CN1831865B - Electronic bank safety authorization system and method based on CPK - Google Patents
Electronic bank safety authorization system and method based on CPK Download PDFInfo
- Publication number
- CN1831865B CN1831865B CN2006100760202A CN200610076020A CN1831865B CN 1831865 B CN1831865 B CN 1831865B CN 2006100760202 A CN2006100760202 A CN 2006100760202A CN 200610076020 A CN200610076020 A CN 200610076020A CN 1831865 B CN1831865 B CN 1831865B
- Authority
- CN
- China
- Prior art keywords
- client
- data
- bank
- cpk
- random number
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 title claims description 30
- 238000013475 authorization Methods 0.000 title 1
- 238000012795 verification Methods 0.000 claims description 27
- 239000011159 matrix material Substances 0.000 claims description 11
- 238000004891 communication Methods 0.000 claims description 4
- 230000008676 import Effects 0.000 claims description 4
- 238000007689 inspection Methods 0.000 claims description 4
- 230000008569 process Effects 0.000 description 10
- 101100161469 Arabidopsis thaliana ABCB23 gene Proteins 0.000 description 7
- 101100132433 Arabidopsis thaliana VIII-1 gene Proteins 0.000 description 7
- 101100324822 Neurospora crassa (strain ATCC 24698 / 74-OR23-1A / CBS 708.71 / DSM 1257 / FGSC 987) fes-4 gene Proteins 0.000 description 7
- 101150115605 atm1 gene Proteins 0.000 description 7
- 101100289995 Caenorhabditis elegans mac-1 gene Proteins 0.000 description 5
- 238000012545 processing Methods 0.000 description 5
- 238000007726 management method Methods 0.000 description 4
- 230000008859 change Effects 0.000 description 3
- 238000013507 mapping Methods 0.000 description 3
- 230000027455 binding Effects 0.000 description 2
- 238000009739 binding Methods 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000012550 audit Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000000903 blocking effect Effects 0.000 description 1
- 230000002950 deficient Effects 0.000 description 1
- 238000000151 deposition Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 230000008929 regeneration Effects 0.000 description 1
- 238000011069 regeneration method Methods 0.000 description 1
- 230000004044 response Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/20—Point-of-sale [POS] network systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/04—Payment circuits
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F19/00—Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
- G07F19/20—Automatic teller machines [ATMs]
- G07F19/211—Software architecture within ATMs or in relation to the ATM network
Abstract
A safety certification system of electronic bank based on CPK comprises an account number card with the first CPK safety chip for obtaining system completeness code through transaction data and for using private key to make signature, client end with the second CPK safety chip for obtaining client end transaction data and system completeness code as well as signature and for generating random number to encipher data then to encipher random number, bank end with the third CPK safety chip for deciphering data from client end and for verifying signature and completeness code.
Description
Technical field
The present invention relates to digital communication safety certification field, particularly relate to a kind of e-bank's security certification system and method based on Conbined public or double key algorithm (CPK) safety certification.
Background technology
E-bank is meant by ATM, POS machine and deposits and withdraws and a kind of e commerce transactions of ta vservice.
Up to the present, all adopt magnetic card in the e-banking system,, play historical effect for payment has brought very big convenience.But security also has been subjected to very big challenge.The magnetic card verification system is that the method with symmetric key encryption realizes that promptly client's key also has in bank.Otherwise bank also just can't decryption verification.There are following two problems in this mode:
The one, because there are client's all information, particularly symmetric key and password in bank, so the information dropout of bank also relates to losing of customer information: losing several ten million user profile in the bank in the U.S., Hong Kong is exactly example.
The 2nd, bank has kept all information of client, so the internal staff of bank obtains password quite easily and steals client's deposit.If after the internal staff of bank has stolen customer deposit, and the client does not draw deposits, then may cause the client to lose, the prestige to bank impacts simultaneously.
Having another kind of method now is, adopts the PKI technical method of unsymmetrical key signature to realize the safety certification of e-bank, and this is a kind of passive safety certification means of defence.
(Pubic Key Infrastructure is present most widely used a kind of cryptographic algorithm PKI) to the Public Key Infrastructure algorithm, is an important component part of information security infrastructure, is a kind of blanket network security infrastructure.The PKI notion that to be the eighties in 20th century put forward by American scholar, in fact, empowerment management infrastructure, trusted timestamp service system, safe and secret management system, unified safe electronic government affair platform etc. construct the support that all be unable to do without it.In this algorithm, encryption key and decruption key have nothing in common with each other, and the people who sends information utilizes recipient's PKI to send enciphered message, and the recipient utilizes own proprietary private key to be decrypted again.This mode had both guaranteed the confidentiality of information, can guarantee information have non repudiation again.At present, public key system is widely used for fields such as ca authentication, digital signature and key change.Digital certificate authentication center CA, the audit RA of registration center (Registration Authority), the KM of KMC (Key Manager) are the key components of forming PKI.
But, the method of this e-banking system passive security authentication, the mechanism that needs the third party to prove, the support of the certificate repository of on-line operation must be arranged, and its maintenance has the database of mass data, takies a large amount of storage spaces, efficient during operation is not high yet, processing speed is very slow, can not adapt to the such public network safety of e-bank and enter the active requirement of shelter of credible requirement by passive protection, can't set up trusted system in the such ultra-large public network scope of e-bank.
Summary of the invention
The objective of the invention is to overcome above-mentioned defective and a kind of e-bank's Verification System and method based on CPK is provided, it does not need to safeguard the database of mass data, and the efficient of operation is greatly enhanced.
A kind of e-bank's security certification system based on CPK for realizing that the object of the invention provides comprises account card, client and bank's end, and client can be discerned account card, and client is held with bank and is connected.
Described account card comprises a CPK safety chip, is used for the transaction data according to user's input, utilizes transaction data to obtain the system integrity sign indicating number, utilizes with the corresponding private key of account number and by the CPK algorithm data integrity code is signed;
Described client comprises the 2nd CPK safety chip, is used for the data of sending according to account card the one CPK safety chip, and adds the client identification data, obtains the client transaction data; Obtain the client integrity code according to the client transaction data; Utilize client private key to the client integrity code being signed by the CPK algorithm; Produce random number then, utilize random number that client transaction data, integrity code and signature are encrypted, obtain the client encrypt data, the PKI that utilizes bank's end to provide is encrypted random number, obtains the random number encryption data;
Described bank end comprises the 3rd CPK safety chip, is used for the end private key by bank, utilizes the deciphering of CPK algorithm to obtain random number, utilizes the random number deciphering to obtain the client transaction data; Utilize client public key checking client signature credible then, the system integrity sign indicating number of simultaneous verification client transaction data, after checking is passed through, from the client transaction data, read the account card signature, utilize account card public key verifications account number signature credible, the system integrity sign indicating number of simultaneous verification transaction data after checking is passed through, is imported transaction data with the user and is handled at bank's end.
A described CPK safety chip, the 2nd CPK safety chip and the 3rd CPK safety chip comprise CPK algorithm function module, indentification protocol module and Internet Key Exchange Protocol module, the PKI matrix module, and corresponding to the private key of account card, client and bank's end sign.
Described account card is the smart card of band CPU.
Described client is ATM or POS machine.
Described the 2nd CPK safety chip and the 3rd CPK safety chip are the U rod.
Also comprise computer network, be used to connect client and bank end, carry out data communication, the transaction request of client is sent to bank's end from client.
For realizing that the object of the invention also provides a kind of e-bank's safety certifying method based on CPK, comprise the following steps:
Steps A) account card utilizes transaction data to obtain the system integrity sign indicating number according to the transaction data of user's input, utilizes with the corresponding private key of account number and by the CPK algorithm data integrity code is signed, and is transferred to client then;
Step B) the client data of sending according to account card, and add the client identification data, obtain the client transaction data; Obtain the client integrity code according to the client transaction data; Utilize client private key to the client integrity code being signed by the CPK algorithm; Produce random number then, utilize random number that client transaction data, integrity code and signature are encrypted, obtain the client encrypt data, the PKI that utilizes bank's end to provide is encrypted random number, obtain the random number encryption data, with the client encrypt data, client integrity code and random data enciphered data send bank's end to;
Step C) bank's end utilizes the deciphering of CPK algorithm to obtain random number by bank's end private key, utilizes the random number deciphering to obtain the client transaction data; Utilize client public key checking client signature credible then, the system integrity sign indicating number of simultaneous verification client transaction data, after checking is passed through, from the client transaction data, read the account card signature, utilize account card public key verifications account number signature credible, the system integrity sign indicating number of simultaneous verification transaction data after checking is passed through, is imported transaction data with the user and is handled at bank's end.
Step D) after checking is passed through, bank's end is preserved exchange hour, client signature and account card signed data.
Described steps A) can comprise the following steps:
Steps A 1) after the user inserts account card bank client end equipment application transaction, client provides the user to enter password after confirming account card that this card can discern for this machine, and whether the inspection user password is correct; If correct, then the prompting transaction is proceeded; Otherwise the prompting user re-enters or closes the trade;
Steps A 2) after the user imports correct password, client device prompting transaction content;
Steps A 3) account card obtains the system integrity sign indicating number of user input data according to the data of user's input, utilizes the system integrity sign indicating number being signed with the corresponding private key of account number of preserving in the account card then; And with the data of user input, system integrity sign indicating number and signature send client together to.
Described step B) can comprise the following steps:
Step B1) client is received the data of user's input that account card sends, and behind system integrity sign indicating number and the signature, adds the client identification data, obtains the client transaction data of this transaction;
Step B2) client is utilized the client transaction data of this transaction, generates the client integrity code of this transaction;
Step B3) client utilizes client private key that the client sign indicating number is signed;
Step B4) client generates random number, utilizes random number, by the CPK algorithm client transaction data is encrypted, and obtains the client encrypt data;
Step B5) client utilize bank end PKI with random number encryption, obtain encrypted random number;
Step B6) client is the client encrypt data, the client integrity code, and the client signature, the client encrypt data, and encrypted random number sends bank's end in the lump to.
Described step C) can comprise the following steps:
Step C1) bank's end equipment is received the client encrypt data that client device sends, client integrity code, client signature, the client encrypt data, and behind the encrypted random number, bank's end utilizes the private key of oneself, the encrypted random number that deciphering is received obtains original random number;
Step C2) bank's end utilizes the public key verifications client signature of client, confirms the credibility of client, and checking client system integrity sign indicating number, the data consistent that data that affirmation is received and client transmit;
Step C3) bank's end utilizes random number, and by the CPK algorithm, deciphering client encrypt data obtain former client transaction data;
Step C4) bank's end is preserved the client identification data, utilizes the signature of the public key verifications account card of account card, confirms the account card credibility, and checking account card system integrity sign indicating number, the data consistent of the data that affirmation is received and user's input.
The invention has the beneficial effects as follows: e-bank's Verification System and method based on CPK of the present invention, it utilizes limited factor, to identify and key bindings by mapping algorithm, realize ultra-large key management with very little resource, need not the third party proves, do not need the support of database, so system does not need to safeguard.It adapts to different trading environment and transaction-based requirements, for account number, the amount of money, place and the time etc. of concluding the business provide credible (being responsible for property) to prove.
Description of drawings
Fig. 1 is the e-bank's security certification system structural representation based on CPK of the present invention.
Embodiment
Further describe e-bank's Verification System and the method based on CPK of the present invention below in conjunction with accompanying drawing.
Usually, existing e-banking system is made of client and bank's end (Portal),
The transaction that the user carries out on ATM and POS machine.With the ATM system is example, and bank's end (Portal) and ATM constitute radial network, constitute a radial network between ATM and the client again.
Client, the user allows the remote client of bank to initiate the monetary transaction request that will handle automatically selectively, comprises ATM or POS machine.
Bank's end is used for the customer in response end, automatic reception and the described monetary transaction request of processing client.
Connect carry out between client and the bank end data communication computer network, be used for transaction request with client and send bank to from client and hold.
As shown in Figure 1, e-bank of the present invention security certification system, it is included in the CPK chip of client and bank's end, and account card, utilizes CPK key authentication algorithm, the data security transmission of foundation from user to the client and between bank's end.
(Combined Pubic Key CPK) is based on the public key algorithm of sign to the Conbined public or double key algorithm, and its KMC generates private key calculating parameter (private key calculates base) and the PKI calculating parameter (PKI calculates basic) that corresponds to each other; According to the sign that first user provides, utilize described private key calculating parameter to calculate first user's private key, and the private key that is produced is offered first user; And announce described PKI calculating parameter, so that second user can utilize described PKI calculating parameter according to first user's sign after the sign that obtains first user, calculate first user's PKI.
E-bank of the present invention security certification system utilizes the CPK chip to realize, comprises the CPK algorithm function module in the CPK algorithm in the CPK chip, the indentification protocol module, the Internet Key Exchange Protocol module, PKI matrix module, and the private key of holding sign corresponding to account card, client and bank.
Have CPK algorithm function module, an indentification protocol module among the present invention, applicant's Chinese invention patent application 2005100021564 based on the key generation apparatus of sign and method in embodiment described, quote in full in the present invention.The algorithm function module of CPK and indentification protocol module provide required all parameters of authentication and agreement, utilize the PKI matrix then just can calculate the PKI of any entity.
CPK safety chip of the present invention can be embedded in the U rod, also can be embedded in the account card.All signature functions, authentication function and key-switch function all carry out in the CPK safety chip.Just can utilize the CPK algorithm to sign by the private key in the CPK algorithm, have PKI (times point) matrix just can verify the signature of any sign.PKI (times point) matrix is open variable, can be placed in U rod or the account card, also can be placed on places such as ATM, POS machine, bank's door.
The format surface of user's account card is the same with present magnetic stripe card, mainly is distribution name, serial number and number of the account, can set up number of the account in the interim registration of bank counter.The number of the account of account card is defined when dispatching from the factory by trade company, the good number of the account private key of configured in advance.Private key deposits in the chip under password encryption, and the function of change password is provided.
Account card realizes there is the private key of this number of the account with the smart card (IC) of band CPU, and private key also is subjected to virtual protection except that physical protection, promptly store under user password and system integrity sign indicating number double-encryption.The system integrity sign indicating number is not present in the CPK safety chip of account card, but the interim computing system integrity code of when calling private key each time the user being imported of data prevents to steal with illegal means the behavior of private key with this.
The user is when using account card, after will blocking the ATM or POS machine of inserting client earlier, enter password, the inspection of password is not carried out at client or bank's end of bank, but carry out in user's CPK safety chip inside, could correctly call the function of chip when having only password correct.
The ATM of client or POS machine, and the CPK safety chip of the gate system outfit of bank's end can be the U rods, and its function is identical with the CPK safety chip function of account card, and has been equipped with the PKI matrix.Because the CPK safety chip of client and bank end has been equipped with PKI (times point) matrix, can verify the signature of sign of user's account card.
A) in e-bank's transaction processing process, at first account card is inserted bank client end equipment (ATM the user, POS) after the application transaction, after client is confirmed account card that this card can discern for this machine, CPK safety chip 1 on the operation account card, provide the user to enter password, check whether user password is correct; If correct, then the prompting transaction is proceeded; Otherwise the prompting user re-enters or closes the trade.
After the user imports correct password, client device prompting transaction content, the user imports related data, comprises withdrawing the money, deposit, transferring accounts etc., and selects to determine.
CPK safety chip 1 in the account card obtains the system integrity sign indicating number of user input data according to the data of user's input, utilizes the system integrity sign indicating number being signed with the corresponding private key of account number of preserving in the account card then; And with the data of user input, system integrity sign indicating number and signature send client together to.
B) client device (ATM, POS machine) is received the data of user's input that account card sends, and behind system integrity sign indicating number and the signature, adds the sign of the 2nd CPK safety chip 2 of exchange hour and this machine, obtains the client transaction data of this transaction;
The 2nd CPK safety chip 2 of client utilizes the client transaction data of this transaction, generates the client integrity code of this transaction;
The 2nd CPK safety chip 2 utilizes client private key that the client sign indicating number is signed then;
Thereafter, the 2nd CPK safety chip 2 generates a random number, utilizes random number, by the CPK algorithm client transaction data is encrypted, and obtains the client encrypt data;
Then, the 2nd CPK safety chip 2 utilizes the PKI of bank's end with random number encryption, obtains encrypted random number;
Client device is the client encrypt data, the client integrity code, and the client signature, the client encrypt data, and encrypted random number sends bank's end in the lump to.
C) bank's end equipment (PORTAL etc.) is received the client encrypt data that client device sends, the client integrity code, the client signature, the client encrypt data, and behind the encrypted random number, bank holds the 3rd CPK safety chip 3 at first to utilize the private key of oneself, and the encrypted random number that deciphering is received obtains original random number;
The 3rd CPK safety chip 3 utilizes the public key verifications client signature of client, confirms the credibility of client, and checking client system integrity sign indicating number, the data consistent that data that affirmation is received and client transmit;
The 3rd CPK safety chip 3 utilizes random number, and by the CPK algorithm, deciphering client encrypt data obtain former client transaction data;
Then, bank's end is preserved exchange hour and the 2nd CPK safety chip 2 signs, and the 3rd CPK safety chip 3 utilizes the signature of the public key verifications account card of account card, confirms the account card credibility, and checking account card system integrity sign indicating number, the data consistent of the data that affirmation is received and user's input.
Bank's end equipment is with data content processing bank's operation system processing again of user's input, and with result notifying bank end equipment, bank's end equipment notice client device is carried out (go out money, print etc.).
Therefore, the e-bank's security certification system based on CPK of the present invention can all will provide CPK credible proof to e-bank in each link of transaction of e-bank.Wherein, the private key of CPK algorithm is respectively by the account card in user's hand, and the safety chip of CPK separately of client and bank's end provides, and PKI is then provided by the PKI in the CPK chip (times point) matrix.Because the PKI matrix is open variable, and data volume very little (amount of more than 2,000 Chinese character), its storage is very easy to solve.According to the CPK algorithm, as long as PKI (times point) matrix and sign have been arranged, just can calculate the PKI of this sign by the CPK mapping algorithm, therefore can verify the signature of any sign easily.
Protocol module in the e-bank of the present invention security certification system comprises digital signature protocol and cryptographic protocol, and Internet Key Exchange Protocol.Digital signature protocol adopts international 509 standards to carry out, and does not prove but do not need to call the third party, does not need to call the other side's certificate, because the CPK algorithm is the algorithm of indicating self proof, therefore calls the other side's certificate, and it is unnecessary that the process of authentication certificate becomes.
Internet Key Exchange Protocol of the present invention does not have ready-made, the New Deal of the non-handshaking type of otherwise designed:
Internet Key Exchange Protocol is as follows:
If the private key of user A is SK
A, PKI is PK
A, the private key of user B is SK
B, PKI is PK
B, the key exchange process of A and B is so:
A1: generate random number r;
A2: calculate rG, G is the basic point of elliptic curve key, makes rG=key;
A3: with key data data is encrypted: E
Key(data)=α;
A4: on the public base of B, calculate r (PK
B)=β;
A5: α, β are issued B;
B1: the private key with oneself carries out computing to β, obtains encryption key key:
β(SK
B)
-1=r(PK
B)(SK
B)
-1=r(SK
B*G)(SK
B)
-1=rG=key;
B2: with key DecryptDecryption data: D
KEY(α)=data;
Below with the flow process of withdrawing the money as object lesson; e-bank of the present invention safety certifying method process is described; but the present invention is not as limit; in carrying out the electronic banking process; relate to the process operational approach of utilizing the CPK algorithm that e-bank's safety is authenticated, all within protection scope of the present invention.
Steps A: according to the transaction data of user's input, account card the one CPK safety chip 1 utilizes transaction data to obtain the system integrity sign indicating number, utilize the private key in the CPK safety chip 1 the data integrity code to be signed, be transferred to client then by the CPK algorithm.
The client at first carries out the work of safety certification at customer account number card (ID) when carrying out e-bank's operation:
The client inserts account card (ID card), can be by the screen display operation of at present existing ATM.After the client enters password, ID card checking user password.Then, submit to professionally, by the ATM prompting, select professional: withdraw the money, select the amount of money: 5000, and the data of selecting are sent in the ID card.Flow process in the ID card is as follows.
(1.data1=number of the account // withdraw the money // 5000); //
*With this block number of the account, the code of withdrawing the money, 5000 makes data data1
*
2.Mac1=HASH (data1); //
*Integrity code Mac1 with hash function HASH computational data data1
*
3.Sign1=SIG
The number of the account private key(mac1); //
*Utilize the CPK algorithm that integrity code is signed with the number of the account private key, must be to signed codevector SIGN1
*
4.ID block data data1, integrity code Mac1, signed codevector Sign1 sends, and hands to ATM.
Step B: the 2nd CPK safety chip 2 in the client receives the data that account card sends, and adds exchange hour, and the client secure chip identification, obtains the client transaction data; Utilize the client transaction data to obtain the client integrity code, and utilize the private key in the 2nd CPK safety chip 2 that integrity code is signed, produce random number then, utilize random number that client transaction data, integrity code and signature are encrypted, obtain the client encrypt data, the PKI that utilizes bank's end to provide is encrypted random number, obtains the random number encryption data, with the client encrypt data, client integrity code and random data enciphered data send bank's end to.
After the ATM of client receives the next data of account card transmission, utilize the client secure chip on the ATM to carry out the work of safety certification:
Data that ATM is sent the ID card and exchange hour are sent in the safety chip (U rod) on the ATM, and the flow process that safety chip (U rod) carries out in the safety certification is as follows;
(1.data2=data1, Mac1, Sign1, exchange hour, ATM1); //
*ATM1 is the sign of this ATM1 safety chip U rod
2.Mac2=Hash(data2);
3.Sign2=SIG
The ATM1 private key(mac2);
4. carry out data encryption then:
41) produce random number R 3, to utilizing the CPK algorithm data are encrypted with R3
ER3 (data2/Mac2/Sign2)=cipher-text; // utilize the CPK algorithm that data data2/ integrity code mac2/ signature Sign2 is encrypted by the private key in the safety chip in the ATM, cipher-text is a data encrypted
42) utilize the CPK algorithm to encrypt with the other side's PKI (PORTAL PKI) R3 again;
E
The PORTAL PKI(R3)=coded-key; //
*The PKI that utilizes bank end to provide is encrypted random number R 3, and coded-key utilizes data after the CPK algorithm for encryption to R3
*
5. data encrypted cipher-text and coded-key are sent outside the U rod, send to the end PORTAL of bank by ATM.
Step C: bank end (PORTAL) utilizes bank to hold the 3rd CPK safety chip 3 after receiving the data that client sends, and by bank's end private key, deciphering obtains random number, utilizes the random number deciphering to obtain the client transaction data; Utilize client public key checking client signature credible then, the system integrity sign indicating number of simultaneous verification client transaction data, after checking is passed through, the client transaction data is transferred to bank hold the 3rd CPK safety chip 3, from the client transaction data, read the account card signature, utilize account card public key verifications account number signature credible, the system integrity sign indicating number of simultaneous verification transaction data, after checking is passed through, user's service data is handled at bank's end, and the preservation exchange hour, data such as client signature and account card signature.
Bank end (PORTAL) utilizes bank's end CPK safety chip to carry out safety certification work after receiving the data that client sends:
1. the data of sending to client (ATM) are decrypted
With the CPK private key of bank's end (PORTAL) oneself, utilize the deciphering of CPK algorithm, random number R 3 is decrypted, utilize 3 pairs of client encrypt data decryptions of random number R, obtain client transaction data data2/Mac2/Sign2;
D
The PORTAL private key(coded-key)=R3; //
*Deciphering obtains random number R 3
*
DR3 (cipher-text)=(data2/Mac2/Sign2) //
*Utilize random data R3 to decrypt ciphertext, obtain former data data2/Mac2/Sign2
2. with the PKI inspection signature Sign2 of ATM1, the responsible property of ATM1 is checked;
3. check and all pass through that give business department with data2 and handle, business department takes out sign1 from data2, checks the number of the account signature, if legal, business department handles the business of withdrawing the money, and the number of the account signature is given over to the evidence of getting money.
4. result is made data data3, data will comprise mac, R1, and the portal signature as the receipt data, is encrypted and is sent to ATM1.
5. last, ATM checks mac and random number R 1 to the receipt DecryptDecryption, if meet, then points out and allows to carry out and withdraw the money.
E-bank of the present invention security certification system and method, with the realization compatibility of existing system, therefore ATM, the POS machine of existing magnetic stripe card system's use account number (IC) card that itself and e-banking system relate to, are realized changing original e-banking system is minimum.Because the main certification work of native system is all finished in the CPK safety chip, also little to the influence of existing e-banking system, just need to change card reader safety chip part, be with a wide range of applications.
The present invention is based on e-bank's security certification system of CPK, by depositing and withdrawing and ta vservice that ATM, POS machine carry out.User's number of the account card is realized with the IC-card of band CPU, can realize number of the account seal (signature) easily, and the credibility that assurance is withdrawn the money, deposits, transferred accounts is the credit card of existing magnetic stripe card, the regeneration product of debt-credit card.Its safety certification process comprises the mutual authentication between mutual authentication, client and the bank's end between mutual authentication, number of the account card and the client (as ATM) of user and number of the account card, forms the mutual authentication between holding of number of the account card and bank at last.Its safety certification has comprised that the authenticity to number of the account card, number of the account, dealing money, exchange hour, loco etc. proves, guarantees the security of transaction.
E-bank's Verification System and method based on CPK of the present invention, it utilizes limited factor, will identify and key bindings by mapping algorithm, realize ultra-large key management with very little resource, need not the third party proves, does not need the support of database, so system does not need to safeguard.It adapts to different trading environment and transaction-based requirements, for account number, the amount of money, place and the time etc. of concluding the business provide credible (being responsible for property) to prove.
Present embodiment is to make those of ordinary skills understand the present invention; and to detailed description that the present invention carried out; but can expect; in the scope that does not break away from claim of the present invention and contained, can also make other variation and modification, these variations and revising all in protection scope of the present invention.
Claims (11)
1. the e-bank's security certification system based on CPK comprises account card, client and bank's end, and client can be discerned account card, and client is held with bank and is connected, and it is characterized in that:
Described account card comprises a CPK safety chip (1), is used for the transaction data according to user's input, utilizes transaction data to obtain the system integrity sign indicating number, utilizes by the CPK algorithm data integrity code being signed with the corresponding private key of account number of preserving in the account card;
Described client comprises the 2nd CPK safety chip (2), is used for the data of sending according to account card the one CPK safety chip (1), and adds the client identification data, obtains the client transaction data; Obtain the client integrity code according to the client transaction data; Utilize client private key the client integrity code to be signed by the CPK algorithm; Produce random number then, utilize random number that client transaction data, integrity code and signature are encrypted, obtain the client encrypt data, the PKI that utilizes bank's end to provide is encrypted random number, obtains the random number encryption data;
Described bank end comprises the 3rd CPK safety chip (3), is used for the end private key by bank, utilizes the deciphering of CPK algorithm to obtain random number, utilizes the random number deciphering to obtain the client transaction data; Utilize client public key checking client signature credible then, the system integrity sign indicating number of simultaneous verification client transaction data, after checking is passed through, from the client transaction data, read the account card signature, utilize account card public key verifications account number signature credible, the system integrity sign indicating number of simultaneous verification transaction data after checking is passed through, is imported transaction data with the user and is handled at bank's end.
2. e-bank according to claim 1 security certification system, it is characterized in that, a described CPK safety chip (1), the 2nd CPK safety chip (2) and the 3rd CPK safety chip (3) comprise CPK algorithm function module, indentification protocol module and Internet Key Exchange Protocol module, PKI matrix module, and the private key of holding sign corresponding to account card, client and bank.
3. e-bank according to claim 1 and 2 security certification system is characterized in that, described account card is the smart card of band CPU.
4. e-bank according to claim 1 and 2 security certification system is characterized in that, described client is ATM or POS machine.
5. e-bank according to claim 1 and 2 security certification system is characterized in that, described the 2nd CPK safety chip (2) and the 3rd CPK safety chip (3) are the U rod.
6. e-bank according to claim 1 and 2 security certification system is characterized in that, also comprises computer network, is used to connect client and bank end, carries out data communication, and the transaction request of client is sent to bank's end from client.
7. the e-bank's safety certifying method based on CPK is characterized in that, comprises the following steps:
Steps A) account card utilizes transaction data to obtain the system integrity sign indicating number according to the transaction data of user's input, utilizes by the CPK algorithm data integrity code being signed with the corresponding private key of account number of preserving in the account card, is transferred to client then;
Step B) the client data of sending according to account card, and add the client identification data, obtain the client transaction data; Obtain the client integrity code according to the client transaction data; Utilize client private key to the client integrity code being signed by the CPK algorithm; Produce random number then, utilize random number that client transaction data, integrity code and signature are encrypted, obtain the client encrypt data, the PKI that utilizes bank's end to provide is encrypted random number, obtain the random number encryption data, with the client encrypt data, client integrity code and random data enciphered data send bank's end to;
Step C) bank's end utilizes the deciphering of CPK algorithm to obtain random number by bank's end private key, utilizes the random number deciphering to obtain the client transaction data; Utilize client public key checking client signature credible then, the system integrity sign indicating number of simultaneous verification client transaction data, after checking is passed through, from the client transaction data, read the account card signature, utilize account card public key verifications account number signature credible, the system integrity sign indicating number of simultaneous verification transaction data after checking is passed through, is imported transaction data with the user and is handled at bank's end.
8. e-bank according to claim 7 safety certifying method is characterized in that, also comprises the following steps:
Step D) after checking is passed through, bank's end is preserved exchange hour, client signature and account card signed data.
9. according to claim 7 or 8 described e-bank safety certifying methods, it is characterized in that described steps A) comprise the following steps:
Steps A 1) after the user inserts account card bank client end equipment application transaction, client provides the user to enter password after confirming account card that this card can discern for this machine, and whether the inspection user password is correct; If correct, then the prompting transaction is proceeded; Otherwise the prompting user re-enters or closes the trade;
Steps A 2) after the user imports correct password, client device prompting transaction content;
Steps A 3) account card obtains the system integrity sign indicating number of user input data according to the data of user's input, utilizes the system integrity sign indicating number being signed with the corresponding private key of account number of preserving in the account card then; And with the data of user input, system integrity sign indicating number and signature send client together to.
10. according to claim 7 or 8 described e-bank safety certifying methods, it is characterized in that described step B) comprise the following steps:
Step B1) client is received the data of user's input that account card sends, and behind system integrity sign indicating number and the signature, adds the client identification data, obtains the client transaction data of this transaction;
Step B2) client is utilized the client transaction data of this transaction, generates the client integrity code of this transaction;
Step B3) client utilizes client private key that the client sign indicating number is signed;
Step B4) client generates random number, utilizes random number, by the CPK algorithm client transaction data is encrypted, and obtains the client encrypt data;
Step B5) client utilize bank end PKI with random number encryption, obtain encrypted random number;
Step B6) client is the client encrypt data, the client integrity code, and the client signature, the client encrypt data, and encrypted random number sends bank's end in the lump to.
11., it is characterized in that described step C according to claim 7 or 8 described e-bank safety certifying methods) comprise the following steps:
Step C1) bank's end equipment is received the client encrypt data that client device sends, client integrity code, client signature, and behind the encrypted random number, bank's end utilizes the private key of oneself, and the encrypted random number that deciphering is received obtains original random number;
Step C2) bank's end utilizes the public key verifications client signature of client, confirms the credibility of client, and checking client system integrity sign indicating number, the data consistent that data that affirmation is received and client transmit;
Step C3) bank's end utilizes random number, and by the CPK algorithm, deciphering client encrypt data obtain former client transaction data;
Step C4) bank's end is preserved the client identification data, utilizes the signature of the public key verifications account card of account card, confirms the account card credibility, and checking account card system integrity sign indicating number, the data consistent of the data that affirmation is received and user's input.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2006100760202A CN1831865B (en) | 2006-04-24 | 2006-04-24 | Electronic bank safety authorization system and method based on CPK |
| PCT/CN2006/003497 WO2007121631A1 (en) | 2006-04-24 | 2006-12-20 | System and method of electronic bank safety certification based on cpk |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2006100760202A CN1831865B (en) | 2006-04-24 | 2006-04-24 | Electronic bank safety authorization system and method based on CPK |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1831865A CN1831865A (en) | 2006-09-13 |
| CN1831865B true CN1831865B (en) | 2010-09-29 |
Family
ID=36994146
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2006100760202A Expired - Fee Related CN1831865B (en) | 2006-04-24 | 2006-04-24 | Electronic bank safety authorization system and method based on CPK |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN1831865B (en) |
| WO (1) | WO2007121631A1 (en) |
Families Citing this family (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101079698B (en) * | 2007-02-14 | 2011-05-11 | 四川易恒科技发展有限公司 | A file encryption method based on Linux operating system with CPK authentication |
| CN103136664B (en) * | 2013-03-06 | 2016-05-18 | 天地融科技股份有限公司 | There is smart card transaction system and the method for electronic signature functionality |
| CN103136667B (en) * | 2013-03-06 | 2016-09-14 | 天地融科技股份有限公司 | There is the smart card of electronic signature functionality, smart card transaction system and method |
| CN108596605A (en) * | 2013-02-06 | 2018-09-28 | 天地融科技股份有限公司 | Smart card with electronic signature functionality |
| CN103136666B (en) * | 2013-03-06 | 2016-08-03 | 天地融科技股份有限公司 | There is smart card method of commerce and the system of electronic signature functionality |
| CN103208151B (en) * | 2013-04-03 | 2016-08-03 | 天地融科技股份有限公司 | Process the method and system of operation requests |
| CN104424568A (en) * | 2013-08-22 | 2015-03-18 | 成都市易恒信科技有限公司 | Authentication false-proof traceability system employing circuit core chip ID number as identification |
| CN105096119A (en) * | 2014-05-15 | 2015-11-25 | 东方斯泰克信息技术研究院(北京)有限公司 | Virtual bank system and realization method thereof |
| CN103971236A (en) * | 2014-05-16 | 2014-08-06 | 天地融科技股份有限公司 | Information interaction method, system and trading terminal and trading terminal query suite |
| CN106779696B (en) | 2016-11-29 | 2020-09-29 | 晋商博创(北京)科技有限公司 | CPK-based digital bank and digital currency and payment method |
| CN106788991A (en) * | 2016-12-05 | 2017-05-31 | 北京中交兴路信息科技有限公司 | A kind of method and device of data transfer |
| CN108011722A (en) * | 2017-12-12 | 2018-05-08 | 金邦达有限公司 | Data signature method, system, chip card and micro-control unit |
| CN108306892B (en) * | 2018-03-01 | 2020-12-18 | 武汉大学 | TrustZone-based request response method and system |
| CN108776896A (en) * | 2018-06-04 | 2018-11-09 | 中钞信用卡产业发展有限公司杭州区块链技术研究院 | Digital cash wallet business management method based on multi-signature and system |
| CN111147245A (en) * | 2020-01-08 | 2020-05-12 | 江苏恒为信息科技有限公司 | Algorithm for encrypting by using national password in block chain |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6052468A (en) * | 1998-01-15 | 2000-04-18 | Dew Engineering And Development Limited | Method of securing a cryptographic key |
| CN1633071A (en) * | 2005-01-14 | 2005-06-29 | 南相浩 | Method and apparatus for cipher key generation based on identification |
| CN1655142A (en) * | 2005-03-23 | 2005-08-17 | 蔡冠群 | Intelligent digital audio emitter and electronic identity safety certification method therefor |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| SG64957A1 (en) * | 1996-12-04 | 1999-05-25 | Inst Of Systems Science Nation | Microprocessor card payment system |
| FR2815203A1 (en) * | 2000-10-05 | 2002-04-12 | Ntsys | INTERNET SECURE PAYMENT AGENT WITH MOBILE PHONE VALIDATION |
| CN1571453A (en) * | 2003-07-18 | 2005-01-26 | 英华达(南京)科技有限公司 | Method for implementing network trade safety certification |
-
2006
- 2006-04-24 CN CN2006100760202A patent/CN1831865B/en not_active Expired - Fee Related
- 2006-12-20 WO PCT/CN2006/003497 patent/WO2007121631A1/en active Application Filing
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6052468A (en) * | 1998-01-15 | 2000-04-18 | Dew Engineering And Development Limited | Method of securing a cryptographic key |
| CN1633071A (en) * | 2005-01-14 | 2005-06-29 | 南相浩 | Method and apparatus for cipher key generation based on identification |
| CN1655142A (en) * | 2005-03-23 | 2005-08-17 | 蔡冠群 | Intelligent digital audio emitter and electronic identity safety certification method therefor |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2007121631A1 (en) | 2007-11-01 |
| CN1831865A (en) | 2006-09-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN1831865B (en) | Electronic bank safety authorization system and method based on CPK | |
| CN105243313B (en) | For the method whenever confirmed to verifying token | |
| CN101848090B (en) | Authentication device and system and method using same for on-line identity authentication and transaction | |
| CN101765108B (en) | Safety certification service platform system, device and method based on mobile terminal | |
| CN101546407B (en) | Electronic commerce system and management method thereof based on digital certificate | |
| CN106096947B (en) | The half off-line anonymous method of payment based on NFC | |
| EP0880254A2 (en) | Security system and method for financial institution server and client web browser | |
| US20030069792A1 (en) | System and method for effecting secure online payment using a client payment card | |
| WO2018133674A1 (en) | Method of verifying and feeding back bank payment permission authentication information | |
| CN101770619A (en) | Multiple-factor authentication method for online payment and authentication system | |
| TWI591553B (en) | Systems and methods for mobile devices to trade financial documents | |
| CN102238193A (en) | Data authentication method and system using same | |
| CN103489104A (en) | Security payment method and system | |
| TWI578253B (en) | System and method for applying financial certificate using a mobile telecommunication device | |
| CN101335754A (en) | Method for information verification using remote server | |
| CN102521777B (en) | A kind of method and system realizing remote credit | |
| CN110634072B (en) | Block chain transaction system based on multi-signature and hardware encryption | |
| CN108496194A (en) | A kind of method, server-side and the system of verification terminal legality | |
| CN108777673A (en) | One kind carrying out Bidirectional identity authentication method in block chain | |
| KR100468031B1 (en) | Publication and settlement of account for an electronic check | |
| CN112419021B (en) | Electronic invoice verification method, system, storage medium, computer equipment and terminal | |
| CN102724180A (en) | Method and system for preventing signature information of universal serial bus (USB) key from being falsified | |
| CN107403310A (en) | Payment system and its method of payment under quantum Metropolitan Area Network (MAN) | |
| EP0886248B1 (en) | Method and apparatus for registration of information with plural institutions and recording medium with registration program stored thereon | |
| KR20020020134A (en) | PKI system for and method of using micro explorer on mobile terminals |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| ASS | Succession or assignment of patent right |
Owner name: NAN XIANGHAO; ZHAO JIANGUO Free format text: FORMER OWNER: BEIJING YIHENXIN AUTHORIZATION SCIENCE + TECHNOLOGY CO., LTD. Effective date: 20060922 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20060922 Address after: Beijing City, Shijingshan District Shijingshan Road No. 40 building three layer E-G Xin'an Applicant after: Nan Xianghao Co-applicant after: Zhao Jianguo Address before: Beijing City, Shijingshan District Shijingshan Road No. 40 building three layer E-G Xin'an Applicant before: Yihengxin Verification Science and Technology Co., Ltd., Beijing |
|
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: BEIJING YIHENXIN AUTHORIZATION SCIENCE & TECHNOLO Free format text: FORMER OWNER: NAN XIANGHAO; APPLICANT Effective date: 20081024 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20081024 Address after: Beijing City, Shijingshan District Shijingshan Road No. 40 building three layer E-G principal zone encoding: 100042 Applicant after: Yihengxin Verification Science and Technology Co., Ltd., Beijing Address before: Beijing City, Shijingshan District Shijingshan Road No. 40 building three layer E-G principal zone encoding: 100042 Applicant before: Nan Xiang Hao Co-applicant before: Zhao Jianguo |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100929 Termination date: 20200424 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |