system is typically provided with multiple subsystems such as a transaction system 400, a card issuing center 500 and a key management system, and the key management system (i.e. the card issuer Key Management Center 200 or the acquirer Key Management Center 300 described above) is connected to the other subsystems and to the payment center 600, providing a reliable and secure transmission mechanism for the information exchanged while these systems operate.
Moreover, a bank's financial IC card system generally supports one or more online transactions, with the transaction information authenticated through the authentication center above. Of course, considering the efficiency and reusability of the system, the key management system can also be provided with a financial IC card transaction authentication center integrated with the acquirer Key Management Center 300, which authenticates the transaction information between the financial IC card and the accepting terminal, thereby reducing duplicate investment in the system and saving cost.
Optionally, on the basis of the embodiments above, the card issuer Key Management Center 200 can also be used to generate multiple master control keys of the card issuer itself using a preset key algorithm and issue them to the card issuing center, so that the card issuing center replaces the manufacturer's key in the financial IC master card with a master control key.
In practice, with reference to the key management structure shown in Figure 4: during financial IC card production, the financial IC card manufacturer 700 sets the manufacturer's keys in its master cards to control the secure transport of the financial IC card master cards and to prevent substitution between the financial IC card manufacturer and the card issuing institution. After the issuing bank receives a batch of financial IC master cards from the manufacturer, it replaces the manufacturer's key in each master card with the card issuer's own master control key by "washing" the card, and can at the same time assign an application serial number to each financial IC card according to a preset unified numbering scheme. At this point the card issuer key management center generates the multiple master control keys using the preset key algorithm and uses its card issuer encryption machine to encrypt each financial IC master card, replacing the manufacturer's key.
In addition, card issuance for financial IC cards is generally divided into a real-time issuance mode and a deferred issuance mode. In either mode, the personal information and other data the user fills in on the card application form are obtained, added to the card issuing system host and written into the financial IC card, personalizing the financial IC card so that the user can use it.
The transactions of a financial IC card can be divided into two major classes, offline and online. An offline transaction does not need to send the transaction information to the card issuer's financial IC card transaction system for authorization and authentication; it can be completed directly by the accepting terminal and the financial IC card together. An online transaction must send the transaction information to the card issuer's financial IC card transaction system for authorization and authentication, which usually requires the cooperation of the transaction system, the accepting terminal and the financial IC card; for an inter-bank transaction, the switching center and/or the acquirer's transaction agent system are also needed. The application does not limit this, and it can be determined according to the actual situation.
It should be noted that during financial IC card transactions, when certain management-class information such as key exchange information is transmitted, the transactions can be classified, and the security of each class of transaction is guaranteed using the corresponding key system.
Among the key systems, the certification system is commonly used to guarantee the security of offline financial IC card transactions. An upper-layer certificate is used to issue a lower-layer certificate, i.e. the private key of the key pair corresponding to the upper-layer certificate signs the public key and other information contained in the lower-layer certificate. Specifically, the authentication center certificate of the switching center signs the card issuer certificate (that is, the switching center private key signs the card issuer certificate); in turn, the card issuer certificate signs the user IC card certificate (that is, the card issuer private key signs the user IC card certificate), and the card issuer private key can also sign the user IC card's static data. It should be noted that for offline transactions using static data authentication, the user IC card certificate is not needed; the two layers of the switching center's authentication center certificate and the card issuer certificate suffice.
Moreover, both the switching center and the card issuer can hold multiple certificates: the switching center issues card issuer certificates with its currently valid certificate, and the card issuer issues IC card certificates with its currently valid certificate. It should be noted that an IC card has only one certificate, with a single validity period, and each of the certificates above corresponds to a unique public/private key pair.
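The two-layer (static data authentication) and three-layer signing relationships just described, worked as an added example that is not part of the patent: the switching center's authentication center acts as the CA, textbook RSA with SHA-256 stands in for the unspecified signature algorithm, and all names, dates and key sizes are constructed.

```python
import hashlib
import json
import random

_rng = random.Random(20151229)  # fixed seed: reproducible demo only, never for real keys

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for a demonstration key generator."""
    if n < 4:
        return n > 1
    if n % 2 == 0 or any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19)):
        return n in (3, 5, 7, 11, 13, 17, 19)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and odd
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=512):
    """Textbook RSA: returns (public (n, e), private (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def _tbs(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()  # canonical to-be-signed bytes

def issue_cert(signer_private, subject, subject_public, valid_until):
    """The upper layer's private key signs the lower layer's public key and attributes."""
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1],
            "valid_until": valid_until}
    return {"body": body, "sig": sign(signer_private, _tbs(body))}

def verify_chain(ca_public, chain, today):
    """Terminal-side check: only the CA public key is trusted a priori; every certificate
    must be within validity and signed by the layer above. Returns the public key at the
    end of the chain, or None on any failure."""
    signer = ca_public
    for cert in chain:
        body = cert["body"]
        if today > body["valid_until"] or not verify(signer, _tbs(body), cert["sig"]):
            return None
        signer = (body["n"], body["e"])
    return signer

def demo(today="2016-06-01"):
    """Builds the CA -> issuer -> IC card chain and exercises the two-layer (static data
    authentication) and three-layer checks; all names and dates are constructed."""
    ca_pub, ca_priv = generate_keypair()
    iss_pub, iss_priv = generate_keypair()
    icc_pub, icc_priv = generate_keypair()
    issuer_cert = issue_cert(ca_priv, "issuer-bank", iss_pub, "2020-12-31")
    icc_cert = issue_cert(iss_priv, "card-0001", icc_pub, "2018-12-31")
    static_data = b"constructed static card data"  # signed by the issuer, not the card
    sda_sig = sign(iss_priv, static_data)
    out = {}
    iss_key = verify_chain(ca_pub, [issuer_cert], today)  # SDA needs only two layers
    out["sda"] = iss_key is not None and verify(iss_key, static_data, sda_sig)
    out["icc"] = verify_chain(ca_pub, [issuer_cert, icc_cert], today) == icc_pub
    out["expired"] = verify_chain(ca_pub, [issuer_cert, icc_cert], "2019-01-01") is None
    bad_cert = issue_cert(icc_priv, "card-0001", icc_pub, "2018-12-31")  # not issuer-signed
    out["unchained"] = verify_chain(ca_pub, [issuer_cert, bad_cert], today) is None
    return out
```

A terminal that stores only the CA public key can thus validate a card certificate it has never seen, while an expired certificate or one not signed by the issuer's chain is rejected.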
Optionally, to guarantee the security of the key information transmission process, in the embodiments above the card issuer key management center 200 can encrypt the certification private key information, the card issuer certificate and the IC card certificate before issuing them; likewise, the acquirer key management center 300 can encrypt the certification public key information before issuing it, to secure its transmission to each accepting terminal.
For this purpose, the present embodiment can provide a security device that separates a preset master key into multiple transmission protection keys, so as to encrypt the multiple keys to be protected accordingly. The keys to be protected may be the certification public key information and private key information, the card issuer certificate and/or the IC card certificate mentioned above; the application does not limit this. The encryption mode may differ for different types of key to be protected, which the application also does not limit: for example, the key information to be transmitted may be saved in a file and transmitted offline, or stored in a transport IC card and transmitted offline. Other modes may of course also be used, and the application does not enumerate them here.
It should be noted that the transmission protection key used to protect key transmission can be composed of multiple components, and these components can be controlled by different people, which greatly improves the security of the transmission protection key.
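The separation of one master key into per-type transmission protection keys and the handling of such a key as components held by different custodians, as one added example covering the two preceding paragraphs. It is not the patent's code: the HMAC-SHA256 derivation, the check value construction, the master key value and the custodian names are all assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes; length of every transport protection key and component here

def derive_transport_keys(master_key: bytes, key_types):
    """Separate one preset master key into one transport protection key per type of
    key to be protected, so exposure of one type's key does not expose the others.
    HMAC-SHA256 with a per-type label is an assumed derivation, not the patent's."""
    return {t: hmac.new(master_key, b"transport-protection/" + t.encode("utf-8"),
                        hashlib.sha256).digest() for t in key_types}

def check_value(component: bytes) -> str:
    """Short check value a custodian reads back to confirm a component was entered
    correctly without revealing it (assumed SHA-256 based construction)."""
    return hashlib.sha256(b"kcv:" + component).hexdigest()[:6]

def split_into_components(key: bytes, custodians):
    """XOR split of a transport protection key: each custodian holds one component
    and every component is required to rebuild the key."""
    if len(custodians) < 2:
        raise ValueError("need at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in custodians[:-1]]
    last = key
    for p in parts:  # last component = key XOR all random components
        last = bytes(a ^ b for a, b in zip(last, p))
    parts.append(last)
    return {c: {"component": p, "kcv": check_value(p)} for c, p in zip(custodians, parts)}

def verify_components(holdings):
    """Return the custodians whose component fails its check value."""
    return [c for c, h in holdings.items() if check_value(h["component"]) != h["kcv"]]

def combine_components(holdings):
    """Rebuild the key at the key-loading ceremony; a bad component is rejected first."""
    bad = verify_components(holdings)
    if bad:
        raise ValueError("check value mismatch for: " + ", ".join(bad))
    key = bytes(KEY_LEN)
    for h in holdings.values():
        key = bytes(a ^ b for a, b in zip(key, h["component"]))
    return key

def demo():
    """Derive protection keys for the key types the text names, split one of them among
    three custodians, and show that all three are needed. The master key is constructed."""
    master = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    types = ["auth-public", "auth-private", "issuer-cert", "icc-cert"]
    tks = derive_transport_keys(master, types)
    holdings = split_into_components(tks["auth-private"],
                                     ["custodian-A", "custodian-B", "custodian-C"])
    missing_one = {c: h for c, h in holdings.items() if c != "custodian-C"}
    return {
        "distinct": len(set(tks.values())) == len(tks),
        "rebuilt": combine_components(holdings) == tks["auth-private"],
        "partial": combine_components(missing_one) != tks["auth-private"],
        "no_single_component_is_key": all(h["component"] != tks["auth-private"]
                                          for h in holdings.values()),
    }
```

Any two custodians together learn nothing about the key, which is the property the text relies on when it places the components under different people's control.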
In conclusion the function of financial IC card code key management system provided by the present application include key generate, key it is standby
Part, key recovery, cipher key service, cipher key delivery, key imported into the overall process of the key lifetimes of cipher key destruction, Neng Gouzhi
Holding a variety of different key algorithms, digest algorithm and asymmetric arithmetic can after determining the target cipher key scheme of current application
By key, algorithm and its association attributes in template file flexible customization key management system and cipher key transmitting process, therefore
Can very easily extension system to adapt to the demand of different intelligent card project.Wherein, the key that system is managed can be by right
The key template description answered, the attributes such as key title, mark, type, length, protection code key of user and code key can root
Needing to modify, increase and delete according to client.
In addition, the application can also use dual-custodian control, performing two-factor authentication of administrators with a password and an IC card; that is, the login security of system users is guaranteed by means such as authentication media and multiple encryption. An authorization scheme for functions and data allows users, according to their security requirements, to define which functions and data each user can view, increasing data security. Of course, the application can also use means such as application system "whitelists" to prevent illegal access to the system, replay attacks and similar dangers, increasing the overall security of the system. Further, operator management and log management can satisfy different business needs during system implementation; moreover, the passwords in the application can be generated randomly or composed manually, which is more flexible and practical.
Finally, it should be noted that in the embodiments above, relational terms such as "first" and "second" are used only to distinguish one operation, unit or module from another, and do not necessarily require or imply any actual relationship or order between these units, operations or modules. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method or system. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method or system that includes that element.
The embodiments in this specification are described progressively; each embodiment highlights its differences from the others, and the same or similar parts of the embodiments may be referred to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the invention. Therefore, the invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (8)
1. A financial IC card key management system, characterized in that the system comprises an authentication center, and a card issuer Key Management Center and an acquirer Key Management Center connected to the authentication center, wherein:
the authentication center is used to determine a card issuer certificate based on a received card issuer root certificate signing request sent by the card issuer Key Management Center, and to feed the card issuer certificate back to the card issuer Key Management Center for issuing IC card certificates, the card issuer certificate including certification public key information;
the card issuer Key Management Center is used to generate certification private key information, and to load the certification private key information, the certification public key information, the card issuer certificate and the IC card certificate into financial IC cards through a card issuing center;
the acquirer Key Management Center is used to receive the certification public key information sent by the authentication center and to issue the certification public key information to each accepting terminal.
2. The system according to claim 1, characterized in that the card issuer Key Management Center comprises a card issuer control device and multiple first key management branches connected to the card issuer control device and the authentication center, each first key management branch comprising a card issuer Key Management server and a card issuer encryption machine connected to the card issuer Key Management server, wherein:
the card issuer encryption machine is used to generate the certification private key information needed by the financial IC card;
the card issuer control device is used to control the corresponding card issuer Key Management server to generate the card issuer root certificate signing request and send it to the authentication center;
the card issuer Key Management server is used to receive the certification public key information and the card issuer certificate sent by the authentication center and to load them into financial IC cards through the card issuing center.
3. The system according to claim 1, characterized in that the acquirer Key Management Center comprises an acquirer control device and multiple second key management branches connected to the acquirer control device and the authentication center, each second key management branch comprising an acquirer Key Management server and an acquirer encryption machine connected to the acquirer Key Management server, wherein:
the acquirer Key Management server receives the certification public key information sent by the authentication center and, after the acquirer control device has verified the certification public key information, issues the certification public key information to each accepting terminal;
the acquirer encryption machine is used to perform key authentication of the financial IC card read by the card-reading device.
4. The system according to claim 1, characterized in that the system further comprises a financial IC card transaction authentication center integrated with the acquirer Key Management Center, for authenticating the transaction information between the financial IC card and the accepting terminal.
5. The system according to claim 1, characterized in that the card issuer Key Management Center is further used to generate multiple master control keys of the card issuer itself using a preset key algorithm and to issue them to the card issuing center, so that the card issuing center replaces the manufacturer's key in the financial IC master card with the master control key.
6. The system according to claim 1, characterized in that the card issuer Key Management Center is further used to encrypt the certification private key information, the card issuer certificate and the IC card certificate before issuing them.
7. The system according to claim 1, characterized in that the acquirer Key Management Center is further used to encrypt the certification public key information before issuing it to each accepting terminal.
8. The system according to claim 6 or 7, characterized in that the system further comprises:
a security device for separating a preset master key into multiple transmission protection keys, so as to encrypt multiple keys to be protected accordingly, the keys to be protected including the certification private key information, the certification public key information, the card issuer certificate and/or the IC card certificate.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511019247.9A CN105634730B (en) | 2015-12-29 | 2015-12-29 | A kind of financial IC card key management system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105634730A CN105634730A (en) | 2016-06-01 |
CN105634730B true CN105634730B (en) | 2019-03-12 |
Family
ID=56049286
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201511019247.9A Active CN105634730B (en) | 2015-12-29 | 2015-12-29 | A kind of financial IC card key management system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105634730B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR3063365B1 (en) * | 2017-02-27 | 2019-04-05 | Jacques GASCUEL | SEGMENTED KEY AUTHENTICATION SYSTEM |
CN110119946B (en) * | 2018-02-05 | 2022-12-13 | 库币科技有限公司 | Pairing authentication method for electronic transaction device |
CN108460597B (en) * | 2018-03-23 | 2022-03-15 | 银联商务股份有限公司 | Key management system and method |
CN109218293B (en) * | 2018-08-21 | 2021-09-21 | 西安得安信息技术有限公司 | Use method of distributed password service platform key management |
CN111585758A (en) * | 2020-05-07 | 2020-08-25 | 成都农村商业银行股份有限公司 | Key management platform and key management method |
CN111818032B (en) * | 2020-06-30 | 2021-09-07 | 腾讯科技(深圳)有限公司 | Data processing method and device based on cloud platform and computer program |
CN111565206B (en) * | 2020-07-16 | 2020-10-16 | 飞天诚信科技股份有限公司 | Method and terminal for safely transmitting secret key |
CN114172649B (en) * | 2022-02-11 | 2022-05-13 | 厚普智慧物联科技有限公司 | Cloud key management method and system based on intelligent IC card security authentication |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20050079951A (en) * | 2005-06-17 | 2005-08-11 | 주식회사 에프엔에스티 | Authetification system using public certification with smart card that includes i.c chip |
CN101673434A (en) * | 2009-09-29 | 2010-03-17 | 上海捷惠达网络科技有限公司 | Secret key management method of IC card terminal |
CN102693455A (en) * | 2012-05-04 | 2012-09-26 | 武汉天喻信息产业股份有限公司 | Fully automatic system and method of data preparation based on financial IC card |
CN103778713A (en) * | 2012-10-24 | 2014-05-07 | 航天信息股份有限公司 | Financial ic card system |
Non-Patent Citations (1)
Title |
---|
Financial IC card certification system and its security analysis; Feng Zhixing et al.; Information Security and Communications Privacy; 2009-03-10; Introduction and Section 1 |
Also Published As
Publication number | Publication date |
---|---|
CN105634730A (en) | 2016-06-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||