CN106027482B

CN106027482B - A kind of identity card card reading response method and device

Info

Publication number: CN106027482B
Application number: CN201610243204.7A
Authority: CN
Inventors: 李明
Original assignee: 李明
Current assignee: Tendyron Corp
Priority date: 2016-04-18
Filing date: 2016-04-18
Publication date: 2019-11-15
Anticipated expiration: 2036-04-18
Also published as: CN106027482A

Abstract

The present invention provides a kind of identity card card reading response method and device, which comprises identity card card reading responding device receives the identity card identification information that identity card card-reading terminal is sent；The first data packet obtained to the first certification factor safe handling of generation is sent to identity card card-reading terminal；The second data packet that identity card card-reading terminal is sent is verified, the first authentication data being verified is authenticated, the certification factor application request generated after certification is passed through is sent to identity card card-reading terminal；The 4th data packet that identity card card-reading terminal is sent is verified, the second certification factor being verified is handled, the 5th data packet that the second authentication data safe handling obtained to processing obtains is sent to identity card card-reading terminal；The 6th data packet that identity card card-reading terminal is sent is verified, decryption verification passes through obtained identity card data ciphertext, and the 7th data packet that the identity card data clear text safe handling obtained to decryption obtains is sent to identity card card-reading terminal.

Description

A kind of identity card card reading response method and device

Technical field

The present invention relates to a kind of electronic technology field more particularly to a kind of identity card card reading response methods and device.

Background technique

Existing ID card information is read in response scheme, and identity card card-reading terminal is needed with the use of can be to from identity card The ciphertext data of reading realize the identity card card reading responding device of decryption, the reading and display of Lai Shixian ID card information.For example, Bank, station etc. need the industry read using ID card information, it usually needs whole in a large amount of identity card card reading of local layout End and identity card card reading responding device, also need to be arranged corresponding between identity card card-reading terminal and identity card card reading responding device Corresponding relationship, scheme realize more complex, higher cost；Also, existing identity card card reading responding device will not be to the body of communication Part card related data carries out the processing such as additional encryption, signature, therefore causes the safety of communication not high.

Summary of the invention

The present invention is directed to one of at least solve the above problems.

The main purpose of the present invention is to provide a kind of identity card card reading response methods；

Another object of the present invention is to provide a kind of identity card card reading responding devices.

In order to achieve the above objectives, technical solution of the present invention is specifically achieved in that

One aspect of the present invention provides a kind of identity card card reading response method, comprising: identity card card reading responding device receives The card reading request data package that identity card card-reading terminal is sent, and safety verification is carried out to the card reading request data package, it tests safely After card passes through, identity card identification information is obtained；The first certification factor is generated, safe handling is carried out to the first certification factor, The first data packet is obtained, and first data packet is sent to the identity card card-reading terminal；Receive the identity card card reading The second data packet that terminal is sent, and safety verification is carried out to second data packet, after safety verification passes through, obtains first and recognize Demonstrate,prove data；First authentication data is authenticated, after certification passes through, generates certification factor application request；To the certification Factor application request carries out safe handling, obtains third data packet, and the third data packet is sent to the identity card and is read Card terminal；The 4th data packet that the identity card card-reading terminal is sent is received, and safety verification is carried out to the 4th data packet, After safety verification passes through, the second certification factor is obtained；The second certification factor is handled, the second authentication data is obtained； Safe handling is carried out to second authentication data, obtains the 5th data packet, and the 5th data packet is sent to the body Part card card-reading terminal；The 6th data packet that the identity card card-reading terminal is sent is received, and the 6th data packet is pacified Full verifying, after safety verification passes through, obtains identity card data ciphertext；The identity card data ciphertext is decrypted, body is obtained Part card data clear text；Safe handling is carried out to the identity card data clear text, obtains the 7th data packet, and by the 7th data Packet is sent to the identity card card-reading terminal.

In addition, the card reading request data package includes the label of card reading request data ciphertext and the card reading request data ciphertext Name value；Safety verification is carried out to the card reading request data package, after safety verification passes through, obtains identity card identification information, comprising: Signature verification, In are carried out to the signature value of the card reading request data ciphertext using the First Certificate of the identity card card-reading terminal In the case where being verified, the card reading request data ciphertext is decrypted using session key, obtains the identity card mark Know information；And/or first data packet includes the first encryption data and the first signed data；To it is described first certification the factor into Row safe handling, comprising: the first certification factor is encrypted using session key, obtains first encryption data, And signed using the private key of the identity card card reading responding device to first encryption data, obtain first signature Data；And/or second data packet includes the signature value of the first ciphertext and first ciphertext；To second data packet into Row safety verification after safety verification passes through, obtains the first authentication data, comprising: uses the first of the identity card card-reading terminal Certificate carries out signature verification to the signature value of first ciphertext, in the case where being verified, using session key to described First ciphertext is decrypted, and obtains first authentication data；And/or the third data packet includes the second encryption data and the Two signed datas；The certification factor application is requested to carry out safe handling, comprising: using session key to the certification factor Application request is encrypted, and obtains second encryption data, and using the private key of the identity card card reading responding device to institute It states the second encryption data to sign, obtains second signed data；And/or the 4th data packet include the second ciphertext and The signature value of second ciphertext；Safety verification is carried out to the 4th data packet, after safety verification passes through, obtains the second certification The factor, comprising: signature verification is carried out to the signature value of second ciphertext using the First Certificate of the identity card card-reading terminal, In the case where being verified, second ciphertext is decrypted using session key, obtains the second certification factor； And/or the 5th data packet includes third encryption data and third signed data；Safety is carried out to second authentication data Processing, comprising: second authentication data is encrypted using session key, obtains the third encryption data, and use The private key of the identity card card reading responding device signs to the third encryption data, obtains the third signed data； And/or the 6th data packet includes the signature value of third ciphertext and the third ciphertext；6th data packet is pacified Full verifying, after safety verification passes through, obtains identity card data ciphertext, comprising: uses the first card of the identity card card-reading terminal Book carries out signature verification to the signature value of the third ciphertext, in the case where being verified, using session key to described the Three ciphertexts are decrypted, and obtain the identity card data ciphertext；And/or the 7th data packet includes the 4th encryption data and the Four signed datas；Safe handling is carried out to the identity card data clear text, comprising: using session key to the identity card data It is encrypted in plain text, obtains the 4th encryption data, and using the private key of the identity card card reading responding device to described the Four encryption datas are signed, and the 4th signed data is obtained.

In addition, before carrying out safety verification to the card reading request data package, further includes: the identity card card reading response Device receives the session key request data package that the identity card card-reading terminal is sent, wherein the session key request data Packet includes the First Certificate of the first random factor, the signature value of first random factor and the identity card card-reading terminal；It is right The legitimacy of the First Certificate is verified, after being verified, using the First Certificate to first random factor Signature value carry out signature verification, in the case where signature verification passes through, generate the second random factor；To described first it is random because Sub and described second random factor is encrypted, and obtains the 5th encryption data, and use the identity card card reading responding device Private key signs to the 5th encryption data, obtains the 5th signed data；8th data packet is sent to the identity card Card-reading terminal, wherein the 8th data packet includes the 5th encryption data, the 5th signed data and the identity card The certificate of card reading responding device；Wherein, after generating the second random factor, further includes: according to first random factor and Second random factor generates session key.

In addition, before receiving the card reading request data package that identity card card-reading terminal is sent, further includes: the identity card is read Card responding device receives the card seeking request data package that the identity card card-reading terminal is sent, wherein the card seeking request data package First including card seeking request data ciphertext, the signature value of the card seeking request data ciphertext and the identity card card-reading terminal Certificate and the second certificate；The legitimacy of the First Certificate is verified, after being verified, uses the First Certificate pair The signature value of the card seeking request data ciphertext carries out signature verification and uses recognizing for acquisition in the case where signature verification passes through The card seeking request data ciphertext is decrypted in card decruption key, obtains card seeking request data；To the card seeking request data It is responded, generates card seeking request response data；The card seeking request response data is encrypted using session key, is obtained 6th encryption data encrypts the session key using second certificate, obtains session key ciphertext, and use institute The private key for stating identity card card reading responding device signs to the 6th encryption data and the session key ciphertext, obtains Six signed datas；Card seeking request response data packet is sent to the identity card card-reading terminal, wherein the card seeking request response Data packet includes the 6th encryption data and the 6th signed data.

In addition, after safety verification passes through, obtaining identity card mark carrying out safety verification to the card reading request data package After information, further includes: the identity card identification information is sent to dispatch server.

In addition, the card seeking request data includes timestamp and/or terminal counter；It is close being decrypted using the certification obtained The card seeking request data ciphertext is decrypted in key, after obtaining card seeking request data, further includes: by the timestamp and/ Or terminal counter is sent to dispatch server.

Another aspect of the present invention provides a kind of identity card card reading responding device, comprising: receiving module, for receiving identity Demonstrate,prove the card reading request data package that card-reading terminal is sent；Secure verification module, for carrying out safety to the card reading request data package Verifying, after safety verification passes through, obtains identity card identification information；First generation module, for generating the first certification factor；Safety Processing module obtains the first data packet for carrying out safe handling to the first certification factor；Sending module is used for institute It states the first data packet and is sent to the identity card card-reading terminal；It is whole to be also used to receive the identity card card reading for the receiving module Hold the second data packet sent；The secure verification module is also used to carry out safety verification to second data packet, test safely After card passes through, the first authentication data is obtained；Second generation module, for authenticating to first authentication data, certification is logical Later, certification factor application request is generated；The secure processing module is also used to request to pacify to the certification factor application Full processing, obtains third data packet；The sending module is also used to the third data packet being sent to the identity card card reading Terminal；The receiving module is also used to receive the 4th data packet that the identity card card-reading terminal is sent；The safety verification mould Block is also used to carry out safety verification to the 4th data packet, after safety verification passes through, obtains the second certification factor；Authentication department Module is managed, for handling the second certification factor, obtains the second authentication data；The secure processing module, is also used In carrying out safe handling to second authentication data, the 5th data packet is obtained；The sending module is also used to the described 5th Data packet is sent to the identity card card-reading terminal；The receiving module is also used to receive the identity card card-reading terminal and sends The 6th data packet；The secure verification module is also used to carry out safety verification to the 6th data packet, and safety verification passes through Afterwards, identity card data ciphertext is obtained；Deciphering module obtains identity card number for the identity card data ciphertext to be decrypted According in plain text；The secure processing module is also used to carry out safe handling to the identity card data clear text, obtains the 7th data Packet；The sending module is also used to the 7th data packet being sent to the identity card card-reading terminal.

In addition, the card reading request data package includes the label of card reading request data ciphertext and the card reading request data ciphertext Name value；The secure verification module, carries out safety verification to the card reading request data package in the following manner, and safety verification is logical Later, identity card identification information is obtained: close to the card reading request data using the First Certificate of the identity card card-reading terminal The signature value of text carries out signature verification, in the case where being verified, using session key to the card reading request data ciphertext It is decrypted, obtains the identity card identification information；And/or first data packet includes the first encryption data and the first signature Data；The secure processing module carries out safe handling to the first certification factor in the following manner, obtains the first data Packet: the first certification factor is encrypted using session key, obtains first encryption data, and use the identity The private key of card card reading responding device signs to first encryption data, obtains first signed data；And/or it is described Second data packet includes the signature value of the first ciphertext and first ciphertext；The secure verification module is right in the following manner Second data packet carries out safety verification, after safety verification passes through, obtains the first authentication data: using the identity card card reading The First Certificate of terminal carries out signature verification to the signature value of first ciphertext and uses session in the case where being verified First ciphertext described in key pair is decrypted, and obtains first authentication data；And/or the third data packet adds including second Ciphertext data and the second signed data；The secure processing module requests to carry out to the certification factor application in the following manner Safe handling obtains third data packet: being encrypted using session key to certification factor application request, obtains described the Two encryption datas, and signed using the private key of the identity card card reading responding device to second encryption data, it obtains Second signed data；And/or the 4th data packet includes the signature value of the second ciphertext and second ciphertext；The peace Full authentication module carries out safety verification to the 4th data packet in the following manner, after safety verification passes through, obtains second and recognize It demonstrate,proves the factor: signature verification, In being carried out to the signature value of second ciphertext using the First Certificate of the identity card card-reading terminal In the case where being verified, second ciphertext is decrypted using session key, obtains the second certification factor；With/ Or the 5th data packet includes third encryption data and third signed data；The secure processing module, in the following manner Safe handling is carried out to second authentication data, obtains the 5th data packet: using session key to second authentication data It is encrypted, obtains the third encryption data, and add to the third using the private key of the identity card card reading responding device Ciphertext data is signed, and the third signed data is obtained；And/or the 6th data packet includes third ciphertext and the third The signature value of ciphertext；The secure verification module carries out safety verification to the 6th data packet in the following manner, tests safely After card passes through, identity card data ciphertext is obtained: using the First Certificate of the identity card card-reading terminal to the third ciphertext Signature value is carried out signature verification and is decrypted, is obtained to the third ciphertext using session key in the case where being verified The identity card data ciphertext；And/or the 7th data packet includes the 4th encryption data and the 4th signed data；The safety Processing module carries out safe handling to the identity card data clear text in the following manner, obtains the 7th data packet: using session Identity card data clear text described in key pair is encrypted, and obtains the 4th encryption data, and ring using the identity card card reading It answers the private key of device to sign the 4th encryption data, obtains the 4th signed data.

Furthermore, further includes: the receiving module is also used in the secure verification module to the card reading request data package Before carrying out safety verification, the session key request data package that the identity card card-reading terminal is sent is received, wherein the session Key request data packet includes the signature value and the identity card card-reading terminal of the first random factor, first random factor First Certificate；The secure verification module is also used to verify the legitimacy of the First Certificate, and is being verified Afterwards, signature verification is carried out using signature value of the First Certificate to first random factor；4th generation module is used for In the case that signature verification passes through, the second random factor is generated；The secure processing module, be also used to described first it is random because Sub and described second random factor is encrypted, and obtains the 5th encryption data, and use the identity card card reading responding device Private key signs to the 5th encryption data, obtains the 5th signed data；The sending module is also used to the 8th data Packet is sent to the identity card card-reading terminal, wherein the 8th data packet includes the 5th encryption data, the 5th label The certificate of name data and the identity card card reading responding device；5th generation module, for being generated in the 4th generation module After second random factor, session key is generated according to first random factor and second random factor.

Furthermore, further includes: the receiving module is also used in the card reading request data for receiving the transmission of identity card card-reading terminal Before packet, the card seeking request data package that the identity card card-reading terminal is sent is received, wherein the card seeking request data package includes The First Certificate of card seeking request data ciphertext, the signature value of the card seeking request data ciphertext and the identity card card-reading terminal With the second certificate；The secure verification module is also used to verify the legitimacy of the First Certificate, be verified Afterwards, signature verification is carried out using signature value of the First Certificate to the card seeking request data ciphertext, passed through in signature verification In the case where, the card seeking request data ciphertext is decrypted using the certification decruption key of acquisition, obtains card seeking number of request According to；Third generation module generates card seeking request response data for responding to the card seeking request data；The safety Processing module is also used for session key and encrypts to the card seeking request response data, obtains the 6th encryption data, and The session key is encrypted using second certificate, obtains session key ciphertext；It is rung using the identity card card reading It answers the private key of device to sign the 6th encryption data and the session key ciphertext, obtains the 6th signed data；Institute Sending module is stated, is also used to for card seeking request response data packet to be sent to the identity card card-reading terminal, wherein the card seeking is asked Seeking response data packet includes the 6th encryption data and the 6th signed data.

In addition, the sending module, is also used to pacify the card reading request data package in the secure verification module The identity card identification information after safety verification passes through, after obtaining identity card identification information, is sent to scheduling clothes by full verifying Business device.

In addition, the card seeking request data includes timestamp and/or terminal counter；The sending module, is also used to The secure verification module is decrypted the card seeking request data ciphertext using the certification decruption key of acquisition, obtains card seeking After request data, the timestamp and/or terminal counter are sent to dispatch server.

As seen from the above technical solution provided by the invention, the present invention provides a kind of identity card card reading response methods And device.In identity card card-reading terminal and it is not provided with the identity that the ciphertext data read from identity card can be realized with decryption Card reading responding device is demonstrate,proved, but identity card card reading responding device is set in cloud authentication platform, identity card card-reading terminal can pass through Cloud authentication platform is linked into realize the reading to identity card, greatly reduces the cost of implementation of user, especially in bank, vehicle It stands, insure etc. and needing to be implemented the industry of ID card information read operation, only need to dispose the identity card card-reading terminal of respective numbers i.e. Can, without largely disposing identity card card reading responding device again, without a large amount of setting identity card card reading responding devices and identity The corresponding relationship between card-reading terminal is demonstrate,proved, implementation is simplified；Meanwhile it being read using identity card card reading responding device and identity card The safety communicated between identity card and identity card card reading responding device can be improved in the exit passageway established between card terminal, Guarantee the transmission safety of identity card data.Also, identity card and identity card card reading responding device pass through the first certification factor and the The interaction of the two certification factors completes two-way authentication, and identity card data ciphertext is decrypted to obtain in identity card card reading responding device To identity card data clear text, and it is sent to identity card card-reading terminal, to complete the reading of identity card data.

Detailed description of the invention

In order to illustrate the technical solution of the embodiments of the present invention more clearly, required use in being described below to embodiment Attached drawing be briefly described, it should be apparent that, drawings in the following description are only some embodiments of the invention, for this For the those of ordinary skill in field, without creative efforts, it can also be obtained according to these attached drawings other Attached drawing.

Fig. 1 is the flow diagram for the identity card card reading response method that the embodiment of the present invention 1 provides；

The process of session key request response is shown in the identity card card reading response method that Fig. 2 provides for the embodiment of the present invention 1 It is intended to；

The process of identity card card seeking request response in the identity card card reading response method that Fig. 3 provides for the embodiment of the present invention 1 Schematic diagram；

Fig. 4 is the structural schematic diagram for the identity card card reading responding device that the embodiment of the present invention 2 provides.

Specific embodiment

With reference to the attached drawing in the embodiment of the present invention, technical solution in the embodiment of the present invention carries out clear, complete Ground description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.Based on this The embodiment of invention, every other implementation obtained by those of ordinary skill in the art without making creative efforts Example, belongs to protection scope of the present invention.

In the description of the present invention, it is to be understood that, term " center ", " longitudinal direction ", " transverse direction ", "upper", "lower", The orientation or positional relationship of the instructions such as "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outside" is It is based on the orientation or positional relationship shown in the drawings, is merely for convenience of description of the present invention and simplification of the description, rather than instruction or dark Show that signified device or element must have a particular orientation, be constructed and operated in a specific orientation, therefore should not be understood as pair Limitation of the invention.In addition, term " first ", " second " are used for description purposes only, it is not understood to indicate or imply opposite Importance or quantity or position.

In the description of the present invention, it should be noted that unless otherwise clearly defined and limited, term " installation ", " phase Even ", " connection " shall be understood in a broad sense, for example, it may be being fixedly connected, may be a detachable connection, or be integrally connected；It can To be mechanical connection, it is also possible to be electrically connected；It can be directly connected, can also can be indirectly connected through an intermediary Connection inside two elements.For the ordinary skill in the art, above-mentioned term can be understood at this with concrete condition Concrete meaning in invention.

The embodiment of the present invention is described in further detail below in conjunction with attached drawing.

Embodiment 1

Fig. 1 is a kind of flow diagram of identity card card reading response method provided in this embodiment, as shown in Figure 1, this reality The identity card card reading response method for applying example offer mainly includes the following steps that (S101-S111).

Step S101: identity card card reading responding device receives the card reading request data package that identity card card-reading terminal is sent, and Safety verification is carried out to card reading request data package, after safety verification passes through, obtains identity card identification information；

In the present embodiment, identity card identification information is the unique information of identity card, such as sequence number, the use of identity card The application data of the relevant information of application being arranged in instruction identity card, transport protocol are (for example, transport protocol type, bit Digit rate, maximum frame size) etc., identity card card-reading terminal can not need identity card reading with the Direct Recognition identity card identification information Card responding device is decrypted.

As a kind of optional embodiment of the present embodiment, card reading request data package includes card reading request data ciphertext and reading The signature value of card request data ciphertext；Wherein, card reading request data ciphertext is that identity card card-reading terminal utilizes session key to packet What the card reading request data of the identification information containing identity card was encrypted, the signature value of card reading request data ciphertext is identity card Card-reading terminal signs to card reading request data ciphertext using the first private key of itself；Specifically, identity card card reading Terminal calculates card reading request data ciphertext using HASH algorithm and obtains the abstract of card reading request data ciphertext, and is read using identity card First private key of card terminal encrypts the abstract of card reading request data ciphertext, obtains the signature of card reading request data ciphertext Value.Identity card card reading responding device carries out safety verification to card reading request data package, after safety verification passes through, obtains identity card mark Know information, comprising: identity card card reading responding device is using the First Certificate of identity card card-reading terminal to card reading request data ciphertext Signature value carry out signature verification；Specifically, First Certificate of the identity card card reading responding device first with identity card card-reading terminal In the first public key the signature value of card reading request data ciphertext is decrypted, obtain the abstract of card reading request data ciphertext, benefit The abstract that card reading request data ciphertext is calculated is carried out to the card reading request data ciphertext received with HASH algorithm, will be decrypted The abstract of obtained card reading request data ciphertext is compared with the abstract for the card reading request data ciphertext being calculated, if phase Together, then sign test passes through, and otherwise terminates identity card card reading responding process；In the case where being verified, using session key to reading Card request data ciphertext is decrypted, and obtains identity card identification information.Wherein, First Certificate includes at least identity card card-reading terminal The first public key, the first public key of identity card card-reading terminal and the first private key of identity card card-reading terminal are a pair of asymmetric close Key.If identity card card reading responding device can be to card reading request data ciphertext using the first public key of identity card card-reading terminal Signature value is decrypted, then illustrates that the signature value of received card reading request data ciphertext is issued by identity card card-reading terminal, Its data source is legal；If identity card card reading responding device cannot be to reading using the first public key of identity card card-reading terminal The signature value of card request data ciphertext is decrypted, then illustrates that the signature value of received card reading request data ciphertext is not by identity Demonstrate,prove card-reading terminal issue, data source be it is illegal, therefore, sign to the signature value of card reading request data ciphertext The legitimacy of data source can be confirmed in verifying.If card reading request data ciphertext is distorted in transmission process by illegal person, Then identity card card reading responding device can carry out HASH to the card reading request data ciphertext after distorting and be calculated during sign test Abstract, the abstract and identity card card reading responding device are using the first public key of identity card card-reading terminal to card reading request data ciphertext The abstract that is decrypted of signature value must be different, cause sign test that can not pass through, therefore, by close to card reading request data The signature value of text, which carries out sign test, may determine that whether card reading request data ciphertext is tampered, and guarantee that received card reading request data is close The integrality of text.If identity card card reading responding device cannot be right using the session key that itself just has with identity card card-reading terminal The card reading request data ciphertext received is decrypted, then illustrates that the card reading request data ciphertext is not identity card card-reading terminal It issues, therefore, card reading request data ciphertext is decrypted the legitimacy that data source can be confirmed；If third party intercepts To card reading request data ciphertext, since third party can not obtain identity card card reading responding device and identity card card-reading terminal just has Session key, therefore card reading request data ciphertext cannot be decrypted, card reading request data can not be obtained, therefore, to card reading Request data ciphertext, which is decrypted, can prevent card reading request data from illegally being stolen, being read in network transmission, guarantee card reading The transmission security of request data.Carrying out sign test by the signature value to card reading request data ciphertext may determine that the reading received Whether card request data ciphertext is distorted by illegal person；It can read card reading by card reading request data ciphertext is decrypted and ask Seek data.It should be noted that the sign test process in the present embodiment can be found in the embodiment, the mistake of sign test is referred to below Journey no longer will be repeated specifically.

As a kind of optional embodiment of the present embodiment, safety verification is being carried out to card reading request data package, is being tested safely After card passes through, after obtaining identity card identification information, further includes: identity card card reading responding device sends identity card identification information To dispatch server.Dispatch server is similarly disposed on cloud authentication platform.In this way, dispatch server can be according to identity card mark The identification information and preset strategy for knowing information, identity card card-reading terminal, judge whether identity card card-reading terminal Blacklist or control list is added in identification information.

Step S102: identity card card reading responding device generates the first certification factor, carries out safe place to the first certification factor Reason, obtains the first data packet, and the first data packet is sent to identity card card-reading terminal；

In the present embodiment, before the identity card data ciphertext that identity card card reading responding device receives that identity card is sent, identity Card should realize two-way authentication with identity card card reading responding device, which is that identity card and identity card card reading to be ensured is rung It is legal for answering device all.The first certification factor that identity card card reading responding device can use itself generation is realized to identity card Certification, wherein first certification the factor can be one or a string of random numbers, or can be one or a string of random characters, Or any combination of a string of random numbers and random character.

As a kind of optional embodiment of the present embodiment, the first data packet includes the first encryption data and the first number of signature According to；Identity card card reading responding device carries out safe handling to the first certification factor, comprising: identity card card reading responding device uses meeting Words key pair first authenticates the factor and is encrypted, and obtains the first encryption data, and use the private key of identity card card reading responding device It signs to the first encryption data, obtains the first signed data；Specifically, identity card card reading responding device utilizes HASH algorithm It calculates the first encryption data and obtains the abstract of the first encryption data, and added using the private key of identity card card reading responding device to first The abstract of ciphertext data is encrypted, and the first signed data is obtained.Identity card card reading responding device will comprising the first encryption data and First data packet of the first signed data is sent to identity card card-reading terminal.Identity card card reading responding device utilizes session key pair The first certification factor is encrypted to obtain the first encryption data, even if third party intercepts the first encryption data, can not also obtain the The one certification factor cannot be decrypted the first encryption data using the session key because of the not no session key of third party, The first certification factor is obtained, only equally the identity card card-reading terminal with the session key could decrypt the first encryption data, Therefore, the first certification factor can be effectively prevented illegally to be stolen, read in network transmission, guarantee the first certification factor transmission Safety.After first signed data is sent to identity card card-reading terminal by identity card card reading responding device, identity card card reading is whole End can execute sign test operation, if identity card card-reading terminal can be signed using the public key of identity card card reading responding device to first Data are decrypted, then illustrate that received first signed data is issued by identity card card reading responding device, data source It is legal；If identity card card-reading terminal cannot carry out the first signed data using the public key of identity card card reading responding device Decryption, then illustrate that received first signed data is issued by identity card card reading responding device, data source is not conform to Method, therefore, the legitimacy of identity card card-reading terminal confirmation data source can be made by signing to the first encryption data.If First encryption data is distorted in transmission process by illegal person, then identity card card-reading terminal, can be to distorting during sign test The first encryption data afterwards carries out HASH and abstract is calculated, and the abstract and identity card card-reading terminal are responded using identity card card reading The abstract that the first signed data is decrypted in the public key of device must be different, cause sign test that can not pass through, therefore, pass through Signing to the first encryption data can prevent the first encryption data to be tampered, and guarantee that identity card card-reading terminal receives first and adds The integrality of ciphertext data.In this optional embodiment, the certificate of identity card card reading responding device need to be sent to identity card card reading Terminal, the certificate include at least the public key of identity card card reading responding device, the private key of the public key and identity card card reading responding device It is a pair of of unsymmetrical key, identity card card-reading terminal can use the public key and carry out signature verification to the first signed data, when testing After card passes through, recycle session key that the first encryption data is decrypted, obtain the first certification factor, and by the first certification because Son is sent to identity card.It should be noted that the signature process in the present embodiment can be found in the embodiment, it is referred to below The process of signature no longer will be repeated specifically.

Step S103: identity card card reading responding device receives the second data packet that identity card card-reading terminal is sent, and to the Two data packets carry out safety verification, after safety verification passes through, obtain the first authentication data；

In the present embodiment, after identity card receives the first certification factor of identity card card-reading terminal transmission, in advance The Processing Algorithm for the Ministry of Public Security's authorization set handles the first certification factor, obtains the first authentication data, and first is authenticated Data are sent to identity card card-reading terminal.Identity card card-reading terminal carries out safe handling to the first authentication data, obtains the second number Identity card card reading responding device is sent to according to packet, and by the second data packet.Wherein, identity card handles the first certification factor Can use but be not limited to following manner: mode one: identity card carries out MAC meter to the first certification factor using using security key Calculation obtains MAC value, and MAC value is exactly the first authentication data；Mode two: identity card carries out the first certification factor using security key Encryption, obtains the first authentication data, which is preset configuration in legal identity card, only legal identity card Just there is the security key.

As a kind of optional embodiment of the present embodiment, the second data packet includes the signature of the first ciphertext and the first ciphertext Value；Wherein, the first ciphertext is encrypted using session key to the first authentication data by identity card card-reading terminal, the The signature value of one ciphertext is signed using the first private key of itself to the first ciphertext by identity card card-reading terminal.Body Part card card reading responding device carries out safety verification to the second data packet, after safety verification passes through, obtains the first authentication data, wraps Include: identity card card reading responding device carries out signature to the signature value of the first ciphertext using the First Certificate of identity card card-reading terminal and tests Card, in the case where being verified, is decrypted the first ciphertext using session key, obtains the first authentication data；Otherwise it ties Beam identity card card reading responding process.If identity card card reading responding device can be right using the first public key of identity card card-reading terminal The signature value of first ciphertext is decrypted, then illustrates that the signature value of received first ciphertext is issued by identity card card-reading terminal , data source is legal；If identity card card reading responding device cannot using the first public key of identity card card-reading terminal The signature value of first ciphertext is decrypted, then illustrates that the signature value of received first ciphertext is sent out by identity card card-reading terminal Out, data source is illegal, and therefore, carrying out signature verification to the signature value of the first ciphertext can be confirmed data source Legitimacy.If the first ciphertext is distorted in transmission process by illegal person, identity card card reading responding device is in sign test mistake Cheng Zhong can carry out HASH to the first ciphertext after distorting and abstract is calculated, and the abstract and identity card card reading responding device utilize The abstract that the signature value of the first ciphertext is decrypted in first public key of identity card card-reading terminal must be different, lead to sign test It can not pass through, therefore, carrying out sign test by the signature value to the first ciphertext may determine that whether the first ciphertext is tampered, and guarantee to connect The integrality for the first ciphertext received.If the session that identity card card reading responding device just has using itself with identity card card-reading terminal The first ciphertext received cannot be decrypted in key, illustrate that first ciphertext is not what identity card card-reading terminal issued, Therefore, the legitimacy that data source can be confirmed the first ciphertext is decrypted；If third party is truncated to the first ciphertext, due to The session key that third party can not obtain identity card card reading responding device and identity card card-reading terminal just has, therefore cannot be to first Ciphertext is decrypted, and can not obtain the first authentication data, and therefore, the first ciphertext, which is decrypted, can prevent the first authentication data It illegally stolen, read in network transmission, guarantee the transmission security of the first authentication data.

Step S104: identity card card reading responding device authenticates the first authentication data, after certification passes through, generates certification Factor application request；

In the present embodiment, the identifying algorithm that identity card card reading responding device is authorized using the Ministry of Public Security of preset configuration is to safety It verifies the first obtained authentication data to be authenticated, if certification passes through, realizes the certification to identity card legitimacy, i.e. body Part card is true legal；Then certification factor application request is generated.Wherein, identity card card reading responding device is to the first certification number Can use according to certification is carried out but be not limited to following manner: mode one: identity card card reading responding device utilizes and identity card identifies The first certification factor that the corresponding security key of information generates itself carries out that MAC value is calculated, the MAC value that will be calculated It is compared with the first authentication data that safety verification obtains, if identical, the certification of the first authentication data is passed through.Mode Two: identity card card reading responding device can use that security key corresponding with identity card identification information obtains safety verification One authentication data is decrypted, and obtains the certification factor, and compares the certification factor that decryption obtains and the first certification that itself is generated Whether the factor is identical, if identical, passes through to the certification of the first authentication data.Mode three: identity card card reading responding device can It is encrypted and is authenticated with the first certification factor generated using security key corresponding with identity card identification information to itself Data, and whether compare the first authentication data that the obtained authentication data of encryption and safety verification obtain identical, if identical, The certification of first authentication data is passed through.If the certification that identity card card reading responding device carries out the first authentication data passes through, Then illustrate that the security key that identity card uses is identical as the security key that identity card card reading responding device uses, illustrates that identity card is Legal identity card, identity card card reading responding device is by carrying out the legal of authenticate-acknowledge identity card to the first authentication data Property.Security key corresponding with identity card identification information is calculated to presupposed information in identity card card reading responding device.It can Choosing, if the certification carried out to the first authentication data is not over terminating identity card card reading responding process.

Step S105: identity card card reading responding device carries out safe handling to certification factor application request, obtains third number Identity card card-reading terminal is sent to according to packet, and by third data packet；

As a kind of optional embodiment of the present embodiment, third data packet includes the second encryption data and the second number of signature According to；Identity card card reading responding device carries out safe handling to certification factor application request, comprising: identity card card reading responding device makes Certification factor application request is encrypted with session key, obtains the second encryption data, and use identity card card reading response dress The private key set signs to the second encryption data, obtains the second signed data.Identity card card reading responding device will include second Encryption data and the third data packet of the second signed data are sent to identity card card-reading terminal.Identity card card reading responding device utilizes Session key is encrypted to obtain the second encryption data to certification factor application request, even if third party's interception the second encryption number According to, certification factor application request can not be also obtained, it, cannot be using the session key to the because of the not no session key of third party Two encryption datas are decrypted, and obtain certification factor application request, only equally the identity card card reading with the session key is whole End could decrypt the second encryption data, therefore, certification factor application request can be effectively prevented and illegally stolen in network transmission It takes, read, guarantee the safety of certification factor application request transmission.Identity card card reading responding device sends the second signed data To identity card card-reading terminal, identity card card-reading terminal can execute sign test operation, if identity card card-reading terminal utilizes identity card The second signed data can be decrypted in the public key of card reading responding device, then illustrates that received second signed data is by identity Demonstrate,prove what card reading responding device issued, data source is legal；If identity card card-reading terminal is responded using identity card card reading The second signed data cannot be decrypted in the public key of device, then illustrates that received second signed data is not by identity card card reading Responding device issue, data source be it is illegal, therefore, signing to the second encryption data can be such that identity card reads The legitimacy of card terminal check data source.If the second encryption data is distorted in transmission process by illegal person, identity Demonstrate,prove card-reading terminal during sign test, can to the second encryption data after distorting carry out HASH abstract be calculated, the abstract and Identity card card-reading terminal must using the abstract that the second signed data is decrypted in the public key of identity card card reading responding device Fixed difference, causes sign test that can not pass through, therefore, can prevent the second encryption data quilt by signing to the second encryption data It distorts, guarantees that identity card card-reading terminal receives the integrality of the second encryption data.In this optional embodiment, identity card card reading is whole The public key that end can use identity card card reading responding device carries out signature verification to the second signed data, after being verified, then The second encryption data is decrypted using session key, obtains certification factor application request, and will certification factor application request It is sent to identity card.

In the present embodiment, identity card receives the certification factor application request of identity card card-reading terminal transmission, generates second The factor is authenticated, and the second certification factor is sent to identity card card-reading terminal.Identity card card-reading terminal is recognized receive second It demonstrate,proves the factor and carries out safe handling, obtain the 4th data packet, and the 4th data packet is sent to identity card card reading responding device.Its In, the second certification factor can be one or a string of random numbers, perhaps can for one or a string of random characters or a string with Any combination of machine number and random character.Identity card can use the second certification factor and realize to identity card card reading responding device Certification.

Step S106: identity card card reading responding device receives the 4th data packet that identity card card-reading terminal is sent, and to the Four data packets carry out safety verification, after safety verification passes through, obtain the second certification factor；

As a kind of optional embodiment of the present embodiment, the 4th data packet includes the signature of the second ciphertext and the second ciphertext Value；Wherein, the second ciphertext is encrypted using session key to the second certification factor by identity card card-reading terminal, the The signature value of two ciphertexts is signed using the first private key of itself to the second ciphertext by identity card card-reading terminal.Body Part card card reading responding device carries out safety verification to the 4th data packet, after safety verification passes through, obtains the second certification factor, wraps Include: identity card card reading responding device carries out signature to the signature value of the second ciphertext using the First Certificate of identity card card-reading terminal and tests Card, in the case where being verified, is decrypted the second ciphertext using session key, obtains the second certification factor；Otherwise it ties Beam identity card card reading responding process.If identity card card reading responding device can be right using the first public key of identity card card-reading terminal The signature value of second ciphertext is decrypted, then illustrates that the signature value of received second ciphertext is issued by identity card card-reading terminal , data source is legal；If identity card card reading responding device cannot using the first public key of identity card card-reading terminal The signature value of second ciphertext is decrypted, then illustrates that the signature value of received second ciphertext is sent out by identity card card-reading terminal Out, data source is illegal, and therefore, carrying out signature verification to the signature value of the second ciphertext can be confirmed data source Legitimacy.If the second ciphertext is distorted in transmission process by illegal person, identity card card reading responding device is in sign test mistake Cheng Zhong can carry out HASH to the second ciphertext after distorting and abstract is calculated, and the abstract and identity card card reading responding device utilize The abstract that the signature value of the second ciphertext is decrypted in first public key of identity card card-reading terminal must be different, lead to sign test It can not pass through, therefore, carrying out sign test by the signature value to the second ciphertext may determine that whether the second ciphertext is tampered, and guarantee to connect The integrality for the second ciphertext received.If the session that identity card card reading responding device just has using itself with identity card card-reading terminal The second ciphertext received cannot be decrypted in key, illustrate that second ciphertext is not what identity card card-reading terminal issued, Therefore, the legitimacy that data source can be confirmed the second ciphertext is decrypted；If third party is truncated to the second ciphertext, due to The session key that third party can not obtain identity card card reading responding device and identity card card-reading terminal just has, therefore cannot be to second Ciphertext is decrypted, and can not obtain the second certification factor, and therefore, the second ciphertext, which is decrypted, can prevent the second certification factor It illegally stolen, read in network transmission, guarantee the transmission security of the second certification factor.

Step S107: identity card card reading responding device handles the second certification factor, obtains the second authentication data；

In the present embodiment, the Processing Algorithm that identity card card reading responding device is authorized using the Ministry of Public Security of preset configuration is to second The certification factor is handled, and the second authentication data is obtained.Wherein, identity card card reading responding device authenticates at the factor to second Reason can use but be not limited to following manner: mode one: identity card card reading responding device utilizes corresponding with identity card identification information Security key to second certification the factor carry out MAC MAC value is calculated, which is exactly the second authentication data；Mode two: Identity card card reading responding device encrypts the second certification factor using security key corresponding with identity card identification information, obtains To the second authentication data.Identity card card reading responding device is calculated presupposed information corresponding with identity card identification information Security key.

Step S108: identity card card reading responding device carries out safe handling to the second authentication data, obtains the 5th data packet, And the 5th data packet is sent to identity card card-reading terminal；

As a kind of optional embodiment of the present embodiment, the 5th data packet includes third encryption data and third number of signature According to；Identity card card reading responding device carries out safe handling to the second authentication data, comprising: identity card card reading responding device uses meeting Words the second authentication data of key pair is encrypted, and obtains third encryption data, and use the private key of identity card card reading responding device It signs to third encryption data, obtains third signed data.Identity card card reading responding device will include third encryption data Identity card card-reading terminal is sent to the 5th data packet of third signed data.Identity card card reading responding device utilizes session key Second authentication data is encrypted to obtain third encryption data, even if third party intercepts third encryption data, can not also be obtained Second authentication data, because the not no session key of third party, cannot solve third encryption data using the session key It is close, the second authentication data is obtained, only equally the identity card card-reading terminal with the session key could decrypt third encryption number According to, therefore, the second authentication data can be effectively prevented and illegally stolen, read in network transmission, the second authentication data of guarantee The safety of transmission.After third signed data is sent to identity card card-reading terminal by identity card card reading responding device, identity card is read Card terminal can execute sign test operation, if identity card card-reading terminal can be to third using the public key of identity card card reading responding device Signed data is decrypted, then illustrates that received third signed data is issued by identity card card reading responding device, data Source is legal；If identity card card-reading terminal cannot be to third signed data using the public key of identity card card reading responding device It is decrypted, then illustrates that received third signed data is issued by identity card card reading responding device, data source is Illegal, therefore, the legitimacy of identity card card-reading terminal confirmation data source can be made by signing to third encryption data. If third encryption data is distorted in transmission process by illegal person, identity card card-reading terminal, can be right during sign test Third encryption data after distorting carries out HASH and abstract is calculated, and the abstract and identity card card-reading terminal utilize identity card card reading The abstract that third signed data is decrypted in the public key of responding device must be different, cause sign test that can not pass through, therefore, Third encryption data can be prevented to be tampered by signing to third encryption data, guarantee that identity card card-reading terminal receives the The integrality of three encryption datas.In this optional embodiment, identity card card-reading terminal can use identity card card reading responding device Public key to third signed data carry out signature verification, after being verified, recycle session key to third encryption data into Row decryption, obtains the second authentication data, and the second authentication data is sent to identity card.

In the present embodiment, after identity card receives the second authentication data of identity card card-reading terminal transmission, first with pre- Identifying algorithm built in elder generation authenticates the second authentication data, and after certification passes through, and sends body to identity card card-reading terminal Part card data ciphertext.Wherein, identity card data ciphertext is usually that resident identification card number, name, photo, age, address, card make With the ciphertext of the data such as the time limit and/or fingerprint.Wherein, identity card authenticates the second authentication data and can use but be not limited to Following manner: mode one: identity card is calculated using the second certification factor that built-in security key generates itself The MAC value being calculated is compared by MAC value with the second authentication data received, if identical, to the second certification number According to certification pass through.Mode two: identity card can use built-in security key and solve to the second authentication data received It is close, the certification factor is obtained, and compare the obtained certification factor of decryption is generated with itself second whether authenticate the factor identical, if It is identical, then the certification of the second authentication data is passed through.Mode three: identity card can use built-in security key and generate to itself The second certification factor encrypted to obtain authentication data, and compare the obtained authentication data of encryption and the second certification for receiving Whether data are identical, if identical, pass through to the certification of the second authentication data.If identity card authenticates the second authentication data Pass through, the security key for illustrating that identity card card reading responding device uses is identical as the security key built in identity card, illustrates identity Card card reading responding device is legal identity card card reading responding device, and identity card is by carrying out authenticate-acknowledge to the second authentication data The legitimacy of identity card card reading responding device.As an alternative embodiment, if to the progress of the second authentication data Certification is not over then terminating identity card card reading responding process.Identity card card-reading terminal is to the identity card data ciphertext received Safe handling is carried out, obtains the 6th data packet, and the 6th data packet is sent to identity card card reading responding device.It can as one kind The embodiment of choosing, identity card card-reading terminal can by information included by identity card data ciphertext by a data packet, one It is secondary to be sent to identity card card reading responding device, it is of course also possible to which information included by identity card data ciphertext is passed through multiple numbers According to packet, it is sent to identity card card reading responding device several times.

Identity card card reading responding device confirmed the legitimacy of identity card by the first certification factor, and identity card passes through second The certification factor confirmed the legitimacy of identity card card reading responding device.After two-way authentication passes through, identity card is just to identity card card reading Terminal sends identity card data ciphertext.

Step S109: identity card card reading responding device receives the 6th data packet that identity card card-reading terminal is sent, and to the Six data packets carry out safety verification, after safety verification passes through, obtain identity card data ciphertext；

As a kind of optional embodiment of the present embodiment, the 6th data packet includes the signature of third ciphertext and third ciphertext Value；Wherein, third ciphertext is to be encrypted by identity card card-reading terminal using session key identity card data ciphertext, the The signature value of three ciphertexts is signed using the first private key of itself to third ciphertext by identity card card-reading terminal.Body Part card card reading responding device carries out safety verification to the 6th data packet, after safety verification passes through, obtains identity card data ciphertext, wraps Include: identity card card reading responding device carries out signature to the signature value of third ciphertext using the First Certificate of identity card card-reading terminal and tests Card, in the case where being verified, is decrypted third ciphertext using session key, obtains identity card data ciphertext；Otherwise Terminate identity card card reading responding process.If identity card card reading responding device can using the first public key of identity card card-reading terminal The signature value of third ciphertext is decrypted, then illustrates that the signature value of received third ciphertext is issued by identity card card-reading terminal , data source is legal；If identity card card reading responding device cannot using the first public key of identity card card-reading terminal The signature value of third ciphertext is decrypted, then illustrates that the signature value of received third ciphertext is sent out by identity card card-reading terminal Out, data source is illegal, and therefore, carrying out signature verification to the signature value of third ciphertext can be confirmed data source Legitimacy.If third ciphertext is distorted in transmission process by illegal person, identity card card reading responding device is in sign test mistake Cheng Zhong can carry out HASH to the third ciphertext after distorting and abstract is calculated, and the abstract and identity card card reading responding device utilize The abstract that the signature value of third ciphertext is decrypted in first public key of identity card card-reading terminal must be different, lead to sign test It can not pass through, therefore, carrying out sign test by the signature value to third ciphertext may determine that whether third ciphertext is tampered, and guarantee to connect The integrality of the third ciphertext of receipts.If the session that identity card card reading responding device just has using itself with identity card card-reading terminal The third ciphertext received cannot be decrypted in key, illustrate that the third ciphertext is not what identity card card-reading terminal issued, Therefore, the legitimacy that data source can be confirmed third ciphertext is decrypted；If third party is truncated to third ciphertext, due to The session key that third party can not obtain identity card card reading responding device and identity card card-reading terminal just has, therefore cannot be to third Ciphertext is decrypted, and can not obtain identity card data ciphertext, and therefore, third ciphertext, which is decrypted, can prevent identity card data Ciphertext is illegally stolen in network transmission, is read, and guarantees the transmission security of identity card data ciphertext.

Step S110: identity card data ciphertext is decrypted in identity card card reading responding device, and it is bright to obtain identity card data Text；

In the present embodiment, identity card data clear text is usually resident identification card number, name, photo, age, address, card The plaintext of the data such as service life, fingerprint.

In the present embodiment, identity card card reading responding device is arranged in cloud authentication platform comprising national Password Management office examines The specified special product (SAM module) of the Ministry of Public Security of the safety chip criticized and responsible decryption identity card data ciphertext, this is dedicated Product meets GA 467-2013 " residence card verifying safety control module Technical Interface Specification ".

Step S111: identity card card reading responding device carries out safe handling to identity card data clear text, obtains the 7th data Packet, and the 7th data packet is sent to identity card card-reading terminal.

In the present embodiment, after the 7th data packet is sent to identity card card-reading terminal by identity card card reading responding device, identity Card card reading responds successfully, terminates identity card card reading responding process.

As a kind of optional embodiment of the present embodiment, identity card card reading responding device can be by identity card data clear text Included information is once sent to identity card card-reading terminal, it is of course also possible to which identity card data are bright by a data packet Information included by text is sent to identity card card-reading terminal by multiple data packets several times.

As a kind of optional embodiment of the present embodiment, identity card card reading responding device carries out identity card data clear text Safe handling, comprising: identity card card reading responding device encrypts identity card data clear text using session key, obtains the 4th Encryption data, and signed using the private key of identity card card reading responding device to the 4th encryption data, obtain the 4th number of signature According to.The 7th data packet including the 4th encryption data and the 4th signed data is sent to identity card by identity card card reading responding device Card-reading terminal.Identity card card reading responding device encrypts identity card data clear text using session key to obtain the 4th encryption number According to even if third party's the 4th encryption data of interception, can not also obtain identity card data clear text, because the session is not close by third party Key cannot be decrypted the 4th encryption data using the session key, obtain identity card data clear text, and only equally having should The identity card card-reading terminal of session key could decrypt the 4th encryption data, therefore, identity card data clear text can be effectively prevented It illegally stolen, read in network transmission, guarantee the safety of identity card data clear text transmission.Identity card card reading responding device After 4th signed data is sent to identity card card-reading terminal, identity card card-reading terminal can execute sign test operation, if identity card Card-reading terminal can be decrypted the 4th signed data using the public key of identity card card reading responding device, then illustrate received Four signed datas are issued by identity card card reading responding device, and data source is legal；If identity card card-reading terminal The 4th signed data cannot be decrypted using the public key of identity card card reading responding device, then illustrate received 4th number of signature According to being issued by identity card card reading responding device, data source be it is illegal, therefore, the 4th encryption data is carried out Signature can make the legitimacy of identity card card-reading terminal confirmation data source.If the 4th encryption data is non-in transmission process Method molecule is distorted, then identity card card-reading terminal can carry out HASH calculating to the 4th encryption data after distorting during sign test It is made a summary, the abstract and identity card card-reading terminal carry out the 4th signed data using the public key of identity card card reading responding device Decrypting obtained abstract must be different, causes sign test that can not pass through, therefore, can be to prevent by signing to the 4th encryption data Only the 4th encryption data is tampered, and guarantees that identity card card-reading terminal receives the integrality of the 4th encryption data.This optional embodiment party In formula, the public key that identity card card-reading terminal can use identity card card reading responding device carries out signature to the 4th signed data and tests Card recycles session key that the 4th encryption data is decrypted, obtains identity card data clear text after being verified.

In identity card card-reading terminal in the present embodiment and be not provided with can be real to the ciphertext data read from identity card The identity card card reading responding device now decrypted, but identity card card reading responding device is set in cloud authentication platform, identity card is read Card terminal can greatly reduce the cost of implementation of user, spy by being linked into cloud authentication platform to realize the reading to identity card It is not to need to be implemented the industry of ID card information read operation in bank, station, insurance etc., need to only disposes the identity of respective numbers Card-reading terminal is demonstrate,proved, without largely disposing identity card card reading responding device again, is rung without a large amount of setting identity card card readings The corresponding relationship between device and identity card card-reading terminal is answered, implementation is simplified.Meanwhile identity is set in cloud authentication platform Card reading responding device is demonstrate,proved, identity card card reading responding device carries out safety to the identity card related data that identity card card-reading terminal is sent Verifying, then respective handling is carried out to identity card related data, response data is generated, and safe handling is carried out to response data, then Processed data are sent to identity card card-reading terminal, therefore between identity card card reading responding device and identity card card-reading terminal Exit passageway is established, the safety communicated between identity card and identity card card reading responding device can be improved by the exit passageway Property, guarantee the transmission safety of identity card data.Also, identity card and identity card card reading responding device by the first certification factor and The interaction of the second certification factor completes two-way authentication, identity card card reading responding device to identity card data ciphertext be decrypted with Identity card data clear text is obtained, and is sent to identity card card-reading terminal, to complete the reading of identity card.

In the present embodiment, as shown in Fig. 2, being needed before carrying out safety verification to card reading request data package in step s101 Session key is obtained, therefore, as a kind of optional embodiment of the present embodiment, identity card card reading provided in this embodiment is rung Induction method can also include the following steps (step S201-S205):

Step S201: identity card card reading responding device receives the session key request data that identity card card-reading terminal is sent Packet, wherein session key request data package includes that the first random factor, the signature value of the first random factor and identity card card reading are whole The First Certificate at end；

In this optional embodiment, the signature value of the first random factor is first private of the identity card card-reading terminal using itself What key was signed.First random factor can be one or a string of random numbers, or can be one or a string random Any combination of character or a string of random numbers and random character.

Step 202: identity card card reading responding device verifies the legitimacy of First Certificate, after being verified, makes Signature verification is carried out with signature value of the First Certificate to the first random factor, in the case where signature verification passes through, generates second Random factor；

In this optional embodiment, identity card card reading responding device is using root certificate to the first card of identity card card-reading terminal Book is verified, and if the verification passes, then illustrates that the First Certificate of identity card card-reading terminal is legal.

In this optional embodiment, if identity card card reading responding device utilizes the first public key energy of identity card card-reading terminal It is enough that the signature value of first random factor is decrypted, then illustrate that the signature value of received first random factor is read by identity card What card terminal issued, data source is legal；If identity card card reading responding device utilizes the of identity card card-reading terminal One public key cannot the signature value to the first random factor be decrypted, then illustrate that the signature value of received first random factor is not Issued by identity card card-reading terminal, data source be it is illegal, therefore, the signature value of the first random factor is signed The legitimacy of data source can be confirmed in name verifying.If the first random factor is distorted in transmission process by illegal person, Identity card card reading responding device can carry out HASH to the first random factor after distorting and abstract is calculated during sign test, The abstract and identity card card reading responding device utilize the first public key of identity card card-reading terminal to the signature value of the first random factor The abstract being decrypted must be different, cause sign test that can not pass through, therefore, by the signature value to the first random factor into Row sign test may determine that whether the first random factor is tampered, and guarantee the integrality of received first random factor.

In this optional embodiment, the second random factor can be one or a string of random numbers, or can for one or Any combination of a string of random characters or a string of random numbers and random character.

Optionally, if identity card card reading responding device to the sign test of the signature value of the first random factor not over tying Beam session key requests responding process.

In this optional embodiment, after step S202 generates the second random factor, further includes:

Step 205: identity card card reading responding device generates session key according to the first random factor and the second random factor.

In this optional embodiment, identity card card reading responding device using preset algorithm to the first random factor and second with The machine factor generates session key.

Step 203: identity card card reading responding device encrypts the first random factor and the second random factor, obtains Five encryption datas, and signed using the private key of identity card card reading responding device to the 5th encryption data, obtain the 5th signature Data；

In this optional embodiment, identity card card reading responding device is using the First Certificate of identity card card-reading terminal to first Random factor and the second random factor are encrypted, and the 5th encryption data is obtained.Identity card card reading responding device is close using session Key is encrypted to obtain the 5th encryption data to the first random factor and the second random factor, even if the 5th encryption of third party's interception Data can not also obtain the first random factor and the second random factor, cannot be using should because of the not no session key of third party The 5th encryption data is decrypted in session key, obtains the first random factor and the second random factor, and only equally having should The identity card card-reading terminal of session key could decrypt the 5th encryption data, therefore, can be effectively prevented the first random factor and Second random factor is illegally stolen in network transmission, is read, and guarantees what the first random factor and the second random factor transmitted Safety.After 5th signed data is sent to identity card card-reading terminal by identity card card reading responding device, identity card card-reading terminal Sign test operation can be executed, if identity card card-reading terminal can be to the 5th number of signature using the public key of identity card card reading responding device According to being decrypted, then illustrate that received 5th signed data is issued by identity card card reading responding device, data source is Legal；If identity card card-reading terminal cannot solve the 5th signed data using the public key of identity card card reading responding device It is close, then illustrate that received 5th signed data is issued by identity card card reading responding device, data source is illegal , therefore, the legitimacy of identity card card-reading terminal confirmation data source can be made by signing to the 5th encryption data.If the Five encryption datas are distorted in transmission process by illegal person, then identity card card-reading terminal during sign test, can be to distorting after The 5th encryption data carry out HASH abstract be calculated, the abstract and identity card card-reading terminal utilize identity card card reading response dress The abstract that the 5th signed data is decrypted in the public key set must be different, cause sign test that can not pass through, therefore, by right 5th encryption data, which carries out signature, can prevent the 5th encryption data to be tampered, and guarantee that identity card card-reading terminal receives the 5th encryption The integrality of data.

Step 204: the 8th data packet is sent to identity card card-reading terminal by identity card card reading responding device, wherein the 8th Data packet includes the certificate of the 5th encryption data, the 5th signed data and identity card card reading responding device；

In this optional embodiment, after identity card card-reading terminal receives the 8th data packet, responded using identity card card reading The public key of device carries out signature verification to the 5th signed data, private using the first of identity card card-reading terminal after being verified The 5th encryption data is decrypted in key, obtains the first random factor and the second random factor, decryption is obtained first random The factor is compared with the first random factor that itself is generated, if identical, illustrates that identity card card reading responding device has received It is generated to the first random factor and received first random factor of identity card card reading responding device and identity card card-reading terminal First random factor is identical, and identity card card-reading terminal is random to first using algorithm identical with the preset algorithm in step S205 The factor and the second random factor are calculated, and session key identical with the session key of identity card card reading responding device is generated, In this way, identity card card reading responding device and identity card card-reading terminal can carry out body by the Session key establishment exit passageway The related data transmission of part card, can be improved the safety of data transmission；If it is not the same, then illustrating identity card card reading response dress It sets the first random factor that received first random factor is generated with identity card card-reading terminal to be different, identity card card-reading terminal Respective first random factor and the second random factor are calculated using identical preset algorithm with identity card card reading responding device Different two session keys are obtained, identity card card-reading terminal and identity card card reading responding device cannot decrypt other side and send Encryption data.

As a kind of optional embodiment of the present embodiment, the reading that identity card card-reading terminal is sent is received in step s101 Before card request data package, the response of identity card card seeking request operation can also be carried out, as shown in figure 3, mainly including following step Suddenly (S301 to S305):

Step S301: identity card card reading responding device receives the card seeking request data package that identity card card-reading terminal is sent, In, card seeking request data package includes card seeking request data ciphertext, the signature value of card seeking request data ciphertext and identity card card reading The First Certificate of terminal and the second certificate；

In this optional embodiment, card seeking request data ciphertext is to utilize authenticated encryption key pair by identity card card-reading terminal Card seeking request data is encrypted, and the signature value of card seeking request data ciphertext is to utilize itself by identity card card-reading terminal The first private key signed to card seeking request data ciphertext.

Optionally, First Certificate and the second certificate can be identical certificate, be also possible to different certificates.

Optionally, card seeking request data includes timestamp and/or terminal counter；Using the certification decruption key obtained Card seeking request data ciphertext is decrypted, after obtaining card seeking request data, further includes: by timestamp and/or terminal count Device is sent to dispatch server.It is whole that dispatch server can carry out identity card card reading according to information such as timestamp, terminal counters The frequency control at end and blacklist automatic capture, and blacklist is added in suspicious identity card card-reading terminal.

Optionally, identity card card reading responding device receive identity card card-reading terminal send card seeking request data package it Before, dispatch server can receive the request of the access cloud authentication platform of identity card card-reading terminal, obtain identity card card-reading terminal Whether identification information allows identity card card-reading terminal reading identity card according to the identification information judgment of identity card card-reading terminal；In It determines in the case where allowing identity card card-reading terminal reading identity card, in the card seeking request for receiving the transmission of identity card card-reading terminal After data packet, working condition inquiry request is sent to the cloud authentication database of cloud authentication platform；Cloud authentication database receives scheduling The working condition inquiry request that server is sent, each identity card card reading in the compass of competency of query scheduling server respond dress The working condition set, and query result is sent to dispatch server；Dispatch server receives looking into for cloud authentication database transmission Ask as a result, and according to query result, selecting a working condition is the identity card card reading responding device of free time, by the identity of selection The identification information of card card reading responding device is sent to identity card card-reading terminal.Wherein, dispatch server can be in the following manner Determine whether identity card card-reading terminal reading identity card: the identification information of identity card card-reading terminal includes First Certificate and Two certificates；It can use root certificate to verify the legitimacy of First Certificate, if being verified, allow identity card card reading whole Hold reading identity card；If verifying does not pass through, identity card card-reading terminal reading identity card is not allowed；And/or it can use root card Book verifies the legitimacy of the second certificate, if being verified, allows identity card card-reading terminal reading identity card；If verifying Do not pass through, does not then allow identity card card-reading terminal reading identity card.

Optionally, after selecting identity card card reading responding device of the working condition for the free time, dispatch server meeting Authentication code is generated, authentication code is respectively sent to identity card card-reading terminal and cloud authentication database；Cloud authentication database storage mirror Weighted code, and when reaching the validity period of authentication code, delete authentication code；Card seeking request data package further includes authentication code ciphertext, identity Authentication code ciphertext is decrypted in card card reading responding device, obtains authentication code, inquires in cloud authentication database whether be stored with mirror Weighted code continues to execute operation, otherwise terminates process if being stored with.Specifically, in distribution port to the body of working condition free time After part card card reading responding device, the authentication code of generation is separately sent to identity card card-reading terminal to dispatch server and cloud authenticates It is stored in database, identity card card-reading terminal is encrypted using the authenticated encryption key pair authentication code, obtains authentication code Ciphertext；Identity card card reading responding device is decrypted the authentication code ciphertext using certification decruption key, obtains authentication code, Xiang Yun Authentication database sends inquiry request, inquires in cloud authentication database whether be stored with the authentication code, if being stored with, generation is sought Otherwise card request response data terminates card seeking responding process.Wherein, which has timeliness, when being more than scheduled duration, Cloud authentication database just will be deleted the authentication code of storage, authentication code failure, and above-mentioned inquiry operation failure terminates transaction response, because This, setting authentication code can identify whether transaction is legal, therefore, it is determined that whether continuous business responds, guarantee the response of identity card card reading The safety of process.The authentication code can be one or a string of random numbers, perhaps can for one or a string of random characters or Any combination of a string of random numbers and random character, is not especially limited in the present embodiment.

Step S302: identity card card reading responding device verifies the legitimacy of First Certificate, after being verified, makes Signature verification is carried out with signature value of the First Certificate to card seeking request data ciphertext, in the case where signature verification passes through, is used Card seeking request data ciphertext is decrypted in the certification decruption key of acquisition, obtains card seeking request data；

In this optional embodiment, if identity card card reading responding device utilizes the first public key energy of identity card card-reading terminal It is enough that the signature value of card seeking request data ciphertext is decrypted, then illustrate received card seeking request data ciphertext signature value be by What identity card card-reading terminal issued；If identity card card reading responding device cannot be right using the first public key of identity card card-reading terminal The signature value of card seeking request data ciphertext is decrypted, then illustrates that the signature value of received card seeking request data ciphertext is not by body Part card card-reading terminal issues, and therefore, carrying out signature verification to the signature value of card seeking request data ciphertext can be confirmed that data are come The legitimacy in source.If card seeking request data ciphertext is distorted in transmission process by illegal person, identity card card reading response dress It sets during sign test, HASH can be carried out to the card seeking request data ciphertext after distorting and abstract is calculated, the abstract and identity Card card reading responding device is decrypted the signature value of card seeking request data ciphertext using the first public key of identity card card-reading terminal Obtained abstract must be different, cause sign test that can not pass through, therefore, tested by the signature value to card seeking request data ciphertext Label may determine that whether card seeking request data ciphertext is tampered, and guarantee the integrality of received card seeking request data ciphertext.If Identity card card reading responding device cannot ask the card seeking received with the session key that identity card card-reading terminal just has using itself It asks data ciphertext to be decrypted, illustrates that the card seeking request data ciphertext is not what identity card card-reading terminal issued, therefore, to seeking The legitimacy that data source can be confirmed is decrypted in card request data ciphertext；If third party is truncated to card seeking, request data is close Text, due to the session key that third party can not obtain identity card card reading responding device and identity card card-reading terminal just has, no Card seeking request data ciphertext can be decrypted, card seeking request data can not be obtained, therefore, card seeking request data ciphertext is carried out Decryption can prevent card seeking request data from illegally being stolen, being read in network transmission, and correctly read card seeking request data.

In this optional embodiment, identity card card reading responding device will decrypt card seeking request data ciphertext, need to obtain and recognize Decruption key is demonstrate,proved, which can be identical key, i.e. symmetric key with above-mentioned authenticated encryption key.Acquisition is recognized Card decruption key can use but be not limited to following manner: mode one: certification decruption key preset configuration is rung in identity card card reading Answer in device, authenticated encryption key also preset configuration in identity card card-reading terminal.Mode two: identity card card reading responding device obtains Take the protection key of certification decruption key ciphertext and cloud authentication database, wherein certification decruption key ciphertext is cloud authentication data What the authenticated encryption key of each identity card card-reading terminal of the protection key pair in library was encrypted, identity card card reading response dress It sets and is decrypted using protection key pair certification decruption key ciphertext, obtain certification decruption key.Identity is being received for the first time After demonstrate,proving data of the card-reading terminal using the encryption of authenticated encryption key, identity card card reading responding device is docked using certification decruption key The data that the identity card card-reading terminal received is sent for the first time are decrypted, and guarantee identity card card reading responding device and identity card card reading The safety of the transmission data of terminal；In the present embodiment, card seeking request data ciphertext is that identity card card-reading terminal is sent for the first time Data.

Step S303: identity card card reading responding device responds card seeking request data, generates card seeking and requests number of responses According to；

Step S304: identity card card reading responding device encrypts card seeking request response data using session key, obtains To the 6th encryption data, session key is encrypted using the second certificate, obtains session key ciphertext, and read using identity card The private key of card responding device signs to the 6th encryption data and session key ciphertext, obtains the 6th signed data；

In this optional embodiment, session key can use but be not limited to following manner and be obtained: mode one: identity Card card reading responding device generates session key at random, and session key is random factor；Optionally, session key can for one or A string of random numbers can be perhaps one or any combination of a string of random characters or a string of random numbers and random character；Meeting Key is talked about as the key being randomly generated, is not easy to be stolen by illegal person.Mode two: pre- inside identity card card reading responding device Session key is first set.Mode three: identity card card reading responding device and identity card card-reading terminal generate arranging key through consultation, Using arranging key as session key, existing negotiation mode is can be used in specific machinery of consultation, is not limited specifically in the present embodiment It is fixed.

In this optional embodiment, identity card card reading responding device carries out card seeking request response data using session key Encryption obtains the 6th encryption data, even if third party intercepts the 6th encryption data, can not also obtain card seeking request response data, because For the not no session key of third party, the 6th encryption data cannot be decrypted using the session key, obtain card seeking request Response data only equally could decrypt the 6th encryption data with the identity card card-reading terminal of the session key, therefore, can be with It effectively prevent card seeking request response data illegally to be stolen, read in network transmission, guarantees the transmission of card seeking request response data Safety.After 6th signed data is sent to identity card card-reading terminal by identity card card reading responding device, identity card card reading is whole End can execute sign test operation, if identity card card-reading terminal can be signed using the public key of identity card card reading responding device to the 6th Data are decrypted, then illustrate that received 6th signed data is issued by identity card card reading responding device, data source It is legal；If identity card card-reading terminal cannot carry out the 6th signed data using the public key of identity card card reading responding device Decryption, then illustrate that received 6th signed data is issued by identity card card reading responding device, data source is not conform to Method, therefore, the legitimacy of identity card card-reading terminal confirmation data source can be made by signing to the 6th encryption data.If 6th encryption data is distorted in transmission process by illegal person, then identity card card-reading terminal, can be to distorting during sign test The 6th encryption data afterwards carries out HASH and abstract is calculated, and the abstract and identity card card-reading terminal are responded using identity card card reading The abstract that the 6th signed data is decrypted in the public key of device must be different, cause sign test that can not pass through, therefore, pass through Signing to the 6th encryption data can prevent the 6th encryption data to be tampered, and guarantee that identity card card-reading terminal receives the 6th and adds The integrality of ciphertext data.

In this optional embodiment, identity card card reading responding device is only using certification decruption key to identity card card-reading terminal The data (such as card seeking request data package of the present embodiment) sent for the first time are decrypted, and utilize the session newly obtained close Key carries out enciphering/deciphering processing to the subsequent data sent or received, in this way, can establish data safety with identity card card-reading terminal Channel, improve data transfer safety.

Step S305: card seeking request response data packet is sent to identity card card-reading terminal by identity card card reading responding device, Wherein, card seeking request response data packet includes the 6th encryption data and the 6th signed data.

In this optional embodiment, identity card card-reading terminal is asked receiving the card seeking that identity card card reading responding device is sent After seeking response data packet, signature verification is carried out to the 6th signed data using the certificate of identity card card reading responding device, is being verified By rear, using the second private key of identity card card-reading terminal (in second private key and the second certificate of identity card card-reading terminal Second public key is a pair of of unsymmetrical key) session key ciphertext is decrypted, session key is obtained, session key pair is recycled 6th encryption data is decrypted, and obtains card seeking request response data；The session key is stored, it later can be close by session Key establishes exit passageway, and the related data for carrying out identity card with identity card card reading responding device is transmitted, and guarantees the peace of data transmission Quan Xing.

In the present embodiment, identity card card reading responding device can directly be read by cable network or wireless network and identity card Card terminal is directly communicated, and the communication data with identity card card-reading terminal can also be sent or received by dispatch server. If identity card card reading responding device does not have communication interface, need to be communicated by third party, such as dispatch server The forwarding or switching of data, without directly being communicated with identity card card-reading terminal.It receives when by dispatch server comprising label It, can be whole to identity card card reading by dispatch server if in communication data including signed data when the communication data of name data It holds the data sent to carry out signature verification, signature verification can also be carried out by identity card card reading responding device, in the present embodiment It is not construed as limiting.

Embodiment 2

Fig. 4 is a kind of structural schematic diagram of identity card card reading responding device provided in an embodiment of the present invention.As shown in figure 4, Identity card card reading responding device provided in this embodiment specifically includes that receiving module 401, for receiving identity card card-reading terminal hair The card reading request data package sent；Secure verification module 402, for carrying out safety verification, safety verification to card reading request data package By rear, identity card identification information is obtained；First generation module 403, for generating the first certification factor；Secure processing module 404, for carrying out safe handling to the first certification factor, obtain the first data packet；Sending module 405 is used for the first data Packet is sent to identity card card-reading terminal；Receiving module 401 is also used to receive the second data packet of identity card card-reading terminal transmission； Secure verification module 402 is also used to carry out safety verification to the second data packet, after safety verification passes through, obtains the first certification number According to；Second generation module 406 after certification passes through, generates certification factor application and asks for authenticating to the first authentication data It asks；Secure processing module 404 is also used to carry out safe handling to certification factor application request, obtains third data packet；Send mould Block 405 is also used to third data packet being sent to identity card card-reading terminal；Receiving module 401 is also used to receive identity card card reading The 4th data packet that terminal is sent；Secure verification module 402 is also used to carry out safety verification, safety verification to the 4th data packet By rear, the second certification factor is obtained；Identification processing module 407 obtains second and recognizes for handling the second certification factor Demonstrate,prove data；Secure processing module 404 is also used to carry out safe handling to the second authentication data, obtains the 5th data packet；Send mould Block 405 is also used to the 5th data packet being sent to identity card card-reading terminal；Receiving module 401 is also used to receive identity card card reading The 6th data packet that terminal is sent；Secure verification module 402 is also used to carry out safety verification, safety verification to the 6th data packet By rear, identity card data ciphertext is obtained；Deciphering module 408 obtains identity card for identity card data ciphertext to be decrypted Data clear text；Secure processing module 404 is also used to carry out safe handling to identity card data clear text, obtains the 7th data packet；Hair Module 405 is sent, is also used to the 7th data packet being sent to identity card card-reading terminal.

In the present embodiment, identity card card reading responding device is arranged in cloud authentication platform comprising national Password Management office examines The specified special product of the Ministry of Public Security of the safety chip criticized and responsible decryption identity card data ciphertext, the special product meet GA 467-2013 " residence card verifying safety control module Technical Interface Specification ".

As a kind of optional embodiment of the present embodiment, card reading request data package includes card reading request data ciphertext and reading The signature value of card request data ciphertext；Wherein, card reading request data ciphertext is that identity card card-reading terminal utilizes session key to packet What the card reading request data of the identification information containing identity card was encrypted, the signature value of card reading request data ciphertext is identity card Card-reading terminal signs to card reading request data ciphertext using the first private key of itself；Specifically, identity card card reading Terminal calculates card reading request data ciphertext using HASH algorithm and obtains the abstract of card reading request data ciphertext, and is read using identity card First private key of card terminal encrypts the abstract of card reading request data ciphertext, obtains the signature of card reading request data ciphertext Value.Secure verification module 402 carries out safety verification to card reading request data package in the following manner, after safety verification passes through, obtains To identity card identification information: being signed using the First Certificate of identity card card-reading terminal to the signature value of card reading request data ciphertext Name verifying, in the case where being verified, is decrypted card reading request data ciphertext using session key, obtains identity card mark Know information；Specifically, secure verification module 402 is first with the First Certificate of identity card card-reading terminal to card reading request data ciphertext Signature value be decrypted, the abstract of card reading request data ciphertext is obtained, using HASH algorithm to the card reading number of request received The abstract that card reading request data ciphertext is calculated is carried out according to ciphertext, the abstract of card reading request data ciphertext that decryption is obtained with The abstract for the card reading request data ciphertext being calculated is compared, if identical, sign test passes through, and otherwise terminates identity card reading Card responding process；In the case where being verified, card reading request data ciphertext is decrypted using session key, obtains identity Demonstrate,prove identification information.Wherein, First Certificate include at least identity card card-reading terminal the first public key, the first of identity card card-reading terminal Public key and the first private key of identity card card-reading terminal are a pair of of unsymmetrical key.If secure verification module 402 utilizes identity card The signature value of card reading request data ciphertext can be decrypted in first public key of card-reading terminal, then illustrates received card reading request The signature value of data ciphertext is issued by identity card card-reading terminal, and data source is legal；If secure verification module 402 cannot be decrypted the signature value of card reading request data ciphertext using the first public key of identity card card-reading terminal, then illustrate The signature value of received card reading request data ciphertext is issued by identity card card-reading terminal, and data source is illegal , therefore, carrying out signature verification to the signature value of card reading request data ciphertext can be confirmed the legitimacy of data source.If read Card request data ciphertext is distorted in transmission process by illegal person, then secure verification module 402, can be to usurping during sign test Card reading request data ciphertext after changing carries out HASH and abstract is calculated, and the abstract and secure verification module 402 utilize identity card The abstract that the signature value of card reading request data ciphertext is decrypted in first public key of card-reading terminal must be different, cause to test Label can not pass through, and therefore, carrying out sign test by the signature value to card reading request data ciphertext may determine that card reading request data is close Whether text is tampered, and guarantees the integrality of received card reading request data ciphertext.If secure verification module 402 utilizes identity card The session key that card reading responding device and identity card card-reading terminal just have cannot carry out the card reading request data ciphertext received Decryption, then illustrate that the card reading request data ciphertext is not what identity card card-reading terminal issued, therefore, close to card reading request data The legitimacy that data source can be confirmed is decrypted in text；If third party is truncated to card reading request data ciphertext, due to third The session key that Fang Wufa obtains identity card card reading responding device and identity card card-reading terminal just has, therefore card reading cannot be requested Data ciphertext is decrypted, and can not obtain card reading request data, therefore, card reading request data ciphertext is decrypted and can be prevented Card reading request data is illegally stolen in network transmission, is read, and guarantees the transmission security of card reading request data.It needs to illustrate , the sign test process in the present embodiment can be found in the embodiment, and the process that sign test is referred to below no longer will specifically go to live in the household of one's in-laws on getting married It states.

As a kind of optional embodiment of the present embodiment, sending module 405, it is right in secure verification module 402 to be also used to Card reading request data package carries out safety verification, and after safety verification passes through, after obtaining identity card identification information, identity card is identified Information is sent to dispatch server.Wherein, dispatch server is similarly disposed on cloud authentication platform.In this way, dispatch server can To judge whether body according to the identification information and preset strategy of identity card identification information, identity card card-reading terminal Blacklist or control list is added in the identification information of part card card-reading terminal.

In the present embodiment, before the identity card data ciphertext that identity card card reading responding device receives that identity card is sent, identity Card should realize two-way authentication with identity card card reading responding device, which is that identity card and identity card card reading to be ensured is rung It is legal for answering device all.Identity card card reading responding device can use certification of the first certification factor realization to identity card, In, the first certification factor can be one or a string of random numbers, perhaps can for one or a string of random characters or a string with Any combination of machine number and random character.It should be noted that the first certification factor is responded by identity card card reading in the present embodiment Device generates and sends to identity card.

As a kind of optional embodiment of the present embodiment, the first data packet includes the first encryption data and the first number of signature According to；Secure processing module 404 carries out safe handling to the first certification factor in the following manner, obtains the first data packet: using Session key encrypts the first certification factor, obtains the first encryption data, and use the private of identity card card reading responding device Key signs to the first encryption data, obtains the first signed data；Specifically, secure processing module 404 utilizes HASH algorithm It calculates the first encryption data and obtains the abstract of the first encryption data, and added using the private key of identity card card reading responding device to first The abstract of ciphertext data is encrypted, and the first signed data is obtained.Sending module 405 will include the first encryption data and the first signature First data packet of data is sent to identity card card-reading terminal.Secure processing module 404 using session key to first certification because Son is encrypted to obtain the first encryption data, even if third party intercepts the first encryption data, can not also obtain the first certification factor, Because of the not no session key of third party, the first encryption data cannot be decrypted using the session key, obtain first and recognize The factor is demonstrate,proved, only equally the identity card card-reading terminal with the session key could decrypt the first encryption data, therefore, Ke Yiyou Effect prevents the first certification factor from illegally being stolen, being read in network transmission, guarantees the safety of the first certification factor transmission.Hair After sending module 405 that first signed data is sent to identity card card-reading terminal, identity card card-reading terminal can execute sign test operation, such as Fruit identity card card-reading terminal can be decrypted the first signed data using the public key of identity card card reading responding device, then illustrate Received first signed data is issued by identity card card reading responding device, and data source is legal；If identity card Card-reading terminal cannot be decrypted the first signed data using the public key of identity card card reading responding device, then illustrate received One signed data is issued by identity card card reading responding device, data source be it is illegal, therefore, to first encrypt Data, which carry out signature, can make the legitimacy of identity card card-reading terminal confirmation data source.If the first encryption data is being transmitted across It is distorted in journey by illegal person, then identity card card-reading terminal can carry out the first encryption data after distorting during sign test Abstract is calculated in HASH, and the abstract and identity card card-reading terminal are signed using the public key of identity card card reading responding device to first The abstract that data are decrypted must be different, cause sign test that can not pass through, therefore, by signing to the first encryption data Name can prevent the first encryption data to be tampered, and guarantee that identity card card-reading terminal receives the integrality of the first encryption data.Originally may be used It selects in embodiment, the certificate of identity card card reading responding device need to be sent to identity card card-reading terminal, which includes at least The private key of the public key of identity card card reading responding device, the public key and identity card card reading responding device is a pair of of unsymmetrical key, body Part card card-reading terminal can use the public key and carry out signature verification to the first signed data, after being verified, recycle session The first encryption data of key pair is decrypted, and obtains the first certification factor, and the first certification factor is sent to identity card.It needs Illustrate, the signature process in the present embodiment can be found in the embodiment, and the process that signature is referred to below will no longer have Body repeats.

As a kind of optional embodiment of the present embodiment, the second data packet includes the signature of the first ciphertext and the first ciphertext Value；Wherein, the first ciphertext is encrypted using session key to the first authentication data by identity card card-reading terminal, the The signature value of one ciphertext is signed using the first private key of itself to the first ciphertext by identity card card-reading terminal.Peace Full authentication module 402, carries out safety verification to the second data packet in the following manner, after safety verification passes through, obtains first and recognize It demonstrate,proves data: signature verification being carried out to the signature value of the first ciphertext using the First Certificate of identity card card-reading terminal, is being verified In the case where, the first ciphertext is decrypted using session key, obtains the first authentication data；Otherwise terminate identity card card reading to ring Answer process.If secure verification module 402 being capable of signature value to the first ciphertext using the first public key of identity card card-reading terminal It is decrypted, then illustrates that the signature value of received first ciphertext is issued by identity card card-reading terminal, data source is to close Method；If secure verification module 402 using identity card card-reading terminal the first public key cannot signature value to the first ciphertext into Row decryption, then illustrate that the signature value of received first ciphertext is issued by identity card card-reading terminal, data source is not Legal, therefore, carrying out signature verification to the signature value of the first ciphertext can be confirmed the legitimacy of data source.If first is close Text is distorted in transmission process by illegal person, then secure verification module 402, can be close to first after distorting during sign test Text carries out HASH and abstract is calculated, which utilizes the first public key pair of identity card card-reading terminal with secure verification module 402 The abstract that the signature value of first ciphertext is decrypted must be different, cause sign test that can not pass through, therefore, by close to first The signature value of text, which carries out sign test, may determine that whether the first ciphertext is tampered, and guarantee the integrality of received first ciphertext.If Secure verification module 402 cannot be to reception using the session key that identity card card reading responding device and identity card card-reading terminal just have To the first ciphertext be decrypted, illustrate that first ciphertext is not what identity card card-reading terminal issued, therefore, to the first ciphertext The legitimacy that data source can be confirmed is decrypted；If third party is truncated to the first ciphertext, since third party can not obtain The session key that identity card card reading responding device and identity card card-reading terminal just have, therefore the first ciphertext cannot be decrypted, The first authentication data can not be obtained, therefore, the first ciphertext, which is decrypted, can prevent the first authentication data in network transmission It illegally stolen, read, guarantee the transmission security of the first authentication data.

In the present embodiment, the identifying algorithm that identity card card reading responding device is authorized using the Ministry of Public Security of preset configuration is to safety It verifies the first obtained authentication data to be authenticated, if certification passes through, realizes the certification to identity card legitimacy, i.e. body Part card is true legal；Then certification factor application request is generated, and certification factor application request is sent to identity card and is read Card responding device.Wherein, identity card card reading responding device the first authentication data is authenticated can use but be not limited to it is following Mode: mode one: what identity card card reading responding device generated itself using security key corresponding with identity card identification information The first certification factor carries out that MAC value is calculated, the first authentication data that the MAC value being calculated and safety verification are obtained into Row compares, if identical, passes through to the certification of the first authentication data.Mode two: identity card card reading responding device can use The first authentication data that safety verification obtains is decrypted in security key corresponding with identity card identification information, obtain certification because Son, and compare the obtained certification factor of decryption is generated with itself first whether authenticate the factor identical, if identical, to first The certification of authentication data passes through.Mode three: identity card card reading responding device can use peace corresponding with identity card identification information The first certification factor that full key pair itself generates is encrypted to obtain authentication data, and compare authentication data that encryption obtains with Whether the first authentication data that safety verification obtains is identical, if identical, passes through to the certification of the first authentication data.If body The certification that part card card reading responding device carries out the first authentication data passes through, then illustrates the security key and identity that identity card uses The security key that card card reading responding device uses is identical, illustrates that identity card is legal identity card, identity card card reading responding device By carrying out the authenticate-acknowledge legitimacy of identity card to the first authentication data.Identity card card reading responding device to presupposed information into Security key corresponding with identity card identification information is calculated in row.Optionally, if the certification carried out to the first authentication data Not over then terminating identity card card reading responding process.

As a kind of optional embodiment of the present embodiment, third data packet includes the second encryption data and the second number of signature According to；Secure processing module 404 carries out safe handling to certification factor application request in the following manner, obtains third data packet: Certification factor application request is encrypted using session key, obtains the second encryption data, and respond using identity card card reading The private key of device signs to the second encryption data, obtains the second signed data；Sending module 405 will include the second encryption number Identity card card-reading terminal is sent to according to the third data packet with the second signed data.Secure processing module 404 utilizes session key Certification factor application request is encrypted to obtain the second encryption data, even if third party intercepts the second encryption data, also can not Certification factor application request is obtained, it, cannot be using the session key to the second encryption number because of the not no session key of third party According to being decrypted, certification factor application request is obtained, only equally the identity card card-reading terminal with the session key could solve Therefore close second encryption data can be effectively prevented certification factor application request and illegally be stolen, be read in network transmission, Guarantee the safety of certification factor application request transmission.Second signed data is sent to identity card card reading end by sending module 405 Behind end, identity card card-reading terminal can execute sign test operation, if identity card card-reading terminal utilizes identity card card reading responding device The second signed data can be decrypted in public key, then illustrates that received second signed data is by identity card card reading responding device It issues, data source is legal；If identity card card-reading terminal cannot using the public key of identity card card reading responding device Second signed data is decrypted, then illustrates that received second signed data is issued by identity card card reading responding device , data source be it is illegal, therefore, sign to the second encryption data can make identity card card-reading terminal confirm number According to the legitimacy in source.If the second encryption data is distorted in transmission process by illegal person, identity card card-reading terminal exists During sign test, HASH can be carried out to the second encryption data after distorting and abstract is calculated, the abstract and identity card card reading are whole End must be different using the abstract that the second signed data is decrypted in the public key of identity card card reading responding device, cause to test Label can not pass through, and therefore, the second encryption data can be prevented to be tampered by signing to the second encryption data, guarantee identity Demonstrate,prove the integrality that card-reading terminal receives the second encryption data.In this optional embodiment, identity card card-reading terminal can use body The public key of part card card reading responding device carries out signature verification to the second signed data, after being verified, recycles session key Second encryption data is decrypted, obtains certification factor application request, and certification factor application request is sent to identity card.

As a kind of optional embodiment of the present embodiment, the 4th data packet includes the signature of the second ciphertext and the second ciphertext Value；Wherein, the second ciphertext is encrypted using session key to the two certification factors by identity card card-reading terminal, second The signature value of ciphertext is signed using the first private key of itself to the second ciphertext by identity card card-reading terminal.Safety Authentication module 402 carries out safety verification to the 4th data packet in the following manner, after safety verification passes through, obtains the second certification The factor: signature verification is carried out to the signature value of the second ciphertext using the First Certificate of identity card card-reading terminal, what is be verified In the case of, the second ciphertext is decrypted using session key, obtains the second certification factor；Otherwise terminate the response of identity card card reading Process.If secure verification module 402 using identity card card-reading terminal the first public key can signature value to the second ciphertext into Row decryption, then illustrate that the signature value of received second ciphertext is issued by identity card card-reading terminal, data source is legal 's；If secure verification module 402 using identity card card-reading terminal the first public key cannot signature value to the second ciphertext carry out Decryption, then illustrate that the signature value of received second ciphertext is issued by identity card card-reading terminal, data source is not conform to Method, therefore, carrying out signature verification to the signature value of the second ciphertext can be confirmed the legitimacy of data source.If the second ciphertext It is distorted in transmission process by illegal person, then secure verification module 402, can be to the second ciphertext after distorting during sign test It carries out HASH and abstract is calculated, the first public key of the abstract and the utilization identity card card-reading terminal of secure verification module 402 is to the The abstract that the signature value of two ciphertexts is decrypted must be different, cause sign test that can not pass through, therefore, by the second ciphertext Signature value carry out sign test and may determine that whether the second ciphertext is tampered, guarantee the integrality of received second ciphertext.If peace The session key that full authentication module 402 just has using identity card card reading responding device and identity card card-reading terminal cannot be to receiving The second ciphertext be decrypted, illustrate that second ciphertext is not what identity card card-reading terminal issued, therefore, to the second ciphertext into The legitimacy of data source can be confirmed in row decryption；If third party is truncated to the second ciphertext, since third party can not obtain body The session key that part card card reading responding device and identity card card-reading terminal just have, therefore the second ciphertext cannot be decrypted, nothing Method obtains the second certification factor, and therefore, the second ciphertext, which is decrypted, can prevent second certification factor quilt in network transmission It illegally steals, read, guarantee the transmission security of the second certification factor.

In the present embodiment, identification processing module 407 tests safety using the Processing Algorithm that the Ministry of Public Security of preset configuration authorizes It demonstrate,proves the second obtained certification factor to be handled, obtains the second authentication data.Wherein, identification processing module 407 is authenticated to second The factor, which carries out processing, can use but be not limited to following manner: mode one: identification processing module 407 identifies letter using with identity card It ceases corresponding security key and MAC value is calculated to the second certification factor progress MAC, which is exactly the second authentication data；Side Formula two: identification processing module 407 encrypts the second certification factor using security key corresponding with identity card identification information, Obtain the second authentication data.Identity card card reading responding device is calculated presupposed information corresponding with identity card identification information Security key.

As a kind of optional embodiment of the present embodiment, the 5th data packet includes third encryption data and third number of signature According to；Secure processing module 404 carries out safe handling to the second authentication data in the following manner, obtains the 5th data packet: using Session key encrypts the second authentication data, obtains third encryption data, and use the private of identity card card reading responding device Key signs to third encryption data, obtains third signed data；Sending module 405 will include third encryption data and third 5th data packet of signed data is sent to identity card card-reading terminal.Secure processing module 404 is recognized using session key second Card data are encrypted to obtain third encryption data, even if third party intercepts third encryption data, can not also obtain the second certification Data cannot be decrypted third encryption data using the session key because of the not no session key of third party, obtain the Two authentication datas, only equally the identity card card-reading terminal with the session key could decrypt third encryption data, therefore, can To effectively prevent the second authentication data illegally to be stolen, read in network transmission, guarantee the safety of the second authentication data transmission Property.After third signed data is sent to identity card card-reading terminal by sending module 405, identity card card-reading terminal can execute sign test behaviour Make, if identity card card-reading terminal can be decrypted third signed data using the public key of identity card card reading responding device, Then illustrate that received third signed data is issued by identity card card reading responding device, data source is legal；If Identity card card-reading terminal cannot be decrypted third signed data using the public key of identity card card reading responding device, then explanation connects The third signed data of receipts is issued by identity card card reading responding device, data source be it is illegal, therefore, to Three encryption datas, which carry out signature, can make the legitimacy of identity card card-reading terminal confirmation data source.If third encryption data exists It is distorted in transmission process by illegal person, then identity card card-reading terminal can encrypt number to the third after distorting during sign test Abstract is calculated according to HASH is carried out, the abstract and identity card card-reading terminal utilize the public key of identity card card reading responding device to the The abstract that three signed datas are decrypted must be different, cause sign test that can not pass through, therefore, by third encryption data Carrying out signature can prevent third encryption data to be tampered, and guarantee that identity card card-reading terminal receives the complete of third encryption data Property.In this optional embodiment, the public key that identity card card-reading terminal can use identity card card reading responding device signs to third Data carry out signature verification, after being verified, recycle session key that third encryption data is decrypted, obtain second and recognize Data are demonstrate,proved, and the second authentication data is sent to identity card.

In the present embodiment, after identity card receives the second authentication data of identity card card-reading terminal transmission, first with pre- Identifying algorithm built in elder generation authenticates the second authentication data, and after certification passes through, and sends body to identity card card-reading terminal Part card data ciphertext.Wherein, identity card data ciphertext is usually that resident identification card number, name, photo, age, address, card make With the ciphertext of the data such as the time limit and/or fingerprint.Wherein, identity card authenticates the second authentication data and can use but be not limited to Following manner: mode one: identity card is calculated using the second certification factor that built-in security key generates itself The MAC value being calculated is compared, if identical, to second by MAC value with the second authentication data that safety verification obtains The certification of authentication data passes through.Mode two: identity card can use built-in security key second to be recognized to what safety verification obtained Card data are decrypted, and obtain the certification factor, and compare the certification factor that decryption obtains and the second certification factor that itself is generated It is whether identical, if identical, the certification of the second authentication data is passed through.Mode three: identity card can use built-in safety The second certification factor that key pair itself generates is encrypted to obtain authentication data, and compares authentication data and peace that encryption obtains It is whether identical that the second obtained authentication data is verified entirely, if identical, the certification of the second authentication data is passed through.If identity Card passes through the certification of the second authentication data, illustrates the peace built in security key and identity card that identity card card reading responding device uses Full key is identical, illustrates that identity card card reading responding device is legal identity card card reading responding device, identity card passes through to second Authentication data carries out the authenticate-acknowledge legitimacy of identity card card reading responding device.As an alternative embodiment, if The certification carried out to the second authentication data is not over then terminating identity card card reading responding process.Identity card card-reading terminal is to body Part card data ciphertext carries out safe handling, obtains the 6th data packet, and the 6th data packet is sent to identity card card reading response dress It sets.As an alternative embodiment, identity card card-reading terminal can pass through information included by identity card data ciphertext One data packet is once sent to identity card card reading responding device, it is of course also possible to by letter included by identity card data ciphertext Breath is sent to identity card card reading responding device by multiple data packets several times.

As a kind of optional embodiment of the present embodiment, the 6th data packet includes the signature of third ciphertext and third ciphertext Value；Wherein, third ciphertext is to be encrypted by identity card card-reading terminal using session key identity card data ciphertext, the The signature value of three ciphertexts is signed using the first private key of itself to third ciphertext by identity card card-reading terminal.Peace Full authentication module 402, carries out safety verification to the 6th data packet in the following manner, after safety verification passes through, obtains identity card Data ciphertext: carrying out signature verification to the signature value of third ciphertext using the First Certificate of identity card card-reading terminal, logical in verifying In the case where crossing, third ciphertext is decrypted using session key, obtains identity card data ciphertext；Otherwise terminate identity card reading Card responding process.If secure verification module 402 can be to the label of third ciphertext using the first public key of identity card card-reading terminal Name value is decrypted, then illustrates that the signature value of received third ciphertext is issued by identity card card-reading terminal, data source It is legal；If secure verification module 402 cannot be to the signature of third ciphertext using the first public key of identity card card-reading terminal Value is decrypted, then illustrates that the signature value of received third ciphertext is issued by identity card card-reading terminal, data source Be it is illegal, therefore, carrying out signature verification to the signature value of third ciphertext can be confirmed the legitimacy of data source.If the Three ciphertexts are distorted in transmission process by illegal person, then secure verification module 402, can be to after distorting during sign test Three ciphertexts carry out HASH and abstract are calculated, which utilizes the first public affairs of identity card card-reading terminal with secure verification module 402 The abstract that the signature value of third ciphertext is decrypted in key must be different, cause sign test that can not pass through, therefore, by the The signature value of three ciphertexts, which carries out sign test, may determine that whether third ciphertext is tampered, and guarantee the integrality of received third ciphertext. If secure verification module 402 cannot be right using the session key that identity card card reading responding device and identity card card-reading terminal just have The third ciphertext received is decrypted, and illustrates that the third ciphertext is not what identity card card-reading terminal issued, therefore, to third The legitimacy that data source can be confirmed is decrypted in ciphertext；If third party is truncated to third ciphertext, since third party can not The session key that acquisition identity card card reading responding device and identity card card-reading terminal just have, therefore third ciphertext cannot be solved It is close, identity card data ciphertext can not be obtained, therefore, third ciphertext, which is decrypted, can prevent identity card data ciphertext in network It illegally stolen, read in transmission, guarantee the transmission security of identity card data ciphertext.

In the present embodiment, after the 7th data packet is sent to identity card card-reading terminal by sending module 405, identity card card reading is rung It should succeed, terminate identity card card reading responding process.

As a kind of optional embodiment of the present embodiment, sending module 405 can will be included by identity card data clear text Information by a data packet, identity card card-reading terminal is once sent to, it is of course also possible to which identity card data clear text is wrapped The information included is sent to identity card card-reading terminal by multiple data packets several times.

As a kind of optional embodiment of the present embodiment, the 7th data packet includes the 4th encryption data and the 4th number of signature According to；Secure processing module 404 carries out safe handling to identity card data clear text in the following manner, obtains the 7th data packet: making Identity card data clear text is encrypted with session key, obtains the 4th encryption data, and use identity card card reading responding device Private key sign to the 4th encryption data, obtain the 4th signed data.Sending module 405 will include the 4th encryption data and 7th data packet of the 4th signed data is sent to identity card card-reading terminal.Secure processing module 404 is using session key to body Part card data clear text is encrypted to obtain the 4th encryption data, even if third party intercepts the 4th encryption data, can not also obtain body Part card data clear text, because the not no session key of third party, cannot solve the 4th encryption data using the session key It is close, identity card data clear text is obtained, only equally the identity card card-reading terminal with the session key could decrypt the 4th encryption Therefore data can be effectively prevented identity card data clear text and illegally be stolen, be read in network transmission, guarantee identity card number According to the safety of plaintext transmission.After 4th signed data is sent to identity card card-reading terminal by sending module 405, identity card card reading Terminal can execute sign test operation, if identity card card-reading terminal can be signed using the public key of identity card card reading responding device to the 4th Name data are decrypted, then illustrate that received 4th signed data is issued by identity card card reading responding device, and data are come Source is legal；If identity card card-reading terminal using identity card card reading responding device public key cannot to the 4th signed data into Row decryption, then illustrate that received 4th signed data is issued by identity card card reading responding device, data source is not Legal, therefore, secure processing module 404, which signs to the 4th encryption data, can make identity card card-reading terminal confirm data The legitimacy in source.If the 4th encryption data is distorted in transmission process by illegal person, identity card card-reading terminal is being tested During label, HASH can be carried out to the 4th encryption data after distorting and abstract is calculated, the abstract and identity card card-reading terminal Must be different using the abstract that the 4th signed data is decrypted in the public key of identity card card reading responding device, lead to sign test It can not pass through, therefore, the 4th encryption data can be prevented to be tampered by signing to the 4th encryption data, guarantee identity card Card-reading terminal receives the integrality of the 4th encryption data.In this optional embodiment, identity card card-reading terminal can use identity The public key for demonstrate,proving card reading responding device carries out signature verification to the 4th signed data, after being verified, recycles session key pair 4th encryption data is decrypted, and obtains identity card data clear text.

As a kind of optional embodiment of the present embodiment, as shown in figure 4, identity card card reading provided in this embodiment responds Device can also include: receiving module 401, be also used to carry out safety to card reading request data package in secure verification module 402 to test Before card, the session key request data package that identity card card-reading terminal is sent is received, wherein session key request data package includes The First Certificate of first random factor, the signature value of the first random factor and identity card card-reading terminal；Secure verification module 402, It is also used to verify the legitimacy of First Certificate, and after being verified, using First Certificate to the first random factor Signature value carries out signature verification；4th generation module 410, in the case where signature verification passes through, generate second it is random because Son；Secure processing module 404 is also used to encrypt the first random factor and the second random factor, obtains the 5th encryption number According to, and signed using the private key of identity card card reading responding device to the 5th encryption data, obtain the 5th signed data；It sends Module 405 is also used to the 8th data packet being sent to identity card card-reading terminal, wherein the 8th data packet includes the 5th encryption number According to, the certificate of the 5th signed data and identity card card reading responding device；5th generation module 411, in the 4th generation module After 410 generate the second random factor, session key is generated according to the first random factor and the second random factor.

In this optional embodiment, if secure verification module 402 can using the first public key of identity card card-reading terminal The signature value of first random factor is decrypted, then illustrates that the signature value of received first random factor is by identity card card reading What terminal issued, data source is legal；If secure verification module 402 utilizes the first public key of identity card card-reading terminal Cannot the signature value to the first random factor be decrypted, then illustrate that the signature value of received first random factor is not by identity Demonstrate,prove what card-reading terminal issued, data source be it is illegal, therefore, signature verification is carried out to the signature value of the first random factor The legitimacy of data source can be confirmed.If the first random factor is distorted in transmission process by illegal person, safety is tested Module 402 is demonstrate,proved during sign test, HASH can be carried out to the first random factor after distorting and abstract is calculated, the abstract and peace Full authentication module 402402 is decrypted the signature value of the first random factor using the first public key of identity card card-reading terminal The abstract arrived must be different, cause sign test that can not pass through, and therefore, carrying out sign test by the signature value to the first random factor can be with Judge whether the first random factor is tampered, guarantees the integrality of received first random factor.

Optionally, if secure verification module 402 to the sign test of the signature value of the first random factor not over terminating meeting Talk about key request responding process.

In this optional embodiment, the 5th generation module 411 is random to the first random factor and second using preset algorithm The factor generates session key.

In this optional embodiment, secure processing module 404 using identity card card-reading terminal First Certificate to first with The machine factor and the second random factor are encrypted, and the 5th encryption data is obtained.Secure processing module 404 is using session key to the One random factor and the second random factor are encrypted to obtain the 5th encryption data, even if third party intercepts the 5th encryption data, Also the first random factor and the second random factor can not be obtained, because the not no session key of third party, cannot utilize the session The 5th encryption data of key pair is decrypted, and obtains the first random factor and the second random factor, only equally has the session The identity card card-reading terminal of key could decrypt the 5th encryption data, therefore, the first random factor and second can be effectively prevented Random factor is illegally stolen in network transmission, is read, and guarantees the safety of the first random factor and the transmission of the second random factor Property.After 5th signed data is sent to identity card card-reading terminal by sending module 405, identity card card-reading terminal can execute sign test behaviour Make, if identity card card-reading terminal can be decrypted the 5th signed data using the public key of identity card card reading responding device, Then illustrate that received 5th signed data is issued by identity card card reading responding device, data source is legal；If Identity card card-reading terminal cannot be decrypted the 5th signed data using the public key of identity card card reading responding device, then explanation connects The 5th signed data received is issued by identity card card reading responding device, data source be it is illegal, therefore, to the Five encryption datas, which carry out signature, can make the legitimacy of identity card card-reading terminal confirmation data source.If the 5th encryption data exists It is distorted in transmission process by illegal person, then identity card card-reading terminal can encrypt number to the 5th after distorting during sign test Abstract is calculated according to HASH is carried out, the abstract and identity card card-reading terminal utilize the public key of identity card card reading responding device to the The abstract that five signed datas are decrypted must be different, cause sign test that can not pass through, therefore, by the 5th encryption data Carrying out signature can prevent the 5th encryption data to be tampered, and guarantee that identity card card-reading terminal receives the complete of the 5th encryption data Property.

In this optional embodiment, after identity card card-reading terminal receives the 8th data packet, responded using identity card card reading The certificate of device carries out signature verification to the 5th signed data, private using the first of identity card card-reading terminal after being verified The 5th encryption data is decrypted in key, obtains the first random factor and the second random factor, decryption is obtained first random The factor is compared with the first random factor that itself is generated, if identical, illustrates that identity card card reading responding device has received It is generated to the first random factor and received first random factor of identity card card reading responding device and identity card card-reading terminal First random factor is identical, and identity card card-reading terminal is using algorithm identical with above-mentioned preset algorithm to the first random factor and the Two random factors are calculated, and session key identical with the session key of identity card card reading responding device are generated, in this way, identity The phase that card card reading responding device can carry out identity card by the Session key establishment exit passageway with identity card card-reading terminal Data transmission is closed, can be improved the safety of data transmission；If it is not the same, then illustrating that identity card card reading responding device is received The first random factor that first random factor is generated with identity card card-reading terminal is different, identity card card-reading terminal and identity card Not phase is calculated to respective first random factor and the second random factor using identical preset algorithm in card reading responding device Two same session keys, identity card card-reading terminal and identity card card reading responding device cannot decrypt the encryption number that other side sends According to.

As a kind of optional embodiment of the present embodiment, as shown in figure 4, identity card card reading provided in this embodiment responds Device can also include: receiving module 401, be also used to receive identity card card-reading terminal send card reading request data package it Before, receive the card seeking request data package that identity card card-reading terminal is sent, wherein card seeking request data package includes card seeking request data The First Certificate and the second certificate of ciphertext, the signature value of card seeking request data ciphertext and identity card card-reading terminal；Safety verification Module 402 is also used to verify the legitimacy of First Certificate, after being verified, is requested using First Certificate card seeking The signature value of data ciphertext carries out signature verification and uses the certification decruption key pair of acquisition in the case where signature verification passes through Card seeking request data ciphertext is decrypted, and obtains card seeking request data；Third generation module 409, for card seeking request data It is responded, generates card seeking request response data；Secure processing module 404 is also used for session key and requests to ring to card seeking It answers data to be encrypted, obtains the 6th encryption data, and encrypt to session key using the second certificate, obtain session key Ciphertext；It is signed using the private key of identity card card reading responding device to the 6th encryption data and session key ciphertext, obtains Six signed datas；Sending module 405 is also used to card seeking request response data packet being sent to identity card card-reading terminal, wherein seek Card request response data packet includes the 6th encryption data and the 6th signed data.

Optionally, card seeking request data includes timestamp and/or terminal counter；Sending module 405, is also used in safety Authentication module 402 is decrypted card seeking request data ciphertext using the certification decruption key of acquisition, obtains card seeking request data Later, timestamp and/or terminal counter are sent to dispatch server.Dispatch server can be according to timestamp, terminal meter The information such as number device carry out the frequency control and blacklist automatic capture of identity card card-reading terminal, and suspicious identity card card reading is whole Blacklist is added in end.

Optionally, before the card seeking request data package that receiving module 401 receives that identity card card-reading terminal is sent, scheduling clothes Business device can receive the request of the access cloud authentication platform of identity card card-reading terminal, obtain the identification information of identity card card-reading terminal, Whether allow identity card card-reading terminal reading identity card according to the identification information judgment of identity card card-reading terminal；Allow body determining In the case where part card card-reading terminal reading identity card, after the card seeking request data package for receiving the transmission of identity card card-reading terminal, Working condition inquiry request is sent to the cloud authentication database of cloud authentication platform；Cloud authentication database receives dispatch server and sends Working condition inquiry request, the work shape of each identity card card reading responding device in the compass of competency of query scheduling server State, and query result is sent to dispatch server；Dispatch server receives the query result that cloud authentication database is sent, and root It is investigated that asking as a result, selecting a working condition for idle identity card card reading responding device, by the identity card card reading response of selection The identification information of device is sent to identity card card-reading terminal.Wherein, whether dispatch server can be judged by the following manner permits Perhaps identity card card-reading terminal reading identity card: the identification information of identity card card-reading terminal includes First Certificate and the second certificate；It can To verify using legitimacy of the root certificate to First Certificate, if being verified, identity card card-reading terminal is allowed to read body Part card；If verifying does not pass through, identity card card-reading terminal reading identity card is not allowed；And/or it can use root certificate to second The legitimacy of certificate is verified, if being verified, allows identity card card-reading terminal reading identity card；If verifying does not pass through, Identity card card-reading terminal reading identity card is not allowed then.

Optionally, after selecting identity card card reading responding device of the working condition for the free time, dispatch server meeting Authentication code is generated, authentication code is respectively sent to identity card card-reading terminal and cloud authentication database；Cloud authentication database storage mirror Weighted code, and when reaching the validity period of authentication code, delete authentication code；Card seeking request data package further includes authentication code ciphertext, identity Authentication code ciphertext is decrypted in card card reading responding device, obtains authentication code；As shown in figure 4, described device further includes inquiry mould Block 412, if being stored with, continues to execute operation, otherwise terminates for inquiring in cloud authentication database whether be stored with authentication code Process.Specifically, dispatch server will generate after distribution port is to the identity card card reading responding device of working condition free time Authentication code be separately sent to be stored in identity card card-reading terminal and cloud authentication database, identity card card-reading terminal is using recognizing Card encryption key encrypts the authentication code, obtains authentication code ciphertext；Identity card card reading responding device is close using certification decryption The authentication code ciphertext is decrypted in key, obtains authentication code, sends inquiry request to cloud authentication database, inquires cloud authentication data It whether is stored with the authentication code in library, if being stored with, generates card seeking request response data, otherwise terminates card seeking responding process. Wherein, which has timeliness, and when being more than scheduled duration, cloud authentication database just will be deleted the authentication code of storage, mirror Weighted code failure, above-mentioned inquiry operation failure, terminates transaction response, and therefore, setting authentication code can identify whether transaction is legal, from And determine whether that continuous business responds, guarantee the safety of identity card card reading responding process.The authentication code can be one or one String random number can be perhaps one or any combination of a string of random characters or a string of random numbers and random character, at this It is not especially limited in embodiment.

In this optional embodiment, if secure verification module 402 can using the first public key of identity card card-reading terminal The signature value of card seeking request data ciphertext is decrypted, then illustrates that the signature value of received card seeking request data ciphertext is by body Part card card-reading terminal issues；If secure verification module 402 cannot be to card seeking using the first public key of identity card card-reading terminal The signature value of request data ciphertext is decrypted, then illustrates that the signature value of received card seeking request data ciphertext is not by identity card What card-reading terminal issued, therefore, carrying out signature verification to the signature value of card seeking request data ciphertext can be confirmed data source Legitimacy.If card seeking request data ciphertext is distorted in transmission process by illegal person, secure verification module 402 is in sign test In the process, HASH can be carried out to the card seeking request data ciphertext after distorting and abstract is calculated, the abstract and secure verification module 402 must using the abstract that the signature value of card seeking request data ciphertext is decrypted in the first public key of identity card card-reading terminal Fixed difference, causes sign test that can not pass through, and therefore, may determine that and seeks by the signature value progress sign test to card seeking request data ciphertext Whether card request data ciphertext is tampered, and guarantees the integrality of received card seeking request data ciphertext.If secure verification module 402 session keys just having using identity card card reading responding device and identity card card-reading terminal cannot request the card seeking received Data ciphertext is decrypted, and illustrates that the card seeking request data ciphertext is not what identity card card-reading terminal issued, therefore, to card seeking The legitimacy that data source can be confirmed is decrypted in request data ciphertext；If third party is truncated to card seeking, request data is close Text, due to the session key that third party can not obtain identity card card reading responding device and identity card card-reading terminal just has, no Card seeking request data ciphertext can be decrypted, card seeking request data can not be obtained, therefore, card seeking request data ciphertext is carried out Decryption can prevent card seeking request data from illegally being stolen, being read in network transmission, and correctly read card seeking request data.

In this optional embodiment, secure verification module 402 will decrypt card seeking request data ciphertext, need to obtain certification solution Key, the certification decruption key can be identical key, i.e. symmetric key with above-mentioned authenticated encryption key.Obtain certification solution Key can use but be not limited to following manner: mode one: certification decruption key preset configuration is responded in identity card card reading and is filled In setting, authenticated encryption key also preset configuration in identity card card-reading terminal.Mode two: the acquisition of identity card card reading responding device is recognized Demonstrate,prove the protection key of decruption key ciphertext and cloud authentication database, wherein certification decruption key ciphertext is cloud authentication database What the authenticated encryption key of the protection each identity card card-reading terminal of key pair was encrypted, identity card card reading responding device benefit It is decrypted with protection key pair certification decruption key ciphertext, obtains certification decruption key.It is read receiving identity card for the first time After data of the card terminal using the encryption of authenticated encryption key, identity card card reading responding device is using certification decruption key to receiving The data that send for the first time of identity card card-reading terminal be decrypted, guarantee identity card card reading responding device and identity card card-reading terminal Transmission data safety；In the present embodiment, card seeking request data ciphertext is the number that identity card card-reading terminal is sent for the first time According to.

In this optional embodiment, secure processing module 404 adds card seeking request response data using session key It is close to obtain the 6th encryption data, even if third party intercepts the 6th encryption data, card seeking request response data can not be also obtained, because The not no session key of third party cannot be decrypted the 6th encryption data using the session key, obtain card seeking request and ring Data are answered, only equally the identity card card-reading terminal with the session key could decrypt the 6th encryption data, therefore, Ke Yiyou Effect prevents card seeking request response data from illegally being stolen, being read in network transmission, guarantees the transmission of card seeking request response data Safety.After 6th signed data is sent to identity card card-reading terminal by sending module 405, identity card card-reading terminal can be executed and be tested Label operation, if identity card card-reading terminal can solve the 6th signed data using the public key of identity card card reading responding device It is close, then illustrate that received 6th signed data is issued by identity card card reading responding device, data source is legal；Such as Fruit identity card card-reading terminal cannot be decrypted the 6th signed data using the public key of identity card card reading responding device, then illustrate Received 6th signed data is issued by identity card card reading responding device, data source be it is illegal, it is therefore, right 6th encryption data, which carries out signature, can make the legitimacy of identity card card-reading terminal confirmation data source.If the 6th encryption data It is distorted in transmission process by illegal person, then identity card card-reading terminal can encrypt the 6th after distorting during sign test Data carry out HASH and abstract are calculated, which utilizes the public key pair of identity card card reading responding device with identity card card-reading terminal The abstract that 6th signed data is decrypted must be different, cause sign test that can not pass through, therefore, by the 6th encryption number The 6th encryption data can be prevented to be tampered according to signature is carried out, guarantee that identity card card-reading terminal receives the complete of the 6th encryption data Property.In this optional embodiment, secure verification module 402 are sent identity card card-reading terminal using certification decruption key for the first time Data (such as card seeking request data package of the present embodiment) be decrypted, and utilize the session key that newly obtains to subsequent The data sent or received carry out enciphering/deciphering processing and mention in this way, can establish data security channel with identity card card-reading terminal High data transmission security.

In this optional embodiment, identity card card-reading terminal is receiving the card seeking request response that sending module 405 sends After data packet, signature verification is carried out to the 6th signed data using the certificate of identity card card reading responding device, after being verified, Utilize the second private key (the second public key in second private key and the second certificate of identity card card-reading terminal of identity card card-reading terminal It is a pair of of unsymmetrical key) session key ciphertext is decrypted, session key is obtained, session key is recycled to encrypt to the 6th Data are decrypted, and obtain card seeking request response data；The session key is stored, can be pacified later by Session key establishment Full tunnel, the related data for carrying out identity card with identity card card reading responding device are transmitted, and guarantee the safety of data transmission.

Any process described otherwise above or method description are construed as in flow chart or herein, and expression includes It is one or more for realizing specific logical function or process the step of executable instruction code module, segment or portion Point, and the range of the preferred embodiment of the present invention includes other realization, wherein can not press shown or discussed suitable Sequence, including according to related function by it is basic simultaneously in the way of or in the opposite order, Lai Zhihang function, this should be of the invention Embodiment person of ordinary skill in the field understood.

It should be appreciated that each section of the invention can be realized with hardware, software, firmware or their combination.Above-mentioned In embodiment, software that multiple steps or method can be executed in memory and by suitable instruction execution system with storage Or firmware is realized.It, and in another embodiment, can be under well known in the art for example, if realized with hardware Any one of column technology or their combination are realized: having a logic gates for realizing logic function to data-signal Discrete logic, with suitable combinational logic gate circuit specific integrated circuit, programmable gate array (PGA), scene Programmable gate array (FPGA) etc..

Those skilled in the art are understood that realize all or part of step that above-described embodiment method carries It suddenly is that relevant hardware can be instructed to complete by program, the program can store in a kind of computer-readable storage medium In matter, which when being executed, includes the steps that one or a combination set of embodiment of the method.

It, can also be in addition, each functional unit in each embodiment of the present invention can integrate in a processing module It is that each unit physically exists alone, can also be integrated in two or more units in a module.Above-mentioned integrated mould Block both can take the form of hardware realization, can also be realized in the form of software function module.The integrated module is such as Fruit is realized and when sold or used as an independent product in the form of software function module, also can store in a computer In read/write memory medium.

Storage medium mentioned above can be read-only memory, disk or CD etc..

In the description of this specification, reference term " one embodiment ", " some embodiments ", " example ", " specifically show The description of example " or " some examples " etc. means specific features, structure, material or spy described in conjunction with this embodiment or example Point is included at least one embodiment or example of the invention.In the present specification, schematic expression of the above terms are not Centainly refer to identical embodiment or example.Moreover, particular features, structures, materials, or characteristics described can be any One or more embodiment or examples in can be combined in any suitable manner.

Although the embodiments of the present invention has been shown and described above, it is to be understood that above-described embodiment is example Property, it is not considered as limiting the invention, those skilled in the art are not departing from the principle of the present invention and objective In the case where can make changes, modifications, alterations, and variations to the above described embodiments within the scope of the invention.The scope of the present invention By appended claims and its equivalent limit.

Claims

1. a kind of identity card card reading response method characterized by comprising

Identity card card reading responding device receives the card reading request data package that identity card card-reading terminal is sent, and requests the card reading Data packet carries out safety verification, after safety verification passes through, obtains identity card identification information, wherein the identity card card reading response Device is arranged in cloud authentication platform；

The first certification factor is generated, safe handling is carried out to the first certification factor, obtains the first data packet, and by described the One data packet is sent to the identity card card-reading terminal；

The second data packet that the identity card card-reading terminal is sent is received, and safety verification, peace are carried out to second data packet After being verified entirely, the first authentication data is obtained, wherein first authentication data is that identity card receives the identity card card reading Recognize after the first certification factor that terminal is sent and using the Processing Algorithm that the Ministry of Public Security of preset configuration authorizes described first What the card factor obtained after being handled；

First authentication data is authenticated, after certification passes through, generates certification factor application request；

The certification factor application is requested to carry out safe handling, obtains third data packet, and the third data packet is sent To the identity card card-reading terminal；

The 4th data packet that the identity card card-reading terminal is sent is received, and safety verification, peace are carried out to the 4th data packet After being verified entirely, the second certification factor is obtained；

The second certification factor is handled, the second authentication data is obtained；

Safe handling is carried out to second authentication data, obtains the 5th data packet, and the 5th data packet is sent to institute State identity card card-reading terminal；

The 6th data packet that the identity card card-reading terminal is sent is received, and safety verification, peace are carried out to the 6th data packet After being verified entirely, identity card data ciphertext is obtained；

The identity card data ciphertext is decrypted, identity card data clear text is obtained；

Safe handling is carried out to the identity card data clear text, obtains the 7th data packet, and the 7th data packet is sent to The identity card card-reading terminal.

2. the method according to claim 1, wherein

The card reading request data package includes the signature value of card reading request data ciphertext and the card reading request data ciphertext；To institute It states card reading request data package and carries out safety verification, after safety verification passes through, obtain identity card identification information, comprising: described in use The First Certificate of identity card card-reading terminal carries out signature verification to the signature value of the card reading request data ciphertext, is being verified In the case where, the card reading request data ciphertext is decrypted using session key, obtains the identity card identification information； And/or

First data packet includes the first encryption data and the first signed data；Safe place is carried out to the first certification factor Reason, comprising: the first certification factor is encrypted using session key, obtains first encryption data, and use institute The private key for stating identity card card reading responding device signs to first encryption data, obtains first signed data；With/ Or

Second data packet includes the signature value of the first ciphertext and first ciphertext；Safety is carried out to second data packet Verifying, after safety verification passes through, obtains the first authentication data, comprising: uses the First Certificate pair of the identity card card-reading terminal The signature value of first ciphertext carries out signature verification, close to described first using session key in the case where being verified Text is decrypted, and obtains first authentication data；And/or

The third data packet includes the second encryption data and the second signed data；Certification factor application request is pacified Full processing, comprising: certification factor application request is encrypted using session key, obtains second encryption data, And signed using the private key of the identity card card reading responding device to second encryption data, obtain second signature Data；And/or

4th data packet includes the signature value of the second ciphertext and second ciphertext；Safety is carried out to the 4th data packet Verifying, after safety verification passes through, obtains the second certification factor, comprising: uses the First Certificate pair of the identity card card-reading terminal The signature value of second ciphertext carries out signature verification, close to described second using session key in the case where being verified Text is decrypted, and obtains the second certification factor；And/or

5th data packet includes third encryption data and third signed data；Safe place is carried out to second authentication data Reason, comprising: second authentication data is encrypted using session key, obtains the third encryption data, and use institute The private key for stating identity card card reading responding device signs to the third encryption data, obtains the third signed data；With/ Or

6th data packet includes the signature value of third ciphertext and the third ciphertext；Safety is carried out to the 6th data packet Verifying, after safety verification passes through, obtains identity card data ciphertext, comprising: uses the First Certificate of the identity card card-reading terminal Signature verification is carried out to the signature value of the third ciphertext, in the case where being verified, using session key to the third Ciphertext is decrypted, and obtains the identity card data ciphertext；And/or

7th data packet includes the 4th encryption data and the 4th signed data；Safety is carried out to the identity card data clear text Processing, comprising: the identity card data clear text is encrypted using session key, obtains the 4th encryption data, and make It is signed with the private key of the identity card card reading responding device to the 4th encryption data, obtains the 4th number of signature According to.

3. method according to claim 1 or 2, which is characterized in that tested carrying out safety to the card reading request data package Before card, further includes:

The identity card card reading responding device receives the session key request data package that the identity card card-reading terminal is sent, In, the session key request data package includes the signature value and the identity of the first random factor, first random factor Demonstrate,prove the First Certificate of card-reading terminal；

The legitimacy of the First Certificate is verified, after being verified, using the First Certificate to described first with The signature value of the machine factor carries out signature verification, in the case where signature verification passes through, generates the second random factor；

First random factor and second random factor are encrypted, obtain the 5th encryption data, and described in use The private key of identity card card reading responding device signs to the 5th encryption data, obtains the 5th signed data；

8th data packet is sent to the identity card card-reading terminal, wherein the 8th data packet includes the 5th encryption The certificate of data, the 5th signed data and the identity card card reading responding device；

Wherein, after generating the second random factor, further includes: according to first random factor and second random factor Generate session key.

4. method according to claim 1 or 2, which is characterized in that asked receiving the card reading that identity card card-reading terminal is sent Before seeking data packet, further includes:

The identity card card reading responding device receives the card seeking request data package that the identity card card-reading terminal is sent, wherein institute Stating card seeking request data package includes card seeking request data ciphertext, the signature value and the identity of the card seeking request data ciphertext Demonstrate,prove the First Certificate and the second certificate of card-reading terminal；

The legitimacy of the First Certificate is verified, after being verified, the card seeking is asked using the First Certificate It asks the signature value of data ciphertext to carry out signature verification and uses the certification decruption key of acquisition in the case where signature verification passes through The card seeking request data ciphertext is decrypted, card seeking request data is obtained；

The card seeking request data is responded, card seeking request response data is generated；

The card seeking request response data is encrypted using session key, the 6th encryption data is obtained, uses described second Certificate encrypts the session key, obtains session key ciphertext, and use the private of the identity card card reading responding device Key signs to the 6th encryption data and the session key ciphertext, obtains the 6th signed data；

Card seeking request response data packet is sent to the identity card card-reading terminal, wherein the card seeking request response data packet Including the 6th encryption data and the 6th signed data.

5. method according to claim 1 or 2, which is characterized in that

Safety verification is being carried out to the card reading request data package, after safety verification passes through, after obtaining identity card identification information, Further include:

The identity card identification information is sent to dispatch server.

6. according to the method described in claim 4, it is characterized in that, the card seeking request data includes timestamp and/or terminal Counter；The card seeking request data ciphertext is decrypted in the certification decruption key using acquisition, obtains card seeking number of request According to later, further includes:

The timestamp and/or terminal counter are sent to dispatch server.

7. a kind of identity card card reading responding device characterized by comprising

Receiving module, for receiving the card reading request data package of identity card card-reading terminal transmission；

Secure verification module after safety verification passes through, obtains identity for carrying out safety verification to the card reading request data package Demonstrate,prove identification information；

First generation module, for generating the first certification factor；

Secure processing module obtains the first data packet for carrying out safe handling to the first certification factor；

Sending module, for first data packet to be sent to the identity card card-reading terminal；

The receiving module is also used to receive the second data packet that the identity card card-reading terminal is sent；

The secure verification module is also used to carry out safety verification to second data packet, after safety verification passes through, obtains the One authentication data, wherein first authentication data is that identity card receives the identity card card-reading terminal is sent described first The Processing Algorithm that the Ministry of Public Security after the certification factor using preset configuration authorizes obtains after handling the first certification factor 's；

Second generation module after certification passes through, generates certification factor application and asks for authenticating to first authentication data It asks；

The secure processing module is also used to request the certification factor application to carry out safe handling, obtains third data packet；

The sending module is also used to the third data packet being sent to the identity card card-reading terminal；

The receiving module is also used to receive the 4th data packet that the identity card card-reading terminal is sent；

The secure verification module is also used to carry out safety verification to the 4th data packet, after safety verification passes through, obtains the The two certification factors；

Identification processing module obtains the second authentication data for handling the second certification factor；

The secure processing module is also used to carry out safe handling to second authentication data, obtains the 5th data packet；

The sending module is also used to the 5th data packet being sent to the identity card card-reading terminal；

The receiving module is also used to receive the 6th data packet that the identity card card-reading terminal is sent；

The secure verification module is also used to carry out safety verification to the 6th data packet, after safety verification passes through, obtains body Part card data ciphertext；

Deciphering module obtains identity card data clear text for the identity card data ciphertext to be decrypted；

The secure processing module is also used to carry out safe handling to the identity card data clear text, obtains the 7th data packet；

The sending module is also used to the 7th data packet being sent to the identity card card-reading terminal.

8. device according to claim 7, which is characterized in that

The card reading request data package includes the signature value of card reading request data ciphertext and the card reading request data ciphertext；It is described Secure verification module carries out safety verification to the card reading request data package in the following manner, after safety verification passes through, obtains Identity card identification information: use the First Certificate of the identity card card-reading terminal to the signature value of the card reading request data ciphertext Signature verification is carried out the card reading request data ciphertext is decrypted using session key, obtains in the case where being verified To the identity card identification information；And/or

First data packet includes the first encryption data and the first signed data；The secure processing module, by with lower section Formula to it is described first certification the factor carry out safe handling, obtain the first data packet: using session key to it is described first certification because Son is encrypted, and obtains first encryption data, and using the private key of the identity card card reading responding device to described first Encryption data is signed, and first signed data is obtained；And/or

Second data packet includes the signature value of the first ciphertext and first ciphertext；The secure verification module, by with Under type carries out safety verification to second data packet, after safety verification passes through, obtains the first authentication data: using the body The First Certificate of part card card-reading terminal carries out signature verification to the signature value of first ciphertext, in the case where being verified, First ciphertext is decrypted using session key, obtains first authentication data；And/or

The third data packet includes the second encryption data and the second signed data；The secure processing module, by with lower section Formula to the certification factor application request carry out safe handling, obtain third data packet: using session key to the certification because Son application request is encrypted, and obtains second encryption data, and use the private key pair of the identity card card reading responding device Second encryption data is signed, and second signed data is obtained；And/or

4th data packet includes the signature value of the second ciphertext and second ciphertext；The secure verification module, by with Under type carries out safety verification to the 4th data packet, after safety verification passes through, obtains the second certification factor: using the body The First Certificate of part card card-reading terminal carries out signature verification to the signature value of second ciphertext, in the case where being verified, Second ciphertext is decrypted using session key, obtains the second certification factor；And/or

5th data packet includes third encryption data and third signed data；The secure processing module, by with lower section Formula carries out safe handling to second authentication data, obtains the 5th data packet: using session key to the second certification number According to being encrypted, the third encryption data is obtained, and using the private key of the identity card card reading responding device to the third Encryption data is signed, and the third signed data is obtained；And/or

6th data packet includes the signature value of third ciphertext and the third ciphertext；The secure verification module, by with Under type carries out safety verification to the 6th data packet, after safety verification passes through, obtains identity card data ciphertext: described in use The First Certificate of identity card card-reading terminal carries out signature verification to the signature value of the third ciphertext, the case where being verified Under, the third ciphertext is decrypted using session key, obtains the identity card data ciphertext；And/or

7th data packet includes the 4th encryption data and the 4th signed data；The secure processing module, by with lower section Formula carries out safe handling to the identity card data clear text, obtains the 7th data packet: using session key to the identity card number According to being encrypted in plain text, the 4th encryption data is obtained, and using the private key of the identity card card reading responding device to described 4th encryption data is signed, and the 4th signed data is obtained.

9. device according to claim 7 or 8, which is characterized in that further include:

The receiving module, be also used to the secure verification module to the card reading request data package carry out safety verification it Before, receive the session key request data package that the identity card card-reading terminal is sent, wherein the session key request data package First Certificate including the first random factor, the signature value of first random factor and the identity card card-reading terminal；

The secure verification module is also used to verify the legitimacy of the First Certificate, and after being verified, and uses The First Certificate carries out signature verification to the signature value of first random factor；

4th generation module, for generating the second random factor in the case where signature verification passes through；

The secure processing module is also used to encrypt first random factor and second random factor, obtain 5th encryption data, and signed using the private key of the identity card card reading responding device to the 5th encryption data, it obtains To the 5th signed data；

The sending module is also used to the 8th data packet being sent to the identity card card-reading terminal, wherein the 8th data Packet includes the certificate of the 5th encryption data, the 5th signed data and the identity card card reading responding device；

5th generation module is used for after the 4th generation module generates the second random factor, random according to described first The factor and second random factor generate session key.

10. device according to claim 7 or 8, which is characterized in that further include:

The receiving module is also used to before receiving the card reading request data package that identity card card-reading terminal is sent, described in reception The card seeking request data package that identity card card-reading terminal is sent, wherein the card seeking request data package includes that card seeking request data is close The signature value of literary, the described card seeking request data ciphertext and the First Certificate and the second certificate of the identity card card-reading terminal；

The secure verification module is also used to verify the legitimacy of the First Certificate, after being verified, uses institute It states First Certificate and signature verification is carried out to the signature value of the card seeking request data ciphertext, in the case where signature verification passes through, The card seeking request data ciphertext is decrypted using the certification decruption key of acquisition, obtains card seeking request data；

Third generation module generates card seeking request response data for responding to the card seeking request data；

The secure processing module is also used for session key and encrypts to the card seeking request response data, obtains Six encryption datas, and the session key is encrypted using second certificate, obtain session key ciphertext；Using described The private key of identity card card reading responding device signs to the 6th encryption data and the session key ciphertext, obtains the 6th Signed data；

The sending module is also used to for card seeking request response data packet to be sent to the identity card card-reading terminal, wherein described Card seeking request response data packet includes the 6th encryption data and the 6th signed data.

11. device according to claim 7 or 8, it is characterised in that:

The sending module is also used to carry out safety verification, peace to the card reading request data package in the secure verification module After being verified entirely, after obtaining identity card identification information, the identity card identification information is sent to dispatch server.

12. device according to claim 10, it is characterised in that: the card seeking request data includes timestamp and/or end Hold counter；

The sending module is also used to request the card seeking using the certification decruption key obtained in the secure verification module Data ciphertext is decrypted, and after obtaining card seeking request data, the timestamp and/or terminal counter are sent to scheduling clothes Business device.