WO2013149426A1 - Method, device and system for authenticating access for application to smart card - Google Patents

Method, device and system for authenticating access for application to smart card Download PDF

Info

Publication number
WO2013149426A1
WO2013149426A1 PCT/CN2012/075684 CN2012075684W WO2013149426A1 WO 2013149426 A1 WO2013149426 A1 WO 2013149426A1 CN 2012075684 W CN2012075684 W CN 2012075684W WO 2013149426 A1 WO2013149426 A1 WO 2013149426A1
Authority
WO
WIPO (PCT)
Prior art keywords
smart card
application
authentication
serial number
card
Prior art date
Application number
PCT/CN2012/075684
Other languages
French (fr)
Chinese (zh)
Inventor
曹岚健
余万涛
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2013149426A1 publication Critical patent/WO2013149426A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Abstract

Disclosed are a method, device and system for authenticating the access for an application to a smart card, the method including: the smart card receives an access request transmitted by the application, and transmits the authentication information of the access request to the application; the smart card receives the authentication response of the authentication information, wherein the application obtains the authentication response from the card issuer server of the smart card and transmits the authentication response to the smart card; and when the authentication response is verified to be passed by the smart card , the application is allowed to access the smart card. The present invention solves the technical problem of prior art that there is no way to implement the authentication of the access for an application through a smart card so that the data or function of the smart card can not be used by the application of the terminal and the safety of the service can not be ensured, and implements that the smart card performs the access control of the application requesting the access to the smart card so that the terminal application can dispose the service authentication correlation data in the smart card and the safety of the service is improved.

Description

应用接入智能卡的认证方法、 装置和系统 技术领域 本发明涉及通信领域, 具体而言, 涉及一种应用接入智能卡的认证方法、 装置和 系统。 背景技术 随着网络的升级, 移动终端应用和移动业务也不断增多, 使得移动用户的生活得 到了极大的便利。 这些移动业务的普及使得对用户的安全认证和对信息的安全保护越 来越重要, 用户也越来越关心自身信息的安全问题。 移动支付和企业信息化等系统尤 其需要依靠用户身份的可靠验证和信息的安全保护以确保交易和信息的安全。 智能卡是抗破坏性高的安全设备, 并且便于携带, 同时还可基于密码学达到很高 的安全水平, 因此, 将移动应用认证相关的数据存储在智能卡上, 并利用智能卡完成 鉴权认证是一种比较安全、 可靠和方便的安全措施, 同时也可以在智能卡上实现生成 密钥对、 完成数字签名等功能。 但是由于终端没有开放应用直接访问智能卡的接口, 因此导致了智能卡上的数据或功能不能被终端应用调用。 目前还没有一种可以通过智能卡完成应用接入的鉴权认证的方式, 这使得智能卡 上存储的数据或功能不能被终端的应用调用, 从而导致智能卡上存储的资源被浪费。 针对上述的问题, 目前尚未提出有效的解决方案。 发明内容 本发明实施例提供了一种应用接入智能卡的认证方法、 装置和系统, 以至少解决 现有技术中没有一种可以通过智能卡完成应用接入的鉴权认证的方式, 使得智能卡上 存储的数据或功能不能被终端的应用调用的技术问题。 根据本发明实施例的一个实施例,提供了一种应用接入智能卡的认证方法,包括: 智能卡接收应用发送的接入请求, 将接入请求的认证信息发送给应用; 智能卡接收认 证信息的认证响应, 其中, 应用从智能卡的卡发行商服务器获取认证响应并发送至智 能卡; 当智能卡对认证响应验证通过时, 允许应用接入到智能卡。 优选地, 应用从智能卡的卡发行商服务器获取认证响应, 包括: 应用利用应用提 供商服务器从卡发行商服务器获取认证响应。 优选地, 应用利用应用提供商服务器从卡发行商服务器获取认证响应, 包括: 应 用和应用提供商服务器之间进行相互认证并建立第一安全连接, 应用通过第一安全连 接将认证信息发送给应用提供商服务器; 应用提供商服务器和卡发行商服务器之间进 行相互认证并建立第二安全连接, 应用提供商服务器通过第二安全连接将认证信息转 发给卡发行商服务器; 卡发行商服务器接收应用提供商服务器转发的认证信息; 当卡 发行商服务器对认证信息验证通过后, 卡发行商服务器根据认证信息生成认证响应; 卡发行商服务器通过第二安全连接将认证响应发送给应用提供商服务器, 由应用提供 商服务器通过第一安全连接将认证响应转发至应用。 优选地, 卡发行商服务器根据认证信息生成认证响应, 包括: 卡发行商服务器根 据智能卡标识查找与智能卡对应的根密钥, 其中, 根密钥是卡发行商服务器为每一张 智能卡分配的密钥信息, 智能卡与根密钥一一对应, 认证信息携带有所述智能卡的智 能卡标识和智能卡为所述应用本次接入所生成的随机数; 卡发行商服务器根据根密钥 和随机数生成认证响应。 优选地, 认证响应携带有第一认证内容和第一临时会话密钥, 其中, 卡发行商服 务器利用第一临时会话密钥对认证响应进行加密传输。 优选地, 智能卡接收认证信息的认证响应之后, 还包括: 智能卡根据认证信息中 的随机数和自身的根密钥按照和卡发行商服务器对应的方式生成第二认证内容和第二 临时会话密钥; 智能卡根据第二会话密钥对认证响应进行解密, 如果解密成功, 则对 解密得到的第一认证内容和第二认证内容进行比较, 如果相同, 则表明验证成功。 优选地, 智能卡接入应用, 包括: 智能卡使用第一临时会话密钥和第二临时会话 密钥在自身和应用之间建立安全信道; 智能卡通过安全信道与应用进行信息交互。 优选地, 智能卡将应用接入智能卡之后, 还包括: 当应用关闭时, 智能卡释放安 全信道; 智能卡删除第二临时会话密钥。 优选地, 认证信息携带有应用本次接入时智能卡的第一序列号。 优选地, 第一序列号按如下步骤生成: 智能卡在自身存储的第二序列号上增加预 定值, 得到第三序列号; 智能卡判断第三序列号是否大于预定阈值; 若是, 则将预设 初始值赋值给第一序列号和第二序列号; 若否, 则将第三序列号赋值给第一序列号和 第二序列号。 优选地, 卡发行商服务器根据认证信息生成认证响应, 包括: 卡发行商服务器从 认证信息中获取第一序列号和智能卡标识; 卡发行商服务器根据智能卡标识查找自身 存储的对应于该智能卡的第四序列号; 卡发行商服务器根据第一序列号和第四序列号 进行验证, 在验证通过后, 卡发行商服务器生成认证响应。 优选地, 卡发行商服务器根据第一序列号和第四序列号进行验证, 包括: 卡发行 商服务器判断第一序列号是否大于或等于第四序列号, 如果大于或等于, 则验证成功, 卡发行商服务器将第一序列号赋值给第四序列号。 优选地, 卡发行商服务器将第一序列号赋值给第四序列号之后, 还包括: 卡发行 商服务器判断第一序列号加上预定值后是否大于预定阈值, 如果大于, 则卡发行商服 务器将预设初始值赋值给第四序列号。 根据本发明实施例的另一实施例, 提供了一种应用接入智能卡的认证装置, 位于 智能卡中, 包括: 第一接收单元, 设置为接收应用发送的接入请求, 将接入请求的认 证信息发送给应用; 第二接收单元, 设置为接收认证信息的认证响应, 其中, 应用从 智能卡的卡发行商服务器获取认证响应并发送至智能卡; 接入单元, 设置为当智能卡 对认证响应验证通过时, 允许应用接入到智能卡。 优选地, 该装置还包括: 第一生成单元, 设置为当认证响应携带有第一认证内容 和第一临时会话密钥时, 在接收认证信息的认证响应之后, 根据认证信息中的随机数 和自身的根密钥按照和卡发行商服务器对应的方式生成第二认证内容和第二临时会话 密钥; 解密单元, 设置为根据第二会话密钥对认证响应进行解密, 如果解密成功, 则 对解密得到的第一认证内容和第二认证内容进行比较, 如果相同, 则表明验证成功。 优选地, 接入单元包括: 接入模块, 设置为使用第一临时会话密钥和第二临时会 话密钥在自身和应用之间建立安全信道; 交互模块, 设置为通过安全信道与应用进行 信息交互。 优选地, 该装置还包括: 第二生成单元, 设置为生成携带有应用本次接入时智能 卡的第一序列号的认证信息。 优选地, 第二生成单元包括: 增加模块, 设置为在自身存储的第二序列号上增加 预定值, 得到第三序列号; 判断模块, 设置为判断第三序列号是否大于预定阈值; 第 一赋值模块, 设置为在判断出第三序列号大于预定阈值时, 将预设初始值赋值给第一 序列号和第二序列号; 第二赋值模块, 设置为在判断出第三序列号不大于预定阈值时, 将第三序列号赋值给第一序列号和第二序列号。 根据本发明实施例的又一实施例, 提供了另一种应用接入智能卡的认证装置, 位 于卡发行商服务器中, 包括: 第三接收单元, 设置为应用发送的认证信息, 其中, 认 证信息携带有智能卡的智能卡标识和 /或智能卡为应用本次接入所生成的随机数; 第三 生成单元, 设置为根据认证信息生成认证响应, 并将认证响应发送给应用。 优选地, 第三生成单元包括: 获取模块, 设置为从认证信息中获取第一序列号和 智能卡标识; 第二查找模块, 设置为根据智能卡标识查找自身存储的对应于该智能卡 的第四序列号; 验证模块, 设置为根据第一序列号和第四序列号进行验证, 在验证通 过后, 生成认证响应。 优选地, 第三生成单元包括: 第一查找模块, 设置为器根据智能卡标识查找与智 能卡对应的根密钥,其中,根密钥是卡发行商服务器为每一张智能卡分配的密钥信息, 智能卡与根密钥一一对应; 第一生成模块, 设置为根据根密钥和随机数生成认证响应。 优选地, 第三生成单元包括: 第二生成模块, 设置为生成携带有第一认证内容和 第一临时会话密钥的认证响应; 加密模块, 设置为利用第一临时会话密钥对认证响应 进行加密。 根据本发明实施例的又一实施例, 提供了一种应用接入处理系统, 包括: 上述的 位于智能卡中的应用接入处理装置, 和位于卡发行商服务器中的应用接入处理装置。 在本发明实施例中, 智能卡在接收到应用的接入请求后, 响应于该接入请求生成 对应于该应用本次接入的认证信息, 并将该认证信息发给应用, 以触发该应用向卡发 行商服务器获取对应于该认证信息的认证响应, 只有在该应用向智能卡返回匹配的认 证响应后, 智能卡才允许将该应用接入。 通过上述方式, 实现了智能卡对应用接入的 鉴权认证, 从而解决现有技术中没有一种可以通过智能卡完成应用接入的鉴权认证的 方式, 使得智能卡上的数据或功能不能被终端的应用调用, 业务的安全性得不到保证 的技术问题, 实现了应用安全接入智能卡, 使得终端应用可以将业务认证相关数据部 署到智能卡上, 提高了业务的安全性。 附图说明 此处所说明的附图用来提供对本发明的进一步理解, 构成本申请的一部分, 本发 明的示意性实施例及其说明用于解释本发明, 并不构成对本发明的不当限定。 在附图 中: 图 1是根据本发明实施例的应用接入处理方法的一种优选流程图; 图 2是根据本发明实施例的应用利用应用提供商服务器从卡发行商服务器获取认 证响应的一种优选流程图; 图 3是根据本发明实施例的位于智能卡中的应用接入智能卡的认证装置的一种优 选结构框图; 图 4是根据本发明实施例的位于智能卡中的应用接入智能卡的认证装置的另一种 优选结构框图; 图 5是根据本发明实施例的位于智能卡中的应用接入智能卡的认证装置的接入单 元的一种优选结构框图; 图 6是根据本发明实施例的位于智能卡中的应用接入智能卡的认证装置的又一种 优选结构框图; 图 7是根据本发明实施例的位于智能卡中的应用接入智能卡的认证装置的第二生 成单元的一种优选结构框图; 图 8是根据本发明实施例的位于卡发行商服务器中的应用接入智能卡的认证装置 的一种优选结构框图; 图 9是根据本发明实施例的位于卡发行商服务器中的应用接入智能卡的认证装置 的第三生成单元的一种优选结构框图; 图 10 是根据本发明实施例的位于卡发行商服务器中的应用接入智能卡的认证装 置的第三生成单元的另一种优选结构框图; 图 11 是根据本发明实施例的位于卡发行商服务器中的应用接入智能卡的认证装 置的第三生成单元的又一种优选结构框图; 图 12是根据本发明实施例的应用接入智能卡的方法的另一种优选流程图; 图 13是根据本发明实施例的应用获得认证信息和认证响应,并给智能卡发送认证 响应请求接入智能卡的一种优选流程图; 图 14 是根据本发明实施例的智能卡对请求接入智能卡的应用进行接入控制的一 种优选流程图; 图 15是根据本发明实施例的应用请求接入智能卡,智能卡对应用进行接入控制的 一种优选流程图。 具体实施方式 下文中将参考附图并结合实施例来详细说明本发明。 需要说明的是, 在不冲突的 情况下, 本申请中的实施例及实施例中的特征可以相互组合。 在本发明实施例中, 应用在部署到终端上以后, 无论应用执行何种操作, 例如应 用需要对智能卡特定的安全域进行升级, 还例如应用需要利用智能卡进行业务认证相 关的操作, 都必须首先获取接入智能卡的权限, 并且接入智能卡。 也就是说, 智能卡 对试图接入自身的应用存在接入控制接口。 实施时, 接入控制接口的关键作用在于, 在应用启动并请求接入智能卡时, 对应用进行接入的控制, 以限制某些应用接入到智 能卡, 只允许授权能够接入智能卡的应用在智能卡认证通过后才能接入到智能卡; 在 应用获得了智能卡的接入允许 (即认证通过) 后, 应用的运行过程中一直占据与智能 卡的连接通道; 在应用关闭时, 要释放智能卡和应用之间的连接通道; 应用在下次启 动并请求接入智能卡时要重新通过智能卡的准许。 同时, 应用要接入到智能卡, 必须向智能卡发送某种能够证明自己身份合法的信 息。 智能卡能够对该信息进行验证, 以证明发送该信息的应用是否是能够被授权接入 智能卡的应用, 以便只让得到授权的合法应用接入到智能卡。 要规范接入控制接口, 必须先规范出应用需要发送何种能够证明自己身份的信息, 并且必须确定一种智能卡 对请求接入智能卡的应用进行接入控制的方法。 现有的智能卡安全 API (Application Program Interface, 应用编程接口) 架构提出 了一种终端上的移动应用能安全高效的访问智能卡的架构体系。 智能卡安全 API架构 分为三个层次: 应用层、 业务认证中间层和业务认证服务层, 并且定义了两种 API: 智能卡与终端软件系统之间的 API、 终端软件系统与应用之间的 API。 智能卡与终端 软件系统之间的 API 侧重于将移动应用访问智能卡的指令转换成智能卡所能识别的 APDU指令, 终端软件系统与应用之间的 API则侧重于研究应用如何通过该类接口访 问智能卡上的认证服务应用。终端软件系统与应用之间的 API应包括智能卡管理接口、 接入控制接口、 数据加解密接口、 数字签名验证接口以及身份认证接口等几大类。 为了实现智能卡对请求接入智能卡的应用的接入控制, 本发明实施例提供了一种 应用接入智能卡的认证方法,下面将结合几个具体的实施例对该方法进行详细的描述。 实施例 1 本发明实施例提供了一种应用接入智能卡的认证方法, 如图 1所示, 包括: The present invention relates to the field of communications, and in particular to an authentication method, apparatus, and system for applying an access smart card. BACKGROUND With the upgrading of networks, mobile terminal applications and mobile services are also increasing, which makes the life of mobile users greatly facilitated. The popularity of these mobile services has made it increasingly important for users to securely authenticate and secure information, and users are increasingly concerned about the security of their own information. Systems such as mobile payments and enterprise informatization rely in particular on reliable authentication of user identities and security of information to ensure the security of transactions and information. The smart card is a high-destruction-proof security device and is easy to carry. It can also achieve a high level of security based on cryptography. Therefore, storing data related to mobile application authentication on a smart card and using a smart card to complete authentication is one. It is safer, more reliable and more convenient. At the same time, it can also realize the function of generating key pair and completing digital signature on the smart card. However, since the terminal does not have an open application to directly access the interface of the smart card, the data or function on the smart card cannot be called by the terminal application. At present, there is no way to perform authentication authentication of an application access through a smart card, which makes the data or functions stored on the smart card cannot be called by the application of the terminal, thereby causing waste of resources stored on the smart card. In response to the above problems, no effective solution has been proposed yet. SUMMARY OF THE INVENTION The embodiments of the present invention provide an authentication method, device, and system for applying an access smart card, so as to at least solve the problem that at least one authentication authentication that can complete application access through a smart card in the prior art, so that the smart card is stored. The technical problem of the data or function cannot be called by the application of the terminal. According to an embodiment of the present invention, an authentication method for an application access smart card is provided, including: the smart card receives an access request sent by an application, and sends the authentication information of the access request to the application; the smart card receives the authentication of the authentication information. In response, the application obtains an authentication response from the card issuer server of the smart card and sends the authentication response to the smart card; when the smart card verifies the authentication response, the application is allowed to access the smart card. Preferably, the applying the authentication response from the card issuer server of the smart card comprises: the application obtaining the authentication response from the card issuer server by using the application provider server. Preferably, the application obtains the authentication response from the card issuer server by using the application provider server, including: performing mutual authentication and establishing a first secure connection between the application and the application provider server, and the application sends the authentication information to the application by using the first secure connection. Provider server; mutual authentication between the application provider server and the card issuer server and establishing a second secure connection, the application provider server forwards the authentication information to the card issuer server through the second secure connection; the card issuer server receives the application The authentication information forwarded by the provider server; after the card issuer server verifies the authentication information, the card issuer server generates an authentication response according to the authentication information; the card issuer server sends the authentication response to the application provider server through the second secure connection, The authentication response is forwarded to the application by the application provider server over the first secure connection. Preferably, the card issuer server generates an authentication response according to the authentication information, including: the card issuer server searches for a root key corresponding to the smart card according to the smart card identifier, where the root key is a secret assigned by the card issuer server to each smart card Key information, the smart card corresponds to the root key one by one, the authentication information carries the smart card identifier of the smart card and the smart card is a random number generated by the application for the current access; the card issuer server generates the root key and the random number Certification response. Preferably, the authentication response carries the first authentication content and the first temporary session key, wherein the card issuer server encrypts the authentication response by using the first temporary session key. Preferably, after the smart card receives the authentication response of the authentication information, the method further includes: the smart card generating the second authentication content and the second temporary session key according to the random number in the authentication information and the root key thereof according to the card publisher server. The smart card decrypts the authentication response according to the second session key. If the decryption is successful, the decrypted first authentication content and the second authentication content are compared. If they are the same, the verification is successful. Preferably, the smart card accessing the application comprises: the smart card establishing a secure channel between itself and the application by using the first temporary session key and the second temporary session key; and the smart card interacts with the application through the secure channel. Preferably, after the smart card connects the application to the smart card, the method further includes: when the application is closed, the smart card releases the secure channel; and the smart card deletes the second temporary session key. Preferably, the authentication information carries a first serial number of the smart card when the current access is applied. Preferably, the first serial number is generated as follows: the smart card adds a predetermined value to the second serial number stored by itself, to obtain a third serial number; the smart card determines whether the third serial number is greater than a predetermined threshold; if yes, the preset The initial value is assigned to the first serial number and the second serial number; if not, the third serial number is assigned to the first serial number and the second serial number. Preferably, the card issuer server generates the authentication response according to the authentication information, including: the card issuer server obtains the first serial number and the smart card identifier from the authentication information; the card issuer server searches for the first stored corresponding to the smart card according to the smart card identifier The four serial number; the card issuer server verifies according to the first serial number and the fourth serial number, and after the verification is passed, the card issuer server generates an authentication response. Preferably, the card issuer server performs verification according to the first serial number and the fourth serial number, including: the card issuer server determines whether the first serial number is greater than or equal to the fourth serial number, and if greater than or equal to, the verification succeeds, the card is successful. The publisher server assigns the first serial number to the fourth serial number. Preferably, after the card issuer server assigns the first serial number to the fourth serial number, the method further includes: the card issuer server determining whether the first serial number plus the predetermined value is greater than a predetermined threshold, and if greater than, the card issuer server The preset initial value is assigned to the fourth serial number. According to another embodiment of the present invention, an authentication device for accessing a smart card is provided, which is located in a smart card, and includes: a first receiving unit, configured to receive an access request sent by an application, and authenticate the access request The information is sent to the application; the second receiving unit is configured to receive an authentication response of the authentication information, where the application obtains the authentication response from the card issuer server of the smart card and sends the authentication response to the smart card; and the access unit is configured to verify the authentication response when the smart card passes the authentication Allows the app to access the smart card. Preferably, the apparatus further includes: a first generating unit, configured to: when the authentication response carries the first authentication content and the first temporary session key, after receiving the authentication response of the authentication information, according to the random number in the authentication information The root key generates a second authentication content and a second temporary session key in a manner corresponding to the card issuer server; the decryption unit is configured to decrypt the authentication response according to the second session key, and if the decryption is successful, The decrypted first authentication content and the second authentication content are compared, and if they are the same, the verification is successful. Preferably, the access unit comprises: an access module, configured to establish a secure channel between itself and the application by using the first temporary session key and the second temporary session key; and the interaction module is configured to perform information with the application through the secure channel Interaction. Preferably, the apparatus further includes: a second generating unit, configured to generate the authentication information carrying the first serial number of the smart card when the current access is applied. Preferably, the second generating unit includes: an adding module, configured to add a predetermined value to the second serial number stored by itself, to obtain a third serial number; and a determining module, configured to determine whether the third serial number is greater than a predetermined threshold; An assignment module is configured to assign a preset initial value to the first serial number and the second serial number when determining that the third serial number is greater than a predetermined threshold; the second assignment module is configured to determine that the third serial number is not When the threshold is greater than the predetermined threshold, the third serial number is assigned to the first serial number and the second serial number. According to still another embodiment of the present invention, another authentication device for accessing a smart card is provided, which is located in a card issuer server, and includes: a third receiving unit, configured to send authentication information, wherein the authentication information The smart card identifier and/or the smart card carrying the smart card is a random number generated by applying the current access; the third generating unit is configured to generate an authentication response according to the authentication information, and send the authentication response to the application. Preferably, the third generating unit includes: an obtaining module, configured to obtain a first serial number and a smart card identifier from the authentication information; and a second searching module, configured to search for a fourth serial number corresponding to the smart card stored by the smart card identifier according to the smart card identifier The verification module is configured to perform verification according to the first serial number and the fourth serial number, and after the verification is passed, generate an authentication response. Preferably, the third generating unit includes: a first searching module, configured to search for a root key corresponding to the smart card according to the smart card identifier, where the root key is key information allocated by the card issuer server for each smart card, The smart card has a one-to-one correspondence with the root key; the first generation module is configured to generate an authentication response according to the root key and the random number. Preferably, the third generating unit comprises: a second generating module, configured to generate an authentication response carrying the first authentication content and the first temporary session key; and an encryption module configured to perform the authentication response by using the first temporary session key encryption. According to still another embodiment of the present invention, an application access processing system is provided, including: the foregoing application access processing device located in a smart card, and an application access processing device located in a card issuer server. In the embodiment of the present invention, after receiving the access request of the application, the smart card generates authentication information corresponding to the current access of the application in response to the access request, and sends the authentication information to the application to trigger the application. The authentication response corresponding to the authentication information is obtained from the card issuer server, and the smart card allows the application to be accessed only after the application returns a matching authentication response to the smart card. In the above manner, the authentication authentication of the application access by the smart card is implemented, so that there is no way in the prior art that the authentication authentication of the application access can be completed by the smart card, so that the data or function on the smart card cannot be used by the terminal. The application is invoked, the security of the service is not guaranteed, and the application security access smart card is implemented, so that the terminal application can deploy the service authentication related data to the smart card, thereby improving the security of the service. BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are set to illustrate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, In the drawings: FIG. 1 is a preferred flowchart of an application access processing method according to an embodiment of the present invention; FIG. 2 is an application for obtaining an authentication response from a card issuer server by using an application provider server according to an embodiment of the present invention; FIG. 3 is a block diagram of a preferred structure of an authentication device for accessing a smart card in an intelligent card according to an embodiment of the present invention; FIG. 4 is an application access smart card located in a smart card according to an embodiment of the invention; FIG. 5 is a block diagram showing a preferred block diagram of an access unit of an authentication device for accessing a smart card in a smart card according to an embodiment of the present invention; FIG. 6 is a block diagram of an access unit according to an embodiment of the present invention. Still another preferred structural block diagram of an authentication device for accessing a smart card by an application located in a smart card; FIG. 7 is a preferred configuration of a second generation unit of an authentication device for accessing a smart card by an application located in a smart card according to an embodiment of the present invention 8 is a block diagram of an authentication device for an application access smart card located in a card issuer server according to an embodiment of the present invention; FIG. 9 is a block diagram showing a preferred configuration of a third generation unit of an authentication device for accessing a smart card in an application in a card issuer server according to an embodiment of the present invention; FIG. 10 is a block diagram of a third generation unit according to an embodiment of the present invention. Another preferred structural block diagram of a third generating unit of an authentication device of an application access smart card located in a card issuer server; FIG. 11 is an authentication device for an application access smart card located in a card issuer server according to an embodiment of the present invention; Still another preferred structural block diagram of a third generating unit; FIG. 12 is another preferred flow chart of a method for applying an access smart card according to an embodiment of the present invention; 13 is a preferred flowchart of an application obtaining authentication information and an authentication response, and transmitting an authentication response request to the smart card according to an embodiment of the present invention; FIG. 14 is a smart card pair requesting access to a smart card according to an embodiment of the present invention; A preferred flowchart for applying access control is provided. FIG. 15 is a preferred flowchart of an application requesting access to a smart card according to an embodiment of the present invention, and the smart card performs access control on the application. BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the accompanying drawings. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other without conflict. In the embodiment of the present invention, after the application is deployed on the terminal, no matter what operation is performed by the application, for example, the application needs to upgrade the security domain specific security domain, and for example, the application needs to use the smart card for service authentication related operations, and must first Obtain access to the smart card and access the smart card. That is to say, the smart card has an access control interface for an application attempting to access itself. In implementation, the key function of the access control interface is to control the access of the application when the application starts and requests access to the smart card, so as to restrict certain applications from accessing the smart card, and only allow authorized applications to access the smart card. After the smart card is authenticated, the smart card can be accessed. After the application obtains the access permission of the smart card (ie, the authentication is passed), the application always occupies the connection channel with the smart card; when the application is closed, the smart card and the application are released. The connection channel between the applications; the application must re-authorize the smart card when it starts up and requests access to the smart card. At the same time, if the application wants to access the smart card, it must send some information to the smart card that can prove its identity. The smart card can verify the information to prove whether the application that sent the information is an application that can be authorized to access the smart card, so that only the authorized legitimate application can access the smart card. To standardize the access control interface, it is necessary to first specify the information that the application needs to send to prove its identity, and must determine a method for the smart card to access the application requesting access to the smart card. The existing Smart Card Security API (Application Programming Interface) architecture proposes an architecture that enables mobile applications on the terminal to access the smart card securely and efficiently. The smart card security API architecture is divided into three levels: application layer, business authentication middle layer and business authentication service layer, and defines two APIs: API between smart card and terminal software system, API between terminal software system and application. The API between the smart card and the terminal software system focuses on converting the instructions of the mobile application to access the smart card into APDU commands that the smart card can recognize. The API between the terminal software system and the application focuses on how the application accesses through the interface. Ask the authentication service application on the smart card. The API between the terminal software system and the application should include the smart card management interface, the access control interface, the data encryption and decryption interface, the digital signature verification interface, and the identity authentication interface. In order to implement the access control of the smart card to the application for accessing the smart card, the embodiment of the present invention provides an authentication method for applying the access smart card. The method will be described in detail below in combination with several specific embodiments. Embodiment 1 The embodiment of the present invention provides an authentication method for an application access smart card. As shown in FIG. 1 , the method includes:
S102: 智能卡接收应用发送的接入请求, 将接入请求的认证信息发送给应用; S102: The smart card receives an access request sent by the application, and sends the authentication information of the access request to the application.
S104: 智能卡接收认证信息的认证响应, 其中, 应用从智能卡的卡发行商服务器 获取认证响应并发送至智能卡; S106: 当智能卡对认证响应验证通过时, 允许应用接入智能卡。 在本优选实施方式中, 智能卡在接收到应用的接入请求后, 响应于该接入请求生 成对应于该应用本次接入的认证信息, 并将该认证信息发给应用, 以触发该应用向卡 发行商服务器获取对应于该认证信息的认证响应, 只有在该应用向智能卡返回匹配的 认证响应后, 智能卡才将该应用接入。 通过上述方式, 实现了智能卡对应用接入的鉴 权认证, 从而解决现有技术中没有一种可以通过智能卡完成应用接入的鉴权认证的方 式, 使得智能卡上的数据或功能不能被终端的应用调用, 业务的安全性得不到保证的 技术问题, 实现了智能卡对请求接入智能卡的应用进行接入控制, 使得终端应用可以 将业务认证相关数据部署到智能卡上, 提高了业务的安全性。 因该认证信息是为了从卡发行商服务器获取对应应用本次接入该智能卡的认证响 应, 在本发明实施例一个优选实施方式中, 认证信息可以携带有: 智能卡的智能卡标 识和 /或智能卡为应用本次接入所生成的随机数。 实施时, 应用已在自己的应用提供商服务器处进行了注册, 应用提供商服务器和 卡发行商服务器中存在一定的签约关系, 因此, 应用可以通过与应用提供商服务器存 在签约关系的卡发行商服务器获取认证响应。 在一个优选实施方式中, 应用从智能卡 的卡发行商服务器获取认证响应, 包括: 应用利用应用提供商服务器从卡发行商服务 器获取认证响应。 具体地, 应用利用应用提供商服务器从卡发行商服务器获取认证响应的步骤, 如 图 2所示, 包括: S202: 应用和应用提供商服务器之间进行相互认证并建立第一安全连接, 应用通 过第一安全连接将认证信息发送给应用提供商服务器; S104: The smart card receives the authentication response of the authentication information, where the application obtains the authentication response from the card issuer server of the smart card and sends the authentication response to the smart card. S106: Allow the application to access the smart card when the smart card verifies the authentication response. In the preferred embodiment, after receiving the access request of the application, the smart card generates authentication information corresponding to the current access of the application in response to the access request, and sends the authentication information to the application to trigger the application. The authentication response corresponding to the authentication information is obtained from the card issuer server, and the smart card accesses the application only after the application returns a matching authentication response to the smart card. In the above manner, the authentication authentication of the application access by the smart card is implemented, so that there is no way in the prior art that the authentication authentication of the application access can be completed by the smart card, so that the data or function on the smart card cannot be used by the terminal. The application is invoked, and the security of the service is not guaranteed. The smart card implements access control for the application that requests the access to the smart card, so that the terminal application can deploy the service authentication related data to the smart card, thereby improving the security of the service. . In the preferred embodiment of the present invention, the authentication information may be carried by the smart card identifier and/or the smart card of the smart card. The authentication information is used to obtain the authentication response of the smart card from the card issuer server. Apply the random number generated by this access. At the time of implementation, the application has been registered at its own application provider server, and there is a certain contract relationship between the application provider server and the card issuer server. Therefore, the application can pass the card issuer with the contract relationship with the application provider server. The server obtains an authentication response. In a preferred embodiment, the application obtains the authentication response from the card issuer server of the smart card, the method comprising: the application obtaining the authentication response from the card issuer server by using the application provider server. Specifically, the step of the application obtaining the authentication response from the card issuer server by using the application provider server, as shown in FIG. 2, includes: S202: The application and the application provider server perform mutual authentication and establish a first secure connection, and the application sends the authentication information to the application provider server by using the first secure connection;
S204: 应用提供商服务器和卡发行商服务器之间进行相互认证并建立第二安全连 接, 应用提供商服务器通过第二安全连接将认证信息转发给卡发行商服务器; S206: 卡发行商服务器接收应用提供商服务器转发的认证信息; S204: Perform mutual authentication and establish a second secure connection between the application provider server and the card issuer server, and the application provider server forwards the authentication information to the card issuer server through the second secure connection; S206: the card issuer server receives the application Authentication information forwarded by the provider server;
S208: 当卡发行商服务器对认证信息验证通过后, 卡发行商服务器根据认证信息 生成认证响应; S208: After the card issuer server verifies the authentication information, the card issuer server generates an authentication response according to the authentication information.
S210: 卡发行商服务器通过第二安全连接将认证响应发送给应用提供商服务器, 由应用提供商服务器通过第一安全连接将认证响应转发至应用。 在上述步骤 S208中, 卡发行商服务器根据认证信息生成认证响应, 包括: 卡发行 商服务器根据智能卡标识查找与智能卡对应的根密钥, 其中, 根密钥是卡发行商服务 器为每一张智能卡分配的密钥信息, 智能卡与根密钥一一对应; 卡发行商服务器根据 根密钥和随机数生成认证响应。 在上述优选实施方式中, 卡发行商服务器在发行智能 卡时, 为每张智能卡分配一个根密钥 (KIC), 该根密钥可以为 128比特的对称密钥, 并且与智能卡的智能卡标识 (ICCID) 相对应。 优选地, 卡发行商服务器保存该根密 钥和 ICCID,卡发行商服务器通过智能卡的 ICCID可以查询到该智能卡的根密钥 KIC, 智能卡的根密钥 KIC在智能卡发行时就已经保存在智能卡中, 智能卡根密钥只能存在 于卡发行商服务器和智能卡中, 禁止被读出。 为了保证应用接入的安全性, 在一个优选实施方式中, 卡发行商服务器还在认证 响应中携带第一认证内容的同时还携带有第一临时会话密钥, 其中, 卡发行商服务器 利用第一临时会话密钥对认证响应进行加密传输。 同时, 该第一临时会话密钥还用于 后续信道建立后数据的交互的数据加密。 对应的, 在智能卡侧, 也需要和卡发行商服务器采用相同的方式生成对应的第二 临时会话密钥和第二认证内容, 在一个优选实施方式中, 在接收认证信息的认证响应 之后, 智能卡按照与卡发行商服务器对应的方式, 将认证信息中的随机数和自身的根 密钥生成第二认证内容和第二临时会话密钥; 智能卡根据第二会话密钥对认证响应进 行解密, 如果解密成功, 则对解密得到的第一认证内容和第二认证内容进行比较, 如 果相同, 则表明验证成功。 在智能卡接入应用的过程中, 可以根据上述的第一临时会话密钥和第二临时会话 密钥建立对应的安全信道, 并利用该第一临时会话密钥和第二临时会话密钥进行信息 的交互, 在一个优选实施方式中, 智能卡接入应用的步骤包括: 首先, 智能卡使用第 一临时会话密钥和第二临时会话密钥在自身和应用之间建立安全信道; 其次, 智能卡 通过安全信道与应用进行信息交互。 为了减少资源的不必要浪费, 并减少数据的冗余, 在应用关闭或者是其他原因致 使应用不需要和智能卡进行信息交互时, 可以释放和该应用对应的安全信道, 同时删 除临时会话密钥, 在一个优选实施方式中, 智能卡将应用接入智能卡之后, 还包括: 当应用关闭时, 智能卡释放安全信道, 之后智能卡删除第二临时会话密钥。 在上述优 选实施方式中, 应用每一次接入智能卡都会进行一个安全信道的建立, 同时会为该次 接入生成一对临时会话密钥, 减少了资源浪费, 也保证了终端应用的安全接入。 在本发明一个优选实施方式中, 认证信息还携带有应用本次接入时智能卡的第一 序列号。 该第一序列号按如下步骤生成: 智能卡在自身存储的第二序列号上增加预定 值, 得到第三序列号; 智能卡判断第三序列号是否大于预定阈值; 若是, 则将预设初 始值赋值给第一序列号和第二序列号; 若否, 则将第三序列号赋值给第一序列号和第 二序列号。 例如, 上述的预定值可以设置为 1, 预设初始值是 0, 此时, 智能卡预先存储一个 序列号 (SQNIC), 当该智能卡需要产生认证信息时智能卡将自身的 SQNIC加 1。 当 智能卡中所保存的 SQNIC计数溢出后, SQNIC会重新赋值为初始值 0。 在卡发行商服务器侧也存储与 SQNIC对应的序列号 SQRSER,在一个优选实施方 式中, 根据认证信息生成认证响应, 包括: 卡发行商服务器从认证信息中获取第一序 列号 (SQNIC) 和智能卡标识; 卡发行商服务器根据智能卡标识查找自身存储的对应 于该智能卡的第四序列号(SQRSER); 卡发行商服务器根据第一序列号和第四序列号 进行验证, 在验证通过后, 卡发行商服务器生成认证响应。 卡发行商服务器根据第一 序列号和第四序列号进行验证, 包括: 卡发行商服务器判断第一序列号是否大于或等 于第四序列号, 如果大于或等于, 则验证成功, 卡发行商服务器将第一序列号赋值给 第四序列号; 卡发行商服务器判断第一序列号加上预定值后是否大于预定阈值, 如果 大于, 则卡发行商服务器将预设初始值赋值给第四序列号。 现以预定值是 1, 预设初始值是 0为例进行说明, 卡发行商服务器为每一个自己 发行的智能卡保存有不同的 SQNSER,如果 SQMC大于或等于 SQNSER,则验证 SQN 成功, 此时将更新 SQNSER, 将接收到的 SQNIC的值赋值给 SQNSER, 并接着进行 下面的认证步骤; 如果 SQNIC小于 SQNSER, 则验证 SQN失败, 卡发行商拒绝产生 认证响应, 如果验证成功, 卡发行商服务器还应检测 SQNSER是否已到最大值, 即 SQNSER再加 1是否会溢出, 如果是, 则赋值 SQNSER=0。 S210: The card issuer server sends the authentication response to the application provider server through the second secure connection, and the application provider server forwards the authentication response to the application through the first secure connection. In the above step S208, the card issuer server generates the authentication response according to the authentication information, including: the card issuer server searches for the root key corresponding to the smart card according to the smart card identifier, where the root key is the card issuer server for each smart card The assigned key information, the smart card corresponds to the root key one by one; the card issuer server generates an authentication response according to the root key and the random number. In the above preferred embodiment, the card issuer server assigns a smart key (KIC) to each smart card when issuing the smart card, the root key may be a 128-bit symmetric key, and the smart card identification (ICCID) with the smart card ) Corresponding. Preferably, the card issuer server saves the root key and the ICCID, and the card issuer server can query the root key KIC of the smart card through the ICCID of the smart card, and the root key KIC of the smart card is already saved in the smart card when the smart card is issued. The smart card root key can only exist in the card issuer server and smart card, and is prohibited from being read. In order to ensure the security of the application access, in a preferred embodiment, the card issuer server also carries the first temporary session key while carrying the first authentication content in the authentication response, wherein the card issuer server utilizes the first A temporary session key encrypts the authentication response. At the same time, the first temporary session key is also used for data encryption of the interaction of data after subsequent channel establishment. Correspondingly, on the smart card side, the corresponding second temporary session key and the second authentication content are also generated in the same manner as the card issuer server. In a preferred embodiment, after receiving the authentication response of the authentication information, the smart card Generating the second authentication content and the second temporary session key by using the random number in the authentication information and the root key thereof in a manner corresponding to the card issuer server; the smart card decrypts the authentication response according to the second session key, if If the decryption is successful, the first authentication content obtained by the decryption is compared with the second authentication content. If they are the same, the verification is successful. In the process of the smart card accessing the application, the corresponding secure channel may be established according to the first temporary session key and the second temporary session key, and the information is performed by using the first temporary session key and the second temporary session key. Interaction, in a preferred embodiment, the step of the smart card accessing the application comprises: first, the smart card establishes a secure channel between itself and the application by using the first temporary session key and the second temporary session key; secondly, the smart card passes the security The channel interacts with the application for information. In order to reduce the unnecessary waste of resources and reduce the redundancy of data, when the application is closed or other reasons cause the application to exchange information with the smart card, the secure channel corresponding to the application can be released, and the temporary session key is deleted. In a preferred embodiment, after the smart card connects the application to the smart card, the method further includes: when the application is closed, the smart card releases the secure channel, and then the smart card deletes the second temporary session key. In the above preferred embodiment, each time a smart card is accessed, a secure channel is established, and a pair of temporary session keys are generated for the access, which reduces resource waste and ensures secure access of the terminal application. . In a preferred embodiment of the present invention, the authentication information further carries a first serial number of the smart card when the current access is applied. The first serial number is generated as follows: the smart card adds a predetermined value to the second serial number stored by itself, and obtains a third serial number; the smart card determines whether the third serial number is greater than a predetermined threshold; if yes, assigns a preset initial value Giving the first serial number and the second serial number; if not, assigning the third serial number to the first serial number and the second serial number. For example, the above predetermined value may be set to 1, and the preset initial value is 0. At this time, the smart card stores a serial number (SQNIC) in advance, and the smart card adds 1 to its own SQNIC when the smart card needs to generate authentication information. When the SQNIC count saved in the smart card overflows, SQNIC will be reset to the initial value of 0. The serial number SQRSER corresponding to the SQNIC is also stored on the card issuer server side. In a preferred embodiment, the authentication response is generated according to the authentication information, including: the card issuer server obtains the first serial number (SQNIC) and the smart card from the authentication information. The card issuer server searches for a fourth serial number (SQRSER) corresponding to the smart card stored by the card issuer server according to the smart card identifier; the card issuer server performs verification according to the first serial number and the fourth serial number, and after the verification is passed, the card is issued The merchant server generates an authentication response. The card issuer server performs verification according to the first serial number and the fourth serial number, including: the card issuer server determines whether the first serial number is greater than or equal to the fourth serial number, and if greater than or equal to, the verification succeeds, the card issuer server Assigning the first serial number to the fourth serial number; the card issuer server determines whether the first serial number plus the predetermined value is greater than a predetermined threshold, and if greater, the card issuer server assigns the preset initial value to the fourth serial number . Now, the predetermined value is 1 and the preset initial value is 0. The card issuer server saves different SQNSER for each self-issued smart card. If the SQMC is greater than or equal to SQNSER, the SQN is verified. Update SQNSER, assign the value of the received SQNIC to SQNSER, and then proceed The following authentication steps; if the SQNIC is less than SQNSER, the SQN fails to be verified, and the card issuer refuses to generate an authentication response. If the verification is successful, the card issuer server should also check whether the SQNSER has reached the maximum value, that is, whether SQNSER plus 1 will overflow. If yes, assign SQNSER=0.
实施例 2 本发明实施例还提供了一种应用接入智能卡的认证装置, 位于智能卡中, 如图 3 所示, 包括: 第一接收单元 302, 设置为接收应用发送的接入请求, 将接入请求的认 证信息发送给应用; 第二接收单元 304, 设置为接收认证信息的认证响应, 其中, 应 用从智能卡的卡发行商服务器获取认证响应并发送至智能卡; 接入单元 306, 设置为 当智能卡对认证响应验证通过时, 允许该应用接入智能卡。 在本优选实施方式中, 智能卡在接收到应用的接入请求后, 响应于该接入请求生 成对应于该应用本次接入的认证信息, 并将该认证信息发给应用, 以触发该应用向卡 发行商服务器获取对应于该认证信息的认证响应, 只有在该应用向智能卡返回匹配的 认证响应后, 智能卡才将该应用接入。 通过上述方式, 实现了智能卡对应用接入的鉴 权认证, 从而解决现有技术中没有一种可以通过智能卡完成应用接入的鉴权认证的方 式, 使得智能卡上的数据或功能不能被终端的应用调用, 业务的安全性得不到保证的 技术问题, 实现了应用安全接入智能卡, 使得终端应用可以将业务认证相关数据部署 到智能卡上, 提高了业务的安全性。 因该认证信息是为了从卡发行商服务器获取对应应用本次接入该智能卡的认证响 应, 在本发明实施例一个优选实施方式中, 认证信息携带可以有: 智能卡的智能卡标 识和 /或智能卡为应用本次接入所生成的随机数。 该装置要和上述的应用进行交互以实现应用的接入, 应用已在自己的应用提供商 服务器处进行了注册, 应用提供商服务器和卡发行商服务器存在一定的签约关系, 因 此, 应用可以通过与自身注册的应用提供商服务器存在签约关系的卡发行商服务器获 取认证响应。 为了保证应用接入的安全性, 卡发行商服务器还在认证响应中携带第一认证内容 的同时还携带有第一临时会话密钥, 对应的在智能卡侧, 在一个优选实施方式中, 如 图 4所示, 该装置还包括: 第一生成单元 402, 设置为当认证响应携带有第一认证内 容和第一临时会话密钥时, 在接收认证信息的认证响应之后, 根据认证信息中的随机 数和自身的根密钥按照和卡发行商服务器对应的方式生成第二认证内容和第二临时会 话密钥; 解密单元 404, 设置为根据第二会话密钥对认证响应进行解密, 如果解密成 功, 则对解密得到的第一认证内容和第二认证内容进行比较, 如果相同, 则表明验证 成功。 在智能卡接入应用的过程中, 可以根据上述的第一临时会话密钥和第二临时会话 密钥建立对应的安全信道, 并利用该第一临时会话密钥和第二临时会话密钥进行信息 的交互, 在一个优选实施方式中, 如图 5所示, 接入单元包括: 接入模块 502, 设置 为使用第一临时会话密钥和第二临时会话密钥在自身和应用之间建立安全信道; 交互 模块 504, 设置为通过安全信道与应用进行信息交互。 为了减少资源的不必要浪费, 并减少数据的冗余, 在应用关闭或者是其他原因致 使应用不需要和智能卡进行信息交互时, 可以释放和该应用对应的安全信道, 同时删 除临时会话密钥, 在一个优选实施方式中, 该装置还包括: 释放单元, 设置为当应用 关闭时, 释放安全信道; 删除单元, 设置为删除第二临时会话密钥。 在上述优选实施 方式中, 应用每一次接入智能卡都会进行一个安全信道的建立, 同时会为该次接入生 成一对临时会话密钥, 减少了资源浪费也保证了终端应用的安全接入。 在本发明一个优选实施方式中, 认证信息还携带有应用本次接入时智能卡的第一 序列号。 在一个优选实施方式中, 如图 6所示, 该装置还包括: 第二生成单元 602, 设置为生成携带有应用本次接入时智能卡的第一序列号的认证信息。 在本发明一个优选实施方式中, 如图 7所示, 上述的第二生成单元 602包括: 增 加模块 702, 设置为在自身存储的第二序列号上增加预定值, 得到第三序列号; 判断 模块 704, 设置为判断第三序列号是否大于预定阈值; 第一赋值模块 706, 设置为在判 断出第三序列号大于预定阈值时, 将预设初始值赋值给第一序列号和第二序列号; 第 二赋值模块 708, 设置为在判断出第三序列号不大于预定阈值时, 将第三序列号赋值 给第一序列号和第二序列号。 例如, 上述的预定值可以设置为 1, 预设初始值为 0, 此时, 智能卡预先存储一个 序列号 (SQNIC), 当该智能卡需要产生认证信息时智能卡将自身的 SQNIC加 1。 当 智能卡中所保存的 SQNIC计数溢出后, SQNIC会重新赋值为初始值 0。 本发明实施例还提供了另一种应用接入智能卡的认证装置, 位于卡发行商服务器 中, 如图 8所示, 包括: 第三接收单元 802, 设置为应用发送的认证信息, 其中, 认 证信息携带有智能卡的智能卡标识和 /或智能卡为应用本次接入所生成的随机数; 第三 生成单元 804, 设置为根据认证信息认证响应, 并将认证响应发送给应用。 在一个优选实施方式中, 如图 9所示, 第三生成单元包括: 第一查找模块 902, 设置为器根据智能卡标识查找与智能卡对应的根密钥, 其中, 根密钥是卡发行商服务 器为每一张智能卡分配的密钥信息, 智能卡与根密钥一一对应; 第一生成模块 904, 设置为根据根密钥和随机数生成认证响应。 在上述优选实施方式中, 卡发行商服务器 在发行智能卡时, 为每张智能卡分配一个根密钥 (KIC), 该根密钥可以为 128比特的 对称密钥, 并且与智能卡的智能卡标识 (ICCID) 相对应。 优选地, 卡发行商服务器 保存该根密钥和 ICCID, 卡发行商服务器通过智能卡的 ICCID可以查询到该智能卡的 根密钥 KIC, 智能卡的根密钥 KIC在智能卡发行时就已经保存在智能卡中, 智能卡根 密钥只能存在于卡发行商服务器和智能卡中, 禁止被读出。 为了保证应用接入的安全性, 在一个优选实施方式中, 卡发行商服务器还在认证 响应中携带第一认证内容的同时还携带有第一临时会话密钥, 其中, 卡发行商服务器 利用第一临时会话密钥对认证响应进行加密传输。 同时, 该第一临时会话密钥还设置 为后续信道建立后数据的交互的数据加密。 在本发明实施例一个优选实施方式中, 如 图 10所示, 第三生成单元包括: 第二生成模块 1002, 设置为生成携带有第一认证内 容和第一临时会话密钥的认证响应; 加密模块 1004, 设置为利用第一临时会话密钥对 认证响应进行加密。 在卡发行商服务器侧也存储与 SQNIC对应的序列号 SQRSER,在一个优选实施方 式中, 如图 11所示, 第三生成单元包括: 获取模块 1102, 设置为从认证信息中获取 第一序列号和智能卡标识; 第二查找模块 1104, 设置为根据智能卡标识查找自身存储 的对应于该智能卡的第四序列号; 验证模块 1106, 设置为根据第一序列号和第四序列 号进行验证, 在验证通过后, 生成认证响应。 现以预定值是 1, 预设初始值是 0为例进行说明, 卡发行商服务器为每一个自己 发行的智能卡保存有不同的 SQNSER,如果 SQNIC大于或等于 SQNSER,则验证 SQN 成功, 此时将更新 SQNSER, 将接收到的 SQNIC的值赋值给 SQNSER, 并接着进行 下面的认证步骤; 如果 SQNIC小于 SQNSER, 则验证 SQN失败, 卡发行商拒绝产生 认证响应, 如果验证成功, 卡发行商服务器还应检测 SQNSER是否已到最大值, 即 SQNSER再加 1是否会溢出, 如果是, 则赋值 SQNSER=0。 根据图 3-图 11示出的应用接入智能卡的认证装置,本发明实施例还提供了一种应 用接入智能卡的认证系统,包括: 上述的位于智能卡中的应用接入智能卡的认证装置, 和位于卡发行商服务器中的应用接入智能卡的认证装置。 实施例 3 本发明提供了一种优选的实施例来进一步对本发明进行解释,但是值得注意的是, 该优选实施例只是为了更好的描述本发明, 并不构成对本发明不当的限定。 本发明实施例描述了一种应用接入智能卡的方法流程, 如图 12所示, 包括: 步骤 S1202: 终端应用请求接入智能卡, 具体的, 终端应用向智能卡发起接入请 求, 并请求智能卡产生认证信息。 步骤 S1204: 智能卡在接收到应用发起的接入请求后, 将产生认证信息, 并将该 认证信息返回给应用, 要求应用携带该认证信息所对应的认证响应接入智能卡。 步骤 S1206: 应用在接收到智能卡发送来的认证信息后, 将通过应用提供商服务 器向卡发行商服务器请求所述认证信息所对应的认证响应。 其中, 应用提供商是发布该应用的应用提供商, 卡发行商是该智能卡的生产商。 优选地, 应用提供商和卡发行商之间有着签约关系, 应用提供商发布的应用可以使用 卡发行商发行的智能卡的业务认证功能, 应用向卡发行商服务器请求认证响应的消息 在安全信道中进行传输。 步骤 S1208: 卡发行商服务器产生认证响应后, 通过应用提供商服务器将认证响 应发送给合法的应用, 应用携带认证响应接入智能卡, 智能卡对认证响应进行验证, 以便对应用进行接入控制。 本实施例还提供了一种应用如何获得认证信息和认证响应, 并给智能卡发送认证 响应请求接入智能卡的流程, 如图 13所示, 包括: 步骤 S1302, 应用提供商和卡发行商进行签约。 应用提供商发布的应用可以授权 使用卡发行商发行的智能卡进行业务认证相关操作。 具体的签约过程和现有技术中的 签约采用相同的方式即可, 在此不再赘述。 步骤 S1304, 应用在启动后, 如果应用要接入智能卡, 首先向智能卡发送接入请 求, 请求智能卡产生认证信息。 步骤 S1306, 智能卡在接收到应用发送的接入请求后, 产生认证信息, 并将认证 信息发送给应用, 要求应用提供与认证信息对应的认证响应。 其中, 该认证信息中包 括智能卡的 ICCIDCIC Card Identity, IC卡标识)。 优选地, 该 ICCID是智能卡的卡号, 反映了发行国别、 网号、 发行地区、 发行时间、 生产厂商等信息, ICCID存在于智能 卡的 EFICCID中, 总是可读, 但不能被更改。 步骤 S1308, 应用向应用提供商服务器发起连接请求, 应用提供商服务器和应用 进行相互的认证。 上述的步骤 S1308主要是为了确保应用为应用提供商发布的合法应用。 优选地, 应用和应用提供商服务器之间应建立起安全信道, 应用和应用提供商服务器之间的所 有信息交互都应该加密和完整性保护, 防止攻击者在应用和应用提供商服务器之间接 口上盗取信息。 在本步骤中, 应用和应用提供商服务器之间的认证和安全信道的建立应该由应用 提供商进行规范。 步骤 S1310, 应用向应用提供商服务器发起获取认证响应请求, 请求应用提供商 为其请求认证响应。 在该请求中, 应用要发送智能卡产生的认证信息, 获取认证响应 请求应该在应用和应用提供商服务器之间的安全信道中传输, 被加密和完整性保护。 步骤 S1312, 应用提供商服务器向卡发行商服务器发起连接请求, 应用提供商服 务器和卡发行商服务器进行相互的认证。 在上述的步骤 S1312中, 应用提供商服务器和卡发行商服务器之间应建立起安全 信道, 应用提供商服务器和卡发行商服务器之间的所有信息交互都应该加密和完整性 保护, 防止攻击者在应用提供商服务器和卡发行商服务器之间接口上盗取信息。 在本步骤中, 应用提供商服务器和卡发行商服务器之间的相互认证和安全信道的 建立应该由应用提供商和卡发行商之间的签约所规范。 步骤 S1314,应用提供商服务器将步骤 S1310中的消息经过解密和完整性验证后, 将步骤 S1310请求中认证信息发送给卡发行商服务器, 并请求认证响应。 应用提供商 服务器向卡发行商服务器发送的信息在应用提供商服务器和卡发行商服务器之间的安 全信道中传输, 被加密和完整性保护。 步骤 S1316, 如果卡发行商服务器认为应用提供商服务器是和自身具有签约关系 的, 则卡发行商服务器会将步骤 S1314发送的消息解密并进行完整性验证, 并根据步 骤 S1314中发送的 ICCID查询到智能卡的根密钥 KIC, 并根据根密钥和步骤 S1314中 发送的其他认证信息产生认证响应 (此处的认证响应对应于权利要求中的第一认证内 容) 和应用临时会话密钥 (此处的应用临时会话密钥对应于权利要求中的第一临时会 话密钥)。 应用临时会话密钥用于在应用和智能卡之间的通信建立起临时的安全信道。 应用 临时会话密钥为对称密钥, 卡发行商服务器生成应用临时会话密钥, 通过安全连接传 递给发起请求的合法应用; 智能卡根据认证数据产生应用临时会话密钥。 应用若成功 接入智能卡, 那么应用和智能卡之间将建立起安全信道, 应用和智能卡之间的信息交 互将被应用临时会话密钥加密和完整性保护。 当应用释放了和智能卡的连接通道后, 应用临时会话密钥将失效, 智能卡会删除应用临时会话密钥。 步骤 S1318, 卡发行商服务器在产生了认证响应和应用临时会话密钥后, 将认证 响应和临时会话密钥通过卡发行商服务器和应用提供商服务器之间的安全信道发送给 应用提供商服务器, 认证响应和应用临时会话密钥被加密和完整性保护。 步骤 S1320, 应用提供商服务器将步骤 S1318的消息解密和完整性验证后, 将认 证响应和应用临时会话密钥通过应用提供商服务器和应用之间的安全信道发送给应 用。 认证响应和应用临时会话密钥被加密和完整性保护, 以防止攻击者窃取认证响应 和应用临时会话密钥。 步骤 S1322, 应用将步骤 S1320消息解密和完整性验证后, 向智能卡发送认证响 应信息, 其中, 该认证响应消息包括认证响应, 请求智能卡对认证响应进行验证。 认 证响应信息被应用临时会话密钥加密和完整性保护。 步骤 S1324,智能卡根据应用对应的认证信息产生智能卡侧的应用临时会话密钥, 并产生智能卡所期望的响应消息。 智能卡将认证响应信息进行解密和完整性验证后, 对认证响应进行认证。 步骤 S1326, 如果智能卡认为应用为授权接入智能卡的应用 (即, 认证通过), 则 允许应用接入智能卡, 并使用应用和智能卡所保存的对称的应用临时会话密钥建立起 安全信道, 对应用和智能卡之间的信息交互进行加密和完整性保护。 本发明实施例还提供了一种智能卡对请求接入智能卡的应用进行接入控制的具体 方法, 如图 14所示, 包括: 步骤 S1402, 应用请求接入智能卡。 步骤 S1404, 智能卡产生认证信息, 该认证信息可以包括以下信息: ICCID、 随机 数(RAND)、 SQN® AK。其中, RAND为智能卡产生的一个 128 比特的随机数, SQN ( Sequence Number,序列号)为智能卡产生的 48比特的序列号, AK ( Anonymity Key, 匿名密钥) 为智能卡产生的 48比特的匿名密钥。 其中, ®为异或运算。 其中, 上述的 SQN为智能卡和卡发行商服务器都保存的序列号,其目的是让卡发 行商服务器对智能卡产生的 SQN进行认证,确保智能卡产生的认证信息不被攻击者利 用对卡发行商服务器进行重放攻击。 将智能卡产生的序列号记为 SQNIC, 卡发行商保 有的记为 SQNSER。 智能卡产生 SQNIC ® AK之后, 智能卡中的 SQNIC要自加 1。 当 智能卡中所保存的 SQNIC计数溢出后, SQNIC会重新赋值为 0。 上述的 AK为智能卡产生的匿名密钥,产生的方法为 AK=f5(KIC, RAND),其中, f5算法同 3G安全架构中 AKA过程中 UICC卡中所持有的 f5算法。 上述的 RAND、 AK应保存在智能卡中, 应用释放与智能卡的连接通道后, 对应 的 AK、 RAND应该被删除。 应用再次申请接入智能卡时, 智能卡应该重新产生 AK、 RA Do 智能卡产生的认证信息可以是 RAND||SQNIC ® AK||ICCID。然而,值得注意的是, 上述生成认证信息所涉及的算法和公式仅仅是作为一种优选的实现方式, 本发明不限 于此。 步骤 S1406, 智能卡将认证信息发送给终端上的应用。 步骤 S1408, 应用会使用某种方式向卡发行商服务器请求认证响应, 并将认证信 息传递给卡发行商服务器, 卡发行商服务器通过一些方式确保应用为已签约应用提供 商发布的合法应用, 卡发行商服务器将认证响应传递给已签约应用提供商发布的合法 应用。 步骤 S1410, 卡发行商服务器先利用认证消息中的 ICCID查询到对应该智能卡的 KIC; 然后, 卡发行商服务器利用 KIC和认证信息中的 RAND产生匿名密钥 AK, AK=f5(KIC , RAND) ; 然后, 卡发行商服务器利用匿名密钥 AK 和认证信息中的 SQMC ® AK得到 SQNIC, SQMC=AK® (SQMC ® AK); 卡发行商服务器对 SQNIC 进行认证, 以防止重放攻击。 步骤 S1410中的认证方法具体为:比较 SQNIC和卡发行商服务器保存的 SQNSER, SQNSER和 ICCID 对应, 卡发行商服务器为每一个自己发行的智能卡保存有不同的 SQNSER。 如果 SQNIC大于或等于 SQNSER, 则验证 SQN成功, 此时卡发行商服务 器更新 SQNSER, 并将接收到的 SQNIC的值赋值给 SQNSER, 并继续进行下面的认 证步骤; 如果 SQNIC小于 SQNSER, 则验证 SQN失败, 卡发行商拒绝产生认证响应。 优选地, 如果验证 SQN成功, 卡发行商服务器还应检测 SQNSER是否已到最大 值, 即, SQNSER再加 1是否会出现溢出, 如果是, 则赋值 SQNSER=0。 值得注意的 是, 此处赋初始值为 0仅为一种示意性表述, 本发明不限于此, 还可以小于最大值的 任意值作为初始值。 步骤 S1412, 如果验证 SQN成功, 卡发行商服务器产生认证响应 (RES), 该认 证响应 RES=£2CKIC, RAND)。 £2算法同 3G安全架构中 AKA过程 UICC卡中所持有 的 £2算法。 并且, 卡发行商服务器还会产生应用临时会话密钥 KENC和 KINC, KENC用于 应用和智能卡之间数据的加密, KINC 用于应用和智能卡之间数据的完整性保护。 KENC=fi(RA D,K); KINC=f4(RA D,K)。 β和 f4算法同 3G安全架构中 AKA过程 UICC卡中所持有的 β、 f4算法。 步骤 S1414, 卡发行商服务器会通过某种方式将认证响应 RES、 应用临时会话密 钥 KENC和 KINC传递给应用。卡发行商服务器将认证响应、应用临时会话密钥 KENC 和 KINC传递给已签约应用提供商发布的合法应用。 优选地, 卡发行商服务器仅会将 认证响应发送给和自身签约的应用提供商, 以保证接入的应用为合法的应用, 提高数 据的安全性。 步骤 S1416,应用使用应用临时会话密钥 KENC和 KINC将认证响应 RES加密和 完整性保护。 步骤 S1418, 应用将加密和完整性保护的认证响应发送给智能卡, 请求接入智能 卡。 步骤 S1420,智能卡根据保存的与应用对应的 RAND和智能卡根密钥 KIC产生应 用临时会话密钥 KENC和 KINC, 并使用 KENC和 KINC将认证响应解密和完整性验 证。智能卡根据保存的与应用对应的 RAND和智能卡根密钥 KIC产生期望相应 XRES, XRES= £2(KIC, RAND)0智能卡比较期望相应 XRES和认证响应 RES,如果两者相等, 则允许应用接入智能卡; 如果两者不相等, 则拒绝应用接入智能卡。 步骤 S1422, 应用若成功接入智能卡, 则使用应用和智能卡所保存的对称的应用 临时会话密钥 KENC和 KINC建立起安全信道, 对应用和智能卡之间的信息交互进行 加密和完整性保护。 本发明实施例还描述了一种应用请求接入智能卡, 智能卡对应用进行接入控制的 具体实施方式, 具体步骤如图 15所示, 包括: 步骤 S1502, 应用提供商和卡发行商进行签约。 步骤 S1504, 应用在启动后, 如果应用要接入智能卡, 首先向智能卡发送接入请 求, 请求智能卡产生认证信息。 步骤 S1506, 智能卡接收到来自于应用的接入请求后, 产生认证信息, 其中, 该 认证信息中携带有 ICCID、 随机数 RAND以及 SQN㊉ AK。 步骤 S1508, 智能卡认证信息发送给应用, 要求应用提供与该认证信息对应的认 证响应。 步骤 S1510, 应用向应用提供商服务器发起连接请求, 应用提供商服务器和应用 进行相互的认证, 以确保应用为应用提供商发布的合法应用。 应用和应用提供商服务 器之间应建立起安全信道, 应用和应用提供商服务器之间的所有信息交互都应该进行 加密和完整性的保护, 防止攻击者在应用和应用提供商服务器之间接口上盗取信息。 步骤 S1512, 应用向应用提供商服务器发起获取认证响应的请求, 用于请求应用 提供商为其请求认证响应。 在该请求中, 应用要发送智能卡产生的认证信息, 其中, 认证信息包括 ICCID、 随机数 RAND、 SQN® AK。获取认证响应请求应该在应用和应 用提供商服务器之间的安全信道中传输, 被加密和完整性保护。 步骤 S1514, 应用提供商服务器向卡发行商服务器发起连接请求, 应用提供商服 务器和卡发行商服务器进行相互的认证。 应用提供商服务器和卡发行商服务器之间应 建立起安全信道, 应用提供商服务器和卡发行商服务器之间的所有信息交互都应该进 行加密和完整性保护, 以防止攻击者在应用提供商服务器和卡发行商服务器之间接口 上盗取信息。 步骤 S1516, 应用提供商服务器将步骤 S1512中的消息解密和完整性验证后, 将 步骤 S1512请求中的认证信息 (包括 ICCID、 随机数 RAND、 SQN® AK)发送给卡发行 商服务器, 并请求认证响应。 应用提供商服务器向卡发行商服务器发送的信息在应用 提供商服务器和卡发行商服务器之间的安全信道中传输, 被加密和完整性保护。 步骤 S1518, 如果卡发行商服务器认为应用提供商服务器是和自己具有签约关系 的,卡发行商服务器会将步骤 S1516发送的消息解密并进行完整性验证,得到 ICCID、 随机数 RAND以及 SQN® AK。卡发行商服务器先利用认证消息中的 ICCID查询到对 应的 KIC; 然后卡发行商服务器利用 KIC和认证信息中的 RAND产生匿名密钥 AK, AK=f5(KIC , RAND) ; 然后卡发行商服务器利用匿名密钥 AK 和认证信息中的 SQMC ® AK得到 SQMC, SQMC=AK® (SQMC ® AK); 卡发行商服务器对 SQNIC 进行认证, 以防止重放攻击。 步骤 S1520, 如果验证 SQN成功, 卡发行商服务器会产生认证响应 RES, 可以按 照如下公式得到认证响应, RES=£2(KIC, RAND)0 并且, 卡发行商服务器会产生应用 临时会话密钥 KENC和 KINC, 步骤 S1522, 卡发行商服务器在产生了认证响应 (RES ) 和应用临时会话密钥 (KENC和 KINC) 后, 将 RES和 KENC、 KINC通过卡发行商服务器和应用提供商 服务器之间的安全信道发送给应用提供商服务器。 RES和 KENC、 KINC被加密和完 整性保护。 步骤 S1524,应用提供商服务器将步骤 S1522的消息解密和完整性验证后,将 RES 和 KENC、 KINC通过应用提供商服务器和应用之间的安全信道发送给应用。 RES和 KENC KINC被加密和完整性保护, 以防止攻击者窃取 RES和 KENC、 KINC。 步骤 S1526, 应用将步骤 S1524消息解密和完整性验证后, 向智能卡发送认证响 应信息, 其中包括 RES, 请求智能卡对认证响应进行验证。 认证响应信息被 KENC、 KINC加密和完整性保护。 步骤 S1528, 智能卡根据应用对应的认证信息产生智能卡侧的应用临时会话密钥 KENC KINC, 并产生期望相应 XRES。 智能卡将认证响应信息进行解密和完整性验 证后, 对 RES进行认证。 在步骤 S1528 中, 智能卡根据保存的与所述应用对应的 RAND和智能卡根密钥 KIC产生期望相应 XRES, XRES= £2(KIC, RA D)0 智能卡比较期望相应 XRES和认 证响应 RES, 如果两者相等, 则认证成功, 允许应用接入智能卡; 如果两者不相等, 则认证失败, 拒绝应用接入智能卡。 步骤 S1530, 如果智能卡认为应用为授权接入智能卡的应用, 则允许应用接入智 能卡, 并使用应用和智能卡所保存的对称的应用临时会话密钥建立起安全信道,、应用 若成功接入智能卡, 则使用应用和智能卡所保存的对称的应用临时会话密钥 KENC和 KINC 建立起安全信道, 对所述应用和所述智能卡之间的信息交互进行加密和完整性 保护。 对应用和智能卡之间的信息交互进行加密和完整性保护。 从以上的描述中, 可以看出, 本发明实现了如下技术效果: 智能卡在接收到应用的接入请求后, 响应于该接入请求生成对应于该应用本次接 入的认证信息, 并将该认证信息发给应用, 以触发该应用向卡发行商服务器获取对应 于该认证信息的认证响应, 只有在该应用向智能卡返回匹配的认证响应后, 智能卡才 将该应用接入。 通过上述方式, 实现了智能卡对应用接入的鉴权认证, 从而解决现有 技术中没有一种可以通过智能卡完成应用接入的鉴权认证的方式, 使得智能卡上的数 据或功能不能被终端的应用调用, 业务的安全性得不到保证的技术问题, 实现了智能 卡对请求接入智能卡的应用进行接入控制, 使得终端应用可以将业务认证相关数据部 署到智能卡上, 提高了业务的安全性。 显然, 本领域的技术人员应该明白, 上述的本发明的各模块或各步骤可以用通用 的计算装置来实现, 它们可以集中在单个的计算装置上, 或者分布在多个计算装置所 组成的网络上, 可选地, 它们可以用计算装置可执行的程序代码来实现, 从而, 可以 将它们存储在存储装置中由计算装置来执行, 并且在某些情况下, 可以以不同于此处 的顺序执行所示出或描述的步骤, 或者将它们分别制作成各个集成电路模块, 或者将 它们中的多个模块或步骤制作成单个集成电路模块来实现。 这样, 本发明不限制于任 何特定的硬件和软件结合。 以上仅为本发明的优选实施例而已, 并不用于限制本发明, 对于本领域的技术人 员来说, 本发明可以有各种更改和变化。 凡在本发明的精神和原则之内, 所作的任何 修改、 等同替换、 改进等, 均应包含在本发明的保护范围之内。 Embodiment 2 The embodiment of the present invention further provides an authentication device for accessing a smart card, which is located in a smart card. As shown in FIG. 3, the method includes: a first receiving unit 302, configured to receive an access request sent by an application, and connect The authentication information of the incoming request is sent to the application; the second receiving unit 304 is configured to receive an authentication response of the authentication information, wherein the application obtains the authentication response from the card issuer server of the smart card and sends the authentication response to the smart card; and the access unit 306 is configured to be When the smart card verifies the authentication response, the application is allowed to access the smart card. In the preferred embodiment, after receiving the access request of the application, the smart card generates authentication information corresponding to the current access of the application in response to the access request, and sends the authentication information to the application to trigger the application. The authentication response corresponding to the authentication information is obtained from the card issuer server, and the smart card accesses the application only after the application returns a matching authentication response to the smart card. In the above manner, the authentication authentication of the application access by the smart card is implemented, so that there is no way in the prior art that the authentication authentication of the application access can be completed by the smart card, so that the data or function on the smart card cannot be used by the terminal. The application is invoked, the security of the service is not guaranteed, and the application security access smart card is implemented, so that the terminal application can deploy the service authentication related data to the smart card, thereby improving the security of the service. In the preferred embodiment of the present invention, the authentication information carries: the smart card identifier of the smart card and/or the smart card is configured to obtain the authentication response of the smart card from the card issuer server. Apply the random number generated by this access. The device needs to interact with the above application to implement application access, the application has been registered at its own application provider server, and the application provider server and the card issuer server have a certain contract relationship, so the application can pass The card issuer server that has a contractual relationship with the application provider server registered by itself acquires the authentication response. In order to ensure the security of the application access, the card issuer server also carries the first temporary session key while carrying the first authentication content in the authentication response, corresponding to the smart card side, in a preferred embodiment, as shown in the figure As shown in FIG. 4, the apparatus further includes: a first generating unit 402, configured to: when the authentication response carries the first authentication content and the first temporary session key, after receiving the authentication response of the authentication information, according to the randomness in the authentication information The number and its own root key generate a second authentication content and a second temporary session key in a manner corresponding to the card issuer server; the decryption unit 404 is configured to decrypt the authentication response according to the second session key, if decrypted into The function compares the first authentication content obtained by the decryption with the second authentication content. If they are the same, it indicates that the verification is successful. In the process of the smart card accessing the application, the corresponding secure channel may be established according to the first temporary session key and the second temporary session key, and the information is performed by using the first temporary session key and the second temporary session key. Interaction, in a preferred embodiment, as shown in FIG. 5, the access unit includes: an access module 502, configured to establish a security between itself and an application using the first temporary session key and the second temporary session key The channel; the interaction module 504 is configured to perform information interaction with the application through the secure channel. In order to reduce the unnecessary waste of resources and reduce the redundancy of data, when the application is closed or other reasons cause the application to exchange information with the smart card, the secure channel corresponding to the application can be released, and the temporary session key is deleted. In a preferred embodiment, the apparatus further comprises: a release unit configured to release the secure channel when the application is closed; and a deletion unit configured to delete the second temporary session key. In the above preferred embodiment, each time a smart card is accessed, a secure channel is established, and a pair of temporary session keys are generated for the access, which reduces resource waste and ensures secure access of the terminal application. In a preferred embodiment of the present invention, the authentication information further carries a first serial number of the smart card when the current access is applied. In a preferred embodiment, as shown in FIG. 6, the apparatus further includes: a second generating unit 602, configured to generate authentication information carrying a first serial number of the smart card when the current access is applied. In a preferred embodiment of the present invention, as shown in FIG. 7, the foregoing second generating unit 602 includes: an adding module 702, configured to add a predetermined value to the second serial number stored by itself, to obtain a third serial number; The module 704 is configured to determine whether the third serial number is greater than a predetermined threshold. The first assigning module 706 is configured to assign the preset initial value to the first serial number and the second sequence when determining that the third serial number is greater than a predetermined threshold. The second assignment module 708 is configured to assign the third serial number to the first serial number and the second serial number when determining that the third serial number is not greater than a predetermined threshold. For example, the above predetermined value may be set to 1, and the preset initial value is 0. At this time, the smart card stores a serial number (SQNIC) in advance, and the smart card adds 1 to its own SQNIC when the smart card needs to generate authentication information. When the SQNIC count saved in the smart card overflows, SQNIC will be reset to the initial value of 0. The embodiment of the present invention further provides another authentication device for accessing the smart card, which is located in the card issuer server. As shown in FIG. 8, the method includes: a third receiving unit 802, configured to send authentication information, wherein the authentication The information carries the smart card identifier of the smart card and/or the smart card is a random number generated by applying the current access; the third generating unit 804 is configured to authenticate the response according to the authentication information, and send the authentication response to the application. In a preferred embodiment, as shown in FIG. 9, the third generating unit includes: a first searching module 902, configured to: search for a root key corresponding to the smart card according to the smart card identifier, where the root key is a card issuer server For each key card assigned to the smart card, the smart card has a one-to-one correspondence with the root key; the first generating module 904 is configured to generate an authentication response according to the root key and the random number. In the above preferred embodiment, the card issuer server assigns a smart key (KIC) to each smart card when issuing the smart card, the root key may be a 128-bit symmetric key, and the smart card identification (ICCID) with the smart card ) Corresponding. Preferably, the card issuer server saves the root key and the ICCID, and the card issuer server can query the root key KIC of the smart card through the ICCID of the smart card, and the root key KIC of the smart card is already saved in the smart card when the smart card is issued. The smart card root key can only exist in the card issuer server and smart card, and is prohibited from being read. In order to ensure the security of the application access, in a preferred embodiment, the card issuer server also carries the first temporary session key while carrying the first authentication content in the authentication response, wherein the card issuer server utilizes the first A temporary session key encrypts the authentication response. At the same time, the first temporary session key is also set to data encryption of the interaction of the data after the subsequent channel establishment. In a preferred embodiment of the present invention, as shown in FIG. 10, the third generating unit includes: a second generating module 1002, configured to generate an authentication response carrying the first authentication content and the first temporary session key; Module 1004, is configured to encrypt the authentication response with the first temporary session key. The serial number SQRSER corresponding to the SQNIC is also stored on the card issuer server side. In a preferred embodiment, as shown in FIG. 11, the third generating unit includes: an obtaining module 1102, configured to obtain the first serial number from the authentication information. And the smart card identifier; the second search module 1104 is configured to search, according to the smart card identifier, the fourth serial number corresponding to the smart card stored by the smart card identifier; the verification module 1106 is configured to perform verification according to the first serial number and the fourth serial number, and verify After passing, an authentication response is generated. Now, the predetermined value is 1 and the preset initial value is 0. The card issuer server stores different SQNSER for each self-issued smart card. If the SQNIC is greater than or equal to SQNSER, the SQN is verified to be successful. Update SQNSER, assign the value of the received SQNIC to SQNSER, and then perform the following authentication steps; if SQNIC is less than SQNSER, verify that SQN fails, and the card issuer refuses to generate an authentication response. If the verification is successful, the card issuer server should also Check if SQNSER has reached the maximum value, that is, whether SQNSER adds 1 or not, if yes, assign SQNSER=0. According to the authentication device of the application access smart card shown in FIG. 3 to FIG. 11 , an embodiment of the present invention further provides an authentication system for accessing a smart card, comprising: the above-mentioned authentication device for accessing the smart card by the application located in the smart card, An authentication device that accesses the smart card with an application located in the card issuer server. Example 3 The present invention has been described in terms of a preferred embodiment of the present invention, but it is to be understood that the preferred embodiment is only for the purpose of describing the present invention. The embodiment of the present invention describes a method for applying the method for accessing a smart card. As shown in FIG. 12, the method includes the following steps: Step S1202: The terminal application requests access to the smart card. Specifically, the terminal application initiates an access request to the smart card, and requests the smart card to generate. Certification Information. Step S1204: After receiving the access request initiated by the application, the smart card generates the authentication information, and returns the authentication information to the application, and requires the application to carry the authentication response corresponding to the authentication information to access the smart card. Step S1206: After receiving the authentication information sent by the smart card, the application requests the authentication response corresponding to the authentication information to the card issuer server through the application provider server. Among them, the application provider is the application provider that publishes the application, and the card issuer is the manufacturer of the smart card. Preferably, the application provider and the card issuer have a contractual relationship, and the application issued by the application provider can use the service authentication function of the smart card issued by the card issuer, and the application requests the authentication response message from the card issuer server in the secure channel. Transfer. Step S1208: After the card issuer server generates the authentication response, the application provider server sends the authentication response to the legitimate application, and the application carries the authentication response to access the smart card, and the smart card verifies the authentication response, so as to perform access control on the application. The embodiment also provides an application process for obtaining the authentication information and the authentication response, and sending the authentication response request to the smart card to access the smart card. As shown in FIG. 13, the method includes the following steps: Step S1302: The application provider and the card issuer sign the contract. . Applications published by application providers can authorize the use of smart cards issued by card issuers for business authentication related operations. The specific signing process and the signing in the prior art may be in the same manner, and are not described herein again. Step S1304: After the application is started, if the application needs to access the smart card, first send an access request to the smart card, requesting the smart card to generate the authentication information. Step S1306: After receiving the access request sent by the application, the smart card generates the authentication information, and sends the authentication information to the application, and requests the application to provide an authentication response corresponding to the authentication information. The authentication information includes an ICCIDCIC Card Identity of the smart card, and an IC card identifier. Preferably, the ICCID is the card number of the smart card, reflecting the information of the issuing country, the network number, the issuing area, the issuing time, the manufacturer, etc. The ICCID exists in the EFECCID of the smart card and is always readable but cannot be changed. Step S1308: The application initiates a connection request to the application provider server, and the application provider server and the application perform mutual authentication. The above step S1308 is mainly to ensure that the application is a legitimate application published by the application provider. Preferably, a secure channel should be established between the application and the application provider server, and all information interaction between the application and the application provider server should be encrypted and integrity protected to prevent an attacker from interfacing between the application and the application provider server. Stealing information. In this step, the establishment of the authentication and secure channel between the application and the application provider server should be regulated by the application provider. Step S1310: The application initiates an acquisition authentication response request to the application provider server, requesting the application provider to request an authentication response. In the request, the application sends the authentication information generated by the smart card, and the authentication response request should be transmitted in the secure channel between the application and the application provider server, encrypted and integrity protected. In step S1312, the application provider server initiates a connection request to the card issuer server, and the application provider server and the card issuer server perform mutual authentication. In the above step S1312, a secure channel should be established between the application provider server and the card issuer server, and all information interaction between the application provider server and the card issuer server should be encrypted and integrity protected to prevent an attacker. Stealing information on the interface between the application provider server and the card issuer server. In this step, mutual authentication and establishment of a secure channel between the application provider server and the card issuer server should be regulated by a contract between the application provider and the card issuer. In step S1314, after the application provider server passes the decryption and integrity verification of the message in step S1310, the authentication information in the request of step S1310 is sent to the card issuer server, and the authentication response is requested. The information sent by the application provider server to the card issuer server is transmitted in a secure channel between the application provider server and the card issuer server, encrypted and integrity protected. Step S1316, if the card issuer server considers that the application provider server has a contractual relationship with itself, the card issuer server decrypts the message sent in step S1314 and performs integrity verification, and queries according to the ICCID sent in step S1314. The root key KIC of the smart card, and generates an authentication response (the authentication response here corresponds to the first authentication content in the claims) and the application temporary session key according to the root key and other authentication information sent in step S1314 (here) The application temporary session key corresponds to the first temporary session key in the claim). The temporary session key is applied to establish a temporary secure channel for communication between the application and the smart card. The temporary session key is applied as a symmetric key, and the card issuer server generates an application temporary session key, which is transmitted to the legitimate application that initiated the request through the secure connection; the smart card generates the application temporary session key according to the authentication data. If the application successfully accesses the smart card, a secure channel will be established between the application and the smart card, and the information interaction between the application and the smart card will be applied with temporary session key encryption and integrity protection. When the application releases the connection channel with the smart card, the application temporary session key will be invalidated, and the smart card deletes the application temporary session key. Step S1318: After generating the authentication response and applying the temporary session key, the card issuer server sends the authentication response and the temporary session key to the application provider server through a secure channel between the card issuer server and the application provider server. The authentication response and application temporary session key are encrypted and integrity protected. Step S1320: After the application provider server decrypts the message of step S1318 and completes the integrity verification, the authentication response and the application temporary session key are sent to the application through a secure channel between the application provider server and the application. The authentication response and application temporary session key are encrypted and integrity protected to prevent an attacker from stealing the authentication response and applying the temporary session key. Step S1322: After the application decrypts the message and integrity verification in step S1320, the application sends the authentication response information to the smart card, where the authentication response message includes an authentication response, and the smart card is requested to verify the authentication response. The authentication response information is applied with temporary session key encryption and integrity protection. Step S1324: The smart card generates an application temporary session key on the smart card side according to the authentication information corresponding to the application, and generates a response message desired by the smart card. After the smart card decrypts and integrity verifies the authentication response information, it authenticates the authentication response. Step S1326: If the smart card considers that the application is an application authorized to access the smart card (ie, the authentication passes), the application is allowed to access the smart card, and the secure channel is established by using the symmetric application temporary session key saved by the application and the smart card. The information exchanges with the smart card for encryption and integrity protection. The embodiment of the present invention further provides a specific method for the smart card to perform access control on the application for accessing the smart card. As shown in FIG. 14, the method includes: Step S1402: The application requests access to the smart card. Step S1404, the smart card generates authentication information, and the authentication information may include the following information: ICCID, random number (RAND), SQN® AK. RAND is a 128-bit random number generated by the smart card, SQN (Sequence Number) is a 48-bit serial number generated by the smart card, and AK (Anonymity Key) is a 48-bit anonymous secret generated by the smart card. key. Among them, ® is an exclusive OR operation. The SQN is a serial number saved by the smart card and the card issuer server, and the purpose is to enable the card issuer server to authenticate the SQN generated by the smart card, and ensure that the authentication information generated by the smart card is not used by the attacker to use the card issuer server. Perform a replay attack. The serial number generated by the smart card is recorded as SQNIC, and the card issuer's record is SQNSER. After the smart card generates SQNIC ® AK, the SQNIC in the smart card must be incremented by 1. When the SQNIC count saved in the smart card overflows, SQNIC will be reset to 0. The above AK is an anonymous key generated by the smart card, and the generated method is AK=f5(KIC, RAND), wherein the f5 algorithm is the same as the f5 algorithm held in the UICC card in the AKA process in the 3G security architecture. The above RAND and AK should be saved in the smart card. After the application releases the connection channel with the smart card, the corresponding AK and RAND should be deleted. When the application applies for access to the smart card again, the smart card should regenerate the AK, RA Do. The authentication information generated by the smart card can be RAND||SQNIC ® AK||ICCID. However, it is worth noting that the above-described algorithms and formulas for generating authentication information are merely preferred implementations, and the present invention is not limited thereto. Step S1406: The smart card sends the authentication information to the application on the terminal. In step S1408, the application requests the authentication response from the card issuer server in some manner, and passes the authentication information to the card issuer server. The card issuer server ensures that the application is a legitimate application issued by the contracted application provider by using some means. The publisher server passes the authentication response to the legitimate application published by the contracted application provider. Step S1410, the card issuer server first queries the KIC corresponding to the smart card by using the ICCID in the authentication message; then, the card issuer server generates the anonymous key AK by using the KIC and the RAND in the authentication information, AK=f5(KIC, RAND) Then, the card issuer server obtains SQNIC, SQMC=AK® (SQMC ® AK) using the anonymous key AK and SQMC ® AK in the authentication information; the card issuer server authenticates the SQNIC to prevent replay attacks. The authentication method in step S1410 is specifically: comparing SQNIC and SQNSER saved by the card issuer server, SQNSER and ICCID, and the card issuer server stores different SQNSERs for each self-issued smart card. If the SQNIC is greater than or equal to SQNSER, then the SQN is verified to be successful. At this time, the card issuer server updates the SQNSER, and assigns the value of the received SQNIC to the SQNSER, and proceeds to the following authentication step; if the SQNIC is smaller than the SQNSER, the verification of the SQN fails. The card issuer refuses to generate an authentication response. Preferably, if the verification SQN is successful, the card issuer server should also check if the SQNSER has reached the maximum value, that is, whether SQNSER is incremented by 1 or not, and if so, assign SQNSER=0. It should be noted that the initial value of 0 is only a schematic expression, and the present invention is not limited thereto, and any value smaller than the maximum value may be used as the initial value. In step S1412, if the verification SQN is successful, the card issuer server generates an authentication response (RES), which is RES=£2CKIC, RAND). The £2 algorithm is the same as the £2 algorithm held in the AKA process UICC card in the 3G security architecture. Moreover, the card issuer server also generates application temporary session keys KENC and KINC, KENC for data encryption between the application and the smart card, and KINC for data integrity protection between the application and the smart card. KENC=fi(RA D,K) ; KINC=f4(RA D,K). The β and f4 algorithms are the same as the β and f4 algorithms held in the AKA process UICC card in the 3G security architecture. In step S1414, the card issuer server will pass the authentication response RES, the application temporary session key KENC and the KINC to the application in some manner. The card issuer server passes the authentication response, the application temporary session keys KENC and KINC to the legitimate application published by the contracted application provider. Preferably, the card issuer server only sends the authentication response to the application provider that is contracted with itself to ensure that the accessed application is a legitimate application, thereby improving data security. In step S1416, the application encrypts and integrity protects the authentication response RES using the application temporary session keys KENC and KINC. Step S1418: The application sends the authentication response of the encryption and integrity protection to the smart card to request access to the smart card. In step S1420, the smart card generates an application temporary session key KENC and KINC according to the saved RAND and smart card root key KIC corresponding to the application, and decrypts the authentication response and integrity verification using KENC and KINC. The smart card generates the desired XRES according to the saved RAND and smart card root key KIC corresponding to the application, XRES= £2(KIC, RAND) 0 The smart card compares the expected XRES and the authentication response RES, and if the two are equal, the application is allowed to access. Smart card; if the two are not equal, the application is denied access to the smart card. Step S1422: If the application successfully accesses the smart card, the application establishes a secure channel by using the symmetric application temporary session keys KENC and KINC stored by the smart card, and encrypts and protects the information interaction between the application and the smart card. The embodiment of the present invention further describes a specific implementation manner in which an application requests access to a smart card, and the smart card performs access control on the application. The specific steps are as shown in FIG. 15 , including: Step S1502 : The application provider and the card issuer perform signing. Step S1504: After the application is started, if the application needs to access the smart card, first send an access request to the smart card, requesting the smart card to generate the authentication information. Step S1506: After receiving the access request from the application, the smart card generates the authentication information, where the authentication information carries the ICCID, the random number RAND, and the SQN ten AK. Step S1508: The smart card authentication information is sent to the application, and the application is required to provide an authentication response corresponding to the authentication information. In step S1510, the application initiates a connection request to the application provider server, and the application provider server and the application perform mutual authentication to ensure that the application is a legitimate application issued by the application provider. A secure channel should be established between the application and the application provider server. All information interaction between the application and the application provider server should be protected by encryption and integrity to prevent the attacker from interfacing between the application and the application provider server. Steal information. Step S1512: The application initiates a request for obtaining an authentication response to the application provider server, for requesting the application provider to request an authentication response for the application. In the request, the application sends the authentication information generated by the smart card, wherein the authentication information includes an ICCID, a random number RAND, and an SQN® AK. The get authentication response request should be transmitted in the secure channel between the application and the application provider server, encrypted and integrity protected. In step S1514, the application provider server initiates a connection request to the card issuer server, and the application provider server and the card issuer server perform mutual authentication. A secure channel should be established between the application provider server and the card issuer server. All information interaction between the application provider server and the card issuer server should be encrypted and integrity protected to prevent the attacker from being on the application provider server. Stealing information on the interface with the card publisher server. Step S1516, after the application provider server decrypts the message and integrity verification in step S1512, sends the authentication information (including ICCID, random number RAND, SQN® AK) in the request of step S1512 to the card issuer server, and requests authentication. response. The information sent by the application provider server to the card issuer server is transmitted in a secure channel between the application provider server and the card issuer server, encrypted and integrity protected. Step S1518, if the card issuer server considers that the application provider server has a contractual relationship with itself, the card issuer server decrypts the message sent in step S1516 and performs integrity verification to obtain an ICCID, a random number RAND, and an SQN® AK. The card issuer server first queries the pair with the ICCID in the authentication message. The KIC; then the card issuer server uses the KIC and RAND in the authentication information to generate the anonymous key AK, AK=f5(KIC, RAND); then the card issuer server utilizes the anonymous key AK and the SQMC ® AK in the authentication information Get SQMC, SQMC=AK® (SQMC ® AK); The card issuer server authenticates the SQNIC to prevent replay attacks. Step S1520, if the verification SQN is successful, the card issuer server generates an authentication response RES, and the authentication response can be obtained according to the following formula, RES=£2(KIC, RAND) 0, and the card issuer server generates the application temporary session key KENC. And KINC, step S1522, after the card issuer server generates the authentication response (RES) and applies the temporary session key (KENC and KINC), the RES and KENC, KINC are passed between the card issuer server and the application provider server. The secure channel is sent to the application provider server. RES and KENC, KINC are encrypted and integrity protected. In step S1524, after the application provider server decrypts the message and integrity verification in step S1522, the RES and KENC and KINC are sent to the application through a secure channel between the application provider server and the application. RES and KENC KINC are encrypted and integrity protected to prevent attackers from stealing RES and KENC, KINC. Step S1526, after the application decrypts the message and integrity verification in step S1524, the application sends the authentication response information to the smart card, including the RES, and requests the smart card to verify the authentication response. The authentication response information is protected by KENC, KINC encryption and integrity. Step S1528: The smart card generates an application temporary session key KENC KINC on the smart card side according to the authentication information corresponding to the application, and generates a desired XRES. After the smart card decrypts and completes the authentication response information, it authenticates the RES. In step S1528, the smart card generates a desired XRES according to the saved RAND and smart card root key KIC corresponding to the application, XRES=£2(KIC, RA D) 0, the smart card compares the expected XRES and the authentication response RES, if two If the two are equal, the authentication succeeds, and the application is allowed to access the smart card. If the two are not equal, the authentication fails, and the application is denied access to the smart card. Step S1530: If the smart card considers that the application is an application authorized to access the smart card, the application is allowed to access the smart card, and the secure channel is established by using the symmetric application temporary session key saved by the application and the smart card, and if the application successfully accesses the smart card, Then, the secure channel is established by using the symmetric application temporary session keys KENC and KINC held by the application and the smart card, and the information interaction between the application and the smart card is encrypted and integrity protected. Encryption and integrity protection for information interaction between applications and smart cards. From the above description, it can be seen that the present invention achieves the following technical effects: after receiving an access request of an application, the smart card generates authentication information corresponding to the current access of the application in response to the access request, and The authentication information is sent to the application to trigger the application to obtain an authentication response corresponding to the authentication information to the card issuer server, and the smart card accesses the application only after the application returns a matching authentication response to the smart card. In the above manner, the authentication authentication of the application access by the smart card is implemented, so that there is no way in the prior art that the authentication authentication of the application access can be completed by the smart card, so that the data or function on the smart card cannot be used by the terminal. The application is invoked, and the security of the service is not guaranteed. The smart card implements access control for the application that requests the access to the smart card, so that the terminal application can deploy the service authentication related data to the smart card, thereby improving the security of the service. . Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, such that they may be stored in the storage device by the computing device and, in some cases, may be different from the order herein. The steps shown or described are performed, or they are separately fabricated into individual integrated circuit modules, or a plurality of modules or steps are fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software. The above are only the preferred embodiments of the present invention, and are not intended to limit the present invention, and various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.

Claims

权 利 要 求 书 Claim
1. 一种应用接入智能卡的认证方法, 包括: 1. An authentication method for an application access smart card, including:
智能卡接收应用发送的接入请求, 将所述接入请求的认证信息发送给所述 应用;  Receiving, by the smart card, an access request sent by the application, and sending the authentication information of the access request to the application;
所述智能卡接收所述认证信息的认证响应, 其中, 所述应用从所述智能卡 的卡发行商服务器获取所述认证响应并发送至所述智能卡;  Receiving, by the smart card, an authentication response of the authentication information, where the application acquires the authentication response from a card issuer server of the smart card and sends the authentication response to the smart card;
当所述智能卡对所述认证响应验证通过时, 允许所述应用接入到所述智能 卡。  When the smart card verifies the authentication response, the application is allowed to access the smart card.
2. 根据权利要求 1所述的方法, 其中, 所述应用从所述智能卡的卡发行商服务器 获取所述认证响应, 包括: 所述应用利用应用提供商服务器从所述卡发行商服 务器获取所述认证响应。 2. The method according to claim 1, wherein the obtaining, by the application, the authentication response from a card issuer server of the smart card, comprises: the application acquiring an application from the card issuer server by using an application provider server Describe the certification response.
3. 根据权利要求 2所述的方法, 其中, 所述应用利用应用提供商服务器从所述卡 发行商服务器获取所述认证响应, 包括: The method according to claim 2, wherein the application acquires the authentication response from the card issuer server by using an application provider server, including:
所述应用和所述应用提供商服务器之间进行相互认证并建立第一安全连 接, 所述应用通过所述第一安全连接将所述认证信息发送给所述应用提供商服 务器;  Performing mutual authentication and establishing a first secure connection between the application and the application provider server, and the application sends the authentication information to the application provider server by using the first secure connection;
所述应用提供商服务器和所述卡发行商服务器之间进行相互认证并建立第 二安全连接, 所述应用提供商服务器通过所述第二安全连接将所述认证信息转 发给所述卡发行商服务器;  Mutual authentication and establishment of a second secure connection between the application provider server and the card issuer server, the application provider server forwarding the authentication information to the card issuer through the second secure connection Server
所述卡发行商服务器接收所述应用提供商服务器转发的所述认证信息; 当所述卡发行商服务器对所述认证信息验证通过后, 所述卡发行商服务器 根据所述认证信息生成所述认证响应;  Receiving, by the card issuer server, the authentication information forwarded by the application provider server; after the card issuer server verifies the authentication information, the card issuer server generates the Certification response;
所述卡发行商服务器通过所述第二安全连接将所述认证响应发送给所述应 用提供商服务器, 由所述应用提供商服务器通过所述第一安全连接将所述认证 响应转发至所述应用。  Sending, by the card issuer server, the authentication response to the application provider server via the second secure connection, and forwarding, by the application provider server, the authentication response to the application.
4. 根据权利要求 3所述的方法, 其中, 所述卡发行商服务器根据所述认证信息生 成所述认证响应, 包括: 所述卡发行商服务器根据智能卡标识查找与所述智能卡对应的根密钥, 其 中, 所述根密钥是所述卡发行商服务器为每一张智能卡分配的密钥信息, 所述 智能卡与所述根密钥一一对应, 所述认证信息携带有所述智能卡的智能卡标识 和所述智能卡为所述应用本次接入所生成的随机数; The method according to claim 3, wherein the card issuer server generates the authentication response according to the authentication information, including: The card issuer server searches for a root key corresponding to the smart card according to the smart card identifier, where the root key is key information allocated by the card issuer server for each smart card, and the smart card and the smart card Corresponding to the root key, the authentication information carries the smart card identifier of the smart card and the smart card is a random number generated by the application for the current access;
所述卡发行商服务器根据所述根密钥和所述随机数生成所述认证响应。 根据权利要求 4所述的方法, 其中, 所述认证响应携带有第一认证内容和第一 临时会话密钥, 其中, 所述卡发行商服务器利用所述第一临时会话密钥对所述 认证响应进行加密传输。 根据权利要求 5所述的方法, 其中, 所述智能卡接收所述认证信息的认证响应 之后, 还包括:  The card issuer server generates the authentication response based on the root key and the random number. The method according to claim 4, wherein the authentication response carries a first authentication content and a first temporary session key, wherein the card issuer server uses the first temporary session key to authenticate the The response is encrypted. The method according to claim 5, wherein, after the smart card receives the authentication response of the authentication information, the method further includes:
所述智能卡根据所述认证信息中的随机数和自身的根密钥按照和所述卡发 行商服务器对应的方式生成第二认证内容和第二临时会话密钥;  The smart card generates a second authentication content and a second temporary session key according to a random number in the authentication information and a root key thereof according to the card issuing server.
所述智能卡根据所述第二会话密钥对所述认证响应进行解密, 如果解密成 功, 则对解密得到的所述第一认证内容和所述第二认证内容进行比较, 如果相 同, 则表明验证成功。 根据权利要求 6所述的方法, 其中, 所述智能卡接入所述应用, 包括: 所述智能卡使用所述第一临时会话密钥和所述第二临时会话密钥在自身和 所述应用之间建立安全信道;  The smart card decrypts the authentication response according to the second session key, and if the decryption is successful, compares the decrypted first authentication content and the second authentication content, and if they are the same, indicates verification success. The method according to claim 6, wherein the smart card accessing the application comprises: the smart card using the first temporary session key and the second temporary session key in itself and the application Establish a secure channel;
所述智能卡通过所述安全信道与所述应用进行信息交互。 根据权利要求 7所述的方法, 其中, 所述智能卡将所述应用接入所述智能卡之 后, 还包括:  The smart card interacts with the application through the secure channel. The method according to claim 7, wherein, after the smart card connects the application to the smart card, the method further includes:
当所述应用关闭时, 所述智能卡释放所述安全信道;  The smart card releases the secure channel when the application is closed;
所述智能卡删除所述第二临时会话密钥。 根据权利要求 1所述的方法, 其中, 所述认证信息携带有所述应用本次接入时 所述智能卡的第一序列号。 根据权利要求 9所述的方法, 其中, 所述第一序列号按如下步骤生成: 所述智能卡在自身存储的第二序列号上增加预定值, 得到第三序列号; 所述智能卡判断所述第三序列号是否大于预定阈值; 若是, 则将预设初始值赋值给所述第一序列号和所述第二序列号; 若否, 则将所述第三序列号赋值给所述第一序列号和所述第二序列号。 The smart card deletes the second temporary session key. The method according to claim 1, wherein the authentication information carries a first serial number of the smart card when the application is accessed this time. The method according to claim 9, wherein the first serial number is generated as follows: the smart card adds a predetermined value to a second serial number stored by itself, to obtain a third serial number; the smart card determines the Whether the third serial number is greater than a predetermined threshold; If yes, assigning a preset initial value to the first serial number and the second serial number; if not, assigning the third serial number to the first serial number and the second serial number .
11. 根据权利要求 10所述的方法,其中,所述卡发行商服务器根据所述认证信息生 成认证响应, 包括: 11. The method of claim 10, wherein the card issuer server generates an authentication response based on the authentication information, comprising:
所述卡发行商服务器从所述认证信息中获取所述第一序列号和所述智能卡 标识;  The card issuer server acquires the first serial number and the smart card identifier from the authentication information;
所述卡发行商服务器根据所述智能卡标识查找自身存储的对应于该智能卡 的第四序列号;  The card issuer server searches for a fourth serial number corresponding to the smart card stored by itself according to the smart card identifier;
所述卡发行商服务器根据所述第一序列号和所述第四序列号进行验证, 在 验证通过后, 所述卡发行商服务器生成所述认证响应。  The card issuer server verifies according to the first serial number and the fourth serial number, and after the verification is passed, the card issuer server generates the authentication response.
12. 根据权利要求 11所述的方法,其中,所述卡发行商服务器根据所述第一序列号 和所述第四序列号进行验证, 包括: 12. The method according to claim 11, wherein the card issuer server performs verification according to the first serial number and the fourth serial number, including:
所述卡发行商服务器判断所述第一序列号是否大于或等于所述第四序列 号, 如果大于或等于, 则验证成功, 所述卡发行商服务器将所述第一序列号赋 值给所述第四序列号。  Determining, by the card issuer server, whether the first serial number is greater than or equal to the fourth serial number, if the verification is successful, the card issuer server assigns the first serial number to the The fourth serial number.
13. 根据权利要求 12所述的方法,其中,所述卡发行商服务器将所述第一序列号赋 值给所述第四序列号之后, 还包括: 13. The method according to claim 12, wherein after the card issuer server assigns the first serial number to the fourth serial number, the method further comprises:
所述卡发行商服务器判断所述第一序列号加上所述预定值后是否大于所述 预定阈值, 如果大于, 则所述卡发行商服务器将所述预设初始值赋值给所述第 四序列号。  Determining, by the card issuer server, whether the first serial number is greater than the predetermined threshold after adding the predetermined value, and if greater than, the card issuer server assigns the preset initial value to the fourth serial number.
14. 一种应用接入智能卡的认证装置, 位于智能卡中, 包括: 14. An authentication device for accessing a smart card, located in a smart card, comprising:
第一接收单元, 设置为接收应用发送的接入请求, 将所述接入请求的认证 信息发送给所述应用;  The first receiving unit is configured to receive an access request sent by the application, and send the authentication information of the access request to the application;
第二接收单元, 设置为接收所述认证信息的认证响应, 其中, 所述应用从 所述智能卡的卡发行商服务器获取所述认证响应并发送至所述智能卡;  a second receiving unit, configured to receive an authentication response of the authentication information, where the application obtains the authentication response from a card issuer server of the smart card and sends the authentication response to the smart card;
接入单元, 设置为当所述智能卡对所述认证响应验证通过时, 允许所述应 用接入到所述智能卡。  The access unit is configured to allow the application to access the smart card when the smart card verifies the authentication response.
15. 根据权利要求 14所述的装置, 其中, 还包括: 第一生成单元, 设置为当所述认证响应携带有第一认证内容和第一临时会 话密钥时, 在接收所述认证信息的认证响应之后, 根据所述认证信息中的随机 数和自身的根密钥按照和所述卡发行商服务器对应的方式生成第二认证内容和 第二临时会话密钥; The device according to claim 14, further comprising: a first generating unit, configured to: when the authentication response carries the first authentication content and the first temporary session key, after receiving the authentication response of the authentication information, according to the random number in the authentication information and the self Generating a second authentication content and a second temporary session key in a manner corresponding to the card issuer server;
解密单元, 设置为根据所述第二会话密钥对所述认证响应进行解密, 如果 解密成功, 则对解密得到的所述第一认证内容和所述第二认证内容进行比较, 如果相同, 则表明验证成功。  a decryption unit, configured to decrypt the authentication response according to the second session key, and if the decryption is successful, compare the decrypted first authentication content and the second authentication content, if they are the same, Indicates that the verification is successful.
16. 根据权利要求 15所述的装置, 其中, 所述接入单元包括: 接入模块, 设置为使用所述第一临时会话密钥和所述第二临时会话密钥在 自身和所述应用之间建立安全信道; 16. The apparatus according to claim 15, wherein the access unit comprises: an access module, configured to use the first temporary session key and the second temporary session key in itself and the application Establish a secure channel between them;
交互模块, 设置为通过所述安全信道与所述应用进行信息交互。  An interaction module is configured to perform information interaction with the application through the secure channel.
17. 根据权利要求 14所述的装置, 其中, 还包括: 第二生成单元, 设置为生成携带有所述应用本次接入时所述智能卡的第一 序列号的所述认证信息。 The device according to claim 14, further comprising: a second generating unit, configured to generate the authentication information carrying the first serial number of the smart card when the application is accessed this time.
18. 根据权利要求 17所述的装置, 其中, 所述第二生成单元包括: The device according to claim 17, wherein the second generating unit comprises:
增加模块, 设置为在自身存储的第二序列号上增加预定值, 得到第三序列 号;  Adding a module, being set to increase a predetermined value on the second serial number stored by itself, to obtain a third serial number;
判断模块, 设置为判断所述第三序列号是否大于预定阈值; 第一赋值模块, 设置为在判断出所述第三序列号大于预定阈值时, 将预设 初始值赋值给所述第一序列号和所述第二序列号;  a determining module, configured to determine whether the third serial number is greater than a predetermined threshold; the first assigning module is configured to: assign a preset initial value to the first sequence when determining that the third serial number is greater than a predetermined threshold Number and the second serial number;
第二赋值模块, 设置为在判断出所述第三序列号不大于所述预定阈值时, 将所述第三序列号赋值给所述第一序列号和所述第二序列号。  The second assignment module is configured to assign the third serial number to the first serial number and the second serial number when determining that the third serial number is not greater than the predetermined threshold.
19. 一种应用接入智能卡的认证装置, 位于卡发行商服务器中, 包括: 19. An authentication device for accessing a smart card, located in a card issuer server, comprising:
第三接收单元, 设置为应用发送的认证信息, 其中, 所述认证信息携带有 智能卡的智能卡标识和 /或所述智能卡为所述应用本次接入所生成的随机数; 第三生成单元, 设置为根据所述认证信息生成认证响应, 并将所述认证响 应发送给所述应用。  The third receiving unit is configured to send the authentication information sent by the application, where the authentication information carries the smart card identifier of the smart card and/or the smart card is a random number generated by the application for the current access; the third generating unit, It is configured to generate an authentication response according to the authentication information, and send the authentication response to the application.
20. 根据权利要求 19所述的装置, 其中, 所述第三生成单元包括: 第一查找模块, 设置为器根据所述智能卡标识查找与所述智能卡对应的根 密钥, 其中, 所述根密钥是所述卡发行商服务器为每一张智能卡分配的密钥信 息, 所述智能卡与所述根密钥一一对应; The device according to claim 19, wherein the third generating unit comprises: a first search module, configured to search for a root key corresponding to the smart card according to the smart card identifier, where the root key is key information allocated by the card issuer server for each smart card, where The smart card has a one-to-one correspondence with the root key;
第一生成模块, 设置为根据所述根密钥和所述随机数生成所述认证响应。  The first generation module is configured to generate the authentication response according to the root key and the random number.
21. 根据权利要求 19所述的装置, 其中, 所述第三生成单元包括: The device according to claim 19, wherein the third generating unit comprises:
第二生成模块, 设置为生成携带有第一认证内容和第一临时会话密钥的所 述认证响应;  a second generating module, configured to generate the authentication response that carries the first authentication content and the first temporary session key;
加密模块, 设置为利用所述第一临时会话密钥对所述认证响应进行加密。  An encryption module is configured to encrypt the authentication response with the first temporary session key.
22. 根据权利要求 19所述的装置, 其中, 所述第三生成单元包括: 获取模块, 设置为从所述认证信息中获取第一序列号和智能卡标识; 第二查找模块, 设置为根据所述智能卡标识查找自身存储的对应于该智能 卡的第四序列号; The device according to claim 19, wherein the third generating unit comprises: an acquiring module, configured to obtain a first serial number and a smart card identifier from the authentication information; and a second searching module, configured to The smart card identifier finds a fourth serial number corresponding to the smart card stored by itself;
验证模块, 设置为根据所述第一序列号和所述第四序列号进行验证, 在验 证通过后, 生成所述认证响应。  The verification module is configured to perform verification according to the first serial number and the fourth serial number, and after the verification is passed, generate the authentication response.
23. 一种应用接入智能卡的认证系统, 包括权利要求 14-18中任一项所述的位于所 述智能卡中的应用接入智能卡的认证装置, 和权利要求 19-22中任一项所述的 位于所述卡发行商服务器中的应用接入智能卡的认证装置。 An authentication system for accessing a smart card, comprising the authentication device of the application access smart card located in the smart card according to any one of claims 14-18, and the method of any one of claims 19-22 An authentication device for accessing a smart card by an application located in the card issuer server.
PCT/CN2012/075684 2012-04-06 2012-05-17 Method, device and system for authenticating access for application to smart card WO2013149426A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210099919.1 2012-04-06
CN201210099919.1A CN103368735B (en) 2012-04-06 2012-04-06 Using authentication method, the device and system of access smart card

Publications (1)

Publication Number Publication Date
WO2013149426A1 true WO2013149426A1 (en) 2013-10-10

Family

ID=49299942

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/075684 WO2013149426A1 (en) 2012-04-06 2012-05-17 Method, device and system for authenticating access for application to smart card

Country Status (2)

Country Link
CN (1) CN103368735B (en)
WO (1) WO2013149426A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610766A (en) * 2014-11-20 2016-05-25 中兴通讯股份有限公司 Method and device for logging in to cloud desktop
CN106156548B (en) * 2015-04-10 2019-01-08 杭州海康威视数字技术股份有限公司 Authentication method and device for program encryption
CN105245526B (en) * 2015-10-19 2018-06-19 中国联合网络通信集团有限公司 Call the method and apparatus of SIM card application
CN106778251A (en) * 2015-11-20 2017-05-31 北京计算机技术及应用研究所 Prevent the password authentication method of Replay Attack
CN109981284B (en) * 2019-03-11 2022-04-29 三未信安科技股份有限公司 Method and device for realizing elliptic curve digital signature
CN111211906B (en) * 2019-12-20 2023-09-26 福建魔方电子科技有限公司 Method, system, device, equipment and medium for realizing one-machine one-secret of terminal equipment
CN111954196B (en) * 2020-08-18 2021-02-26 龙杰科技(深圳)有限公司 Smart card recharging method and system based on Bluetooth, terminal equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101042737A (en) * 2006-03-24 2007-09-26 中国银联股份有限公司 Smart card and method for creating application and insertion objects in smart card
CN101459512A (en) * 2007-12-11 2009-06-17 结行信息技术(上海)有限公司 Method for smart card installation/initialization application through untrusted communication channel
CN101719821A (en) * 2008-10-09 2010-06-02 爱思开电讯投资(中国)有限公司 System for managing application program of intelligent card and method thereof
CN101729493A (en) * 2008-10-28 2010-06-09 中兴通讯股份有限公司 Method and system for distributing key

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1870040A (en) * 2006-03-24 2006-11-29 陈龙军 Electronic transaction identification method and reading and transmission equipment used by it
FR2923047B1 (en) * 2007-10-31 2012-12-21 Sagem Securite METHOD FOR MANAGING ACCESS RIGHTS IN A CHIP CARD
CN101231768B (en) * 2008-01-25 2010-09-08 北京深思洛克软件技术股份有限公司 Multi-application intelligent card and method for realizing intelligent card multi application
CN101511051B (en) * 2008-12-31 2012-09-19 北京握奇数据系统有限公司 Method, system and equipment for downloading application business of telecom smart card
US20110055573A1 (en) * 2009-09-03 2011-03-03 International Business Machines Corporation Supporting flexible use of smart cards with web applications
CN102034036A (en) * 2010-09-07 2011-04-27 北京握奇数据系统有限公司 Permission management method and equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101042737A (en) * 2006-03-24 2007-09-26 中国银联股份有限公司 Smart card and method for creating application and insertion objects in smart card
CN101459512A (en) * 2007-12-11 2009-06-17 结行信息技术(上海)有限公司 Method for smart card installation/initialization application through untrusted communication channel
CN101719821A (en) * 2008-10-09 2010-06-02 爱思开电讯投资(中国)有限公司 System for managing application program of intelligent card and method thereof
CN101729493A (en) * 2008-10-28 2010-06-09 中兴通讯股份有限公司 Method and system for distributing key

Also Published As

Publication number Publication date
CN103368735A (en) 2013-10-23
CN103368735B (en) 2018-05-04

Similar Documents

Publication Publication Date Title
JP6533203B2 (en) Mobile device supporting multiple access control clients and corresponding method
US9936384B2 (en) Systems and methods for providing security to different functions
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
KR101287227B1 (en) Virtual subscriber identity module
US20060059344A1 (en) Service authentication
US20060089123A1 (en) Use of information on smartcards for authentication and encryption
US9608971B2 (en) Method and apparatus for using a bootstrapping protocol to secure communication between a terminal and cooperating servers
WO2013149426A1 (en) Method, device and system for authenticating access for application to smart card
WO2013182154A1 (en) Method, system and terminal for encrypting/decrypting application program on communication terminal
JP2013504832A (en) Method and apparatus for reliable authentication and logon
CN101621794A (en) Method for realizing safe authentication of wireless application service system
CN109525565B (en) Defense method and system for short message interception attack
US8670567B2 (en) Recovery of expired decryption keys
EP2815553A2 (en) Mobile apparatus supporting a plurality of access control clients, and corresponding methods
CN104994498B (en) The method and system that a kind of terminal applies are interacted with mobile phone card application
EP2747333A1 (en) A secure storage system including a virtual safe device and a mobile secure storage device
KR102035158B1 (en) Method and apparatus of constructing secure infra-structure for using embedded universal integrated circuit card
JP2017139026A (en) Method and apparatus for reliable authentication and logon
CN109818903B (en) Data transmission method, system, device and computer readable storage medium
WO2009155812A1 (en) Terminal access method, access management method, network equipment and communication system
CN101742507B (en) System and method for accessing Web application site for WAPI terminal
JP2015111440A (en) Method and apparatus for trusted authentication and log-on
CN111246480A (en) Application communication method, system, equipment and storage medium based on SIM card
Loutrel et al. A smartcard for authentication in WLANs

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12873511

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12873511

Country of ref document: EP

Kind code of ref document: A1