WO2015161694A1

WO2015161694A1 - Secure data interaction method and system

Info

Publication number: WO2015161694A1
Application number: PCT/CN2015/071584
Authority: WO
Inventors: 李东声
Original assignee: 天地融科技股份有限公司
Priority date: 2014-04-25
Filing date: 2015-01-26
Publication date: 2015-10-29
Also published as: AU2015251467B2; AU2015251467A1; CA2946914C; CA2946914A1

Abstract

Provided are a secure data interaction method and system, the method comprising: a terminal scans an intelligent cryptographic device within signal coverage, and acquires the identifier information of the scanned intelligent cryptographic device; a background system server acquires the identifier information of the intelligent cryptographic device, and completes the authentication of the intelligent cryptographic device; after the background system server completes the authentication of the intelligent cryptographic device, the terminal acquires user information corresponding to the intelligent cryptographic device; and the terminal stores the user information in a pre-established current user list. By using the method, the terminal first reads the identifier information of the intelligent cryptographic device, and then utilizes the identifier information of the intelligent cryptographic device to obtain the user information corresponding to the intelligent cryptographic device, such that a customer makes payment without the use of a wallet, a credit card, a mobile phone or other methods, thus simplifying the interactive operation between the customer and a merchant, and improving user experience.

Description

Data security interaction method and system

Technical field

The present invention relates to the field of information security, and in particular, to a data security interaction method and system.

Background technique

Mobile payment is a service that allows users to use their mobile terminals (such as smart phones, PDAs, tablets, laptops, etc.) to pay for goods or services they consume. The unit or individual sends the payment instruction directly or indirectly to the banking financial institution through the mobile terminal, the Internet or proximity sensing to generate the behavior of money payment and capital circulation, thereby realizing the mobile payment function. Mobile payment combines mobile terminals, the Internet, application providers, and financial institutions to provide users with financial services such as money payment and payment.

Mobile payment mainly includes remote payment and near-field payment. Remote payment refers to the user logging in to the bank's webpage through the mobile terminal for payment, account operation, etc., which is mainly applied to the shopping and consumption of online e-commerce websites; near-field payment refers to the instant payment to the merchant through the mobile terminal when the consumer purchases the goods or services. The payment is made, the processing of the payment is performed on site, and the offline operation of the mobile network is not required, and the local communication with the vending machine and the POS machine is realized by using the radio frequency (NFC), infrared, Bluetooth, and the like of the mobile terminal.

In the entire mobile payment process, the participants involved in the payment include: consumer users, merchants, mobile operators, third-party service providers, banks. Consumer users and merchants are the service objects of the system, mobile operators provide network support, banks provide bank-related services, and third-party service providers provide payment platform services to achieve business through the combination of all parties. The electronic and mobileization of payment methods has become an inevitable development trend, and the security issue of mobile payment systems is the core issue of mobile e-commerce security.

How to ensure the security of data interaction in the process of mobile payment is an urgent problem to be solved.

Summary of the invention

The present invention is directed to solving one of the above problems.

A primary object of the present invention is to provide a data security interaction method.

Another main object of the present invention is to provide a data security interaction system.

In order to achieve the above object, the technical solution of the present invention is specifically implemented as follows:

An aspect of the present invention provides a data security interaction method, including: a terminal scanning a smart cryptographic device within a signal coverage area, and obtaining the scanned identification information of the smart cryptographic device; the background system server obtains the Identification information of the smart cryptographic device, and completing authentication of the smart cryptographic device; in the background system After the server completes the authentication of the smart cryptographic device, the terminal acquires user information corresponding to the smart cryptographic device; the terminal stores the user information into a pre-established current user list.

In addition, the background system server obtains the identification information of the smart cryptographic device, and completes the authentication of the smart cryptographic device, including: the terminal generates first to-be-signed information; and the terminal sends the first to-be-sending to the smart cryptographic device. a signature information and an authentication instruction; after receiving the first to-be-signed information and the authentication instruction, the smart cryptographic device performs signature calculation on the first to-be-signed information by using a private key of the smart cryptographic device to obtain a first a signature information; the smart cryptographic device sends the first signature information and the smart cryptographic device certificate to the terminal; after receiving the first signature information and the smart cryptographic device certificate, the terminal sends the authentication to the background system server. Request information, identification information of the smart cryptographic device, the first to-be-signed information, the first signature information, and the smart cryptographic device certificate; the background system server receives the authentication request information, the smart Identification information of the cryptographic device, the first to-be-signed information, and the first signature information After the smart password device certificate is used, the root certificate corresponding to the pre-stored smart password device certificate is used to verify whether the smart password device certificate is legal; the background system server uses the smart password after verifying that the smart password device certificate is legal. The public key of the device verifies the first signature information; after the background system server verifies that the first signature information is passed, the background system server completes the authentication of the smart cryptographic device.

In addition, the background system server obtains the identification information of the smart cryptographic device, and completes the authentication of the smart cryptographic device, including: the terminal sends the identification information of the smart cryptographic device to the background system server; the background system server receives After the identification information of the smart cryptographic device is sent, the first to-be-signed information is generated, and the first to-be-signed information is sent to the terminal; after receiving the first to-be-signed information, the terminal sends the information to the smart cryptographic device. The first to-be-signed information and the authentication instruction; after receiving the first to-be-signed information and the authentication instruction, the smart cryptographic device performs the first to-be-signed information by using a private key of the smart cryptographic device The signature calculation is performed to obtain the first signature information; the smart cryptographic device sends the first signature information and the smart cryptographic device certificate to the terminal; after receiving the first signature information and the smart cryptographic device certificate, the terminal sends a The background system server sends the authentication request information, the first signature information, and the smart password setting a certificate, the background system server, after receiving the authentication request information, the first signature information, and the smart password device certificate, verifying whether the smart password device certificate is legal by using a root certificate corresponding to the pre-stored smart password device certificate. After the background system server verifies that the smart cryptographic device certificate is legal, the first signature information is verified by using the public key of the smart cryptographic device; after the background system server verifies that the first signature information is passed, The authentication of the smart cryptographic device is completed.

In addition, the acquiring, by the terminal, the user information corresponding to the smart cryptographic device includes: sending, by the terminal, identification information of the smart cryptographic device and a user information read request to the background system server; After the identification information of the smart cryptographic device and the user information read request, according to the smart password setting Obtaining the user information corresponding to the smart cryptographic device; the background system server obtains the response information of the user information read request according to the user information, and sends the user information to the terminal to read The response information of the request; after receiving the response information of the user information read request, the terminal obtains the user information according to the response information of the user information read request.

In addition, the acquiring, by the terminal, the user information corresponding to the smart cryptographic device includes: the terminal sending a user information reading request to the smart cryptographic device; the smart cryptographic device obtaining pre-stored user information, and according to the user Obtaining response information of the user information reading request, and transmitting response information of the user information reading request to the terminal; after receiving the response information of the user information reading request, the terminal according to the The user information is obtained from the response information of the user information read request.

In addition, the performing, by the background system server, the authentication of the smart cryptographic device includes: the background system server sending the user information corresponding to the smart cryptographic device to the terminal; and the terminal acquiring the user corresponding to the smart cryptographic device The information includes: the terminal receiving user information corresponding to the smart cryptographic device sent by the background system server.

In addition, after the step of scanning the smart cryptographic device in the signal coverage and obtaining the scanned identification information of the smart cryptographic device, the method further includes: obtaining, by the terminal, signal coverage at the terminal And generating, by the identifier information of all the smart cryptographic devices, the real-time identification list; the terminal, according to the preset time interval, the identification information of the smart cryptographic device in the real-time identification list and the smart cryptographic device in the current user list The identification information is compared; if the identification information of the smart cryptographic device in the real-time identification list is not in the current user list, the terminal is configured to acquire the smart password according to the scanned identification information of the smart cryptographic device. a step of the user information corresponding to the device; and if the identification information of the smart cryptographic device in the current user list is not in the real-time identification list, deleting the smart cryptographic device in the current user list that is not in the real-time identification list User information.

In addition, after the step of scanning the smart cryptographic device in the signal coverage and obtaining the scanned identification information of the smart cryptographic device, the method further includes: obtaining, by the terminal, signal coverage at the terminal And generating, by the identifier information of all the smart cryptographic devices, the real-time identification list; the terminal, according to the preset time interval, the identification information of the smart cryptographic device in the real-time identification list and the smart cryptographic device in the current user list The identification information is compared; if the identification information of the smart cryptographic device in the real-time identification list is not in the current user list, the terminal is configured to acquire the smart password according to the scanned identification information of the smart cryptographic device. a step of the user information corresponding to the device, and after the terminal obtains the user information, storing the user information in the real-time identifier list; and if the identifier information of the smart cryptographic device in the real-time identifier list is In the current user list, the smart in the current user list The user information storage device to said real-time code In the identification list, the real-time identification list is used as the updated current user list.

In addition, after receiving the first to-be-signed information and the authentication instruction, the smart cryptographic device performs signature calculation on the first to-be-signed information by using a private key of the smart cryptographic device, and obtains the first signature information, including The smart cryptographic device converts from a sleep state to an awake state after receiving the first to-be-signed information and the authentication command; the smart cryptographic device utilizes a private key pair of the smart cryptographic device in an awake state The first signature information is subjected to signature calculation to obtain first signature information.

In addition, after the background system server obtains the identification information of the smart cryptographic device, the method further includes: the background system server determining whether the identification information of the smart cryptographic device includes the pre-stored smart in the background system server In the password device exception list, the background system server obtains the instruction to lock the smart password device after determining that the identification information of the smart password device is in the abnormal list of the smart password device, and uses the private key of the background system server Signing the smart cryptographic device command to obtain the second signature information, and transmitting, by the terminal, the locked smart cryptographic device command and the second signature information to the smart cryptographic device; the smart cryptographic device receives the After the smart cryptographic device command and the second signature information are locked, the second signature information is verified by using a pre-stored public key in the background system server certificate; the smart cryptographic device is verifying the second signature information After passing, according to the instructions for locking the smart password device Row lock operation.

In addition, the method further includes: the background system server receiving the smart password device registration application, and reviewing the smart password device registration application; the background system server, after reviewing the smart password device registration application, The smart cryptographic device sends a smart cryptographic device key pair generation command; after receiving the smart cryptographic device key pair generation instruction, the smart cryptographic device generates a smart cryptographic device key pair; the smart cryptographic device The background system server sends the public key in the smart cryptographic device key pair; after the background system server receives the public key in the smart cryptographic device key pair, the smart cryptographic device certificate is generated, and the The smart cryptographic device sends the smart cryptographic device certificate; the smart cryptographic device stores the smart cryptographic device certificate.

In addition, the smart cryptographic device obtains a smart PIN device account cancellation application, uses the private key of the smart cryptographic device to sign the account cancellation application to obtain third signature information, and sends the smart password to the background system server. And the third signature information; the background system server, after receiving the smart password device account cancellation application and the third signature information, using the public key pair in the pre-stored smart password device certificate The third signature information is verified; after the third-party signature information is verified, the background system server deletes the pre-stored smart password device certificate, and generates a smart password device account completion information to the smart password. And sending, by the device, the smart cryptographic device to complete the information; and after receiving the information about the completion of the smart cryptographic device, the smart cryptographic device deletes the private key of the smart cryptographic device.

In addition, the background system server receives the identification information of the smart cryptographic device and the user information read After the step of requesting, the step of the background system server sending the response information of the user information read request to the terminal, the method further includes: the background system server using the terminal to the smart password The device sends the user authorization request information; after receiving the user authorization request information, the smart cryptographic device generates authorization information, and sends the authorization information to the background system server by using the terminal; the background system server receives After the authorization information, the step of the background system server transmitting the response information of the user information read request to the terminal is performed.

In addition, after the smart cryptographic device receives the user authorization request information, the step of generating the authorization information includes: after receiving the user authorization request information, the smart cryptographic device converts from a sleep state to an awake state; The smart cryptographic device generates authorization information in the awake state.

In addition, before the terminal scans the smart cryptographic device within the signal coverage area and obtains the scanned identification information of the smart cryptographic device, the method further includes: the smart cryptographic device enters a scanable state.

Another aspect of the present invention provides a data security interaction system, including: a terminal, a background system server, and a smart cryptographic device; the terminal configured to scan a smart cryptographic device within a signal coverage area, and obtain the scanned smart sensible device Identification information of the cryptographic device; after the background system server completes the authentication of the smart cryptographic device, acquiring user information corresponding to the smart cryptographic device; storing the user information in a pre-established current user list; The background system server is configured to obtain identification information of the smart cryptographic device, and complete authentication of the smart cryptographic device.

In addition, the terminal is further configured to generate first to-be-signed information, send the first to-be-signed information and an authentication command to the smart cryptographic device, and receive the first signature information and the smart cryptographic device sent by the smart cryptographic device. a certificate, the authentication request information, the identification information of the smart cryptographic device, the first to-be-signed information, the first signature information, and the smart cryptographic device certificate are sent to the background system server; Receiving the first to-be-signed information and the authentication instruction sent by the terminal, performing signature calculation on the first to-be-signed information by using a private key of the smart cryptographic device, to obtain first signature information, and obtaining the first signature information; Sending the first signature information and the smart password device certificate; the background system server is further configured to receive the authentication request information sent by the terminal, the identification information of the smart cryptographic device, and the first to-be-signed information. The first signature information and the smart password device certificate, using a pre-stored smart password device The root certificate corresponding to the book verifies whether the smart cryptographic device certificate is legal; after verifying that the smart cryptographic device certificate is legal, the first signature information is verified by using the public key of the smart cryptographic device; and the first signature is verified After the information is passed, the authentication of the smart cryptographic device is completed.

In addition, the terminal is further configured to send the identification information of the smart cryptographic device to the background system server, receive the first to-be-signed information sent by the background system server, and send the first to-be-signed information to the smart cryptographic device. And the authentication command; receiving the first signature information and the smart password device certificate sent by the smart cryptographic device, and sending the authentication request information, the first signature information, and the smart cryptographic device certificate to the background system server; The system server is further configured to receive the identification information of the smart cryptographic device sent by the terminal, generate first to-be-signed information, and send the first to-be-signed information to the terminal; and receive the authentication sent by the terminal Requesting information, the first signature information, and the smart cryptographic device certificate, verifying whether the smart cryptographic device certificate is legal by using a root certificate corresponding to the pre-stored smart cryptographic device certificate; and verifying that the smart cryptographic device certificate is legal, using The public key of the smart cryptographic device verifies the first signature information; after verifying that the first signature information is passed, the authentication of the smart cryptographic device is completed; the smart cryptographic device is further configured to receive the terminal Transmitting the first to-be-signed information and the authentication instruction, using the smart Code private key of the first device the information to be signed signature calculation, to obtain a first signature information; transmitting to the terminal the first signature information and the cryptographic smart device certificates.

In addition, the terminal is further configured to send the identification information of the smart cryptographic device and the user information read request to the background system server, and receive the response information of the user information read request sent by the background system server, Obtaining the user information according to the response information of the user information reading request; the background system server is further configured to receive the identification information of the smart cryptographic device and the user information reading request sent by the terminal, according to The identification information of the smart cryptographic device acquires user information corresponding to the smart cryptographic device; obtains response information of the user information read request according to the user information, and sends the user information read request to the terminal Response information.

In addition, the terminal is further configured to send a user information read request to the smart cryptographic device, receive response information of the user information read request sent by the smart cryptographic device, and read the request according to the user information. Receiving the user information in response to the information; the smart cryptographic device is further configured to obtain pre-stored user information, and obtain response information of the user information read request according to the user information, and send the User information read request response information.

In addition, the background system server is further configured to send the user information corresponding to the smart cryptographic device to the terminal; the terminal is further configured to receive user information corresponding to the smart cryptographic device sent by the background system server. .

In addition, the terminal is further configured to: after the terminal scans the smart cryptographic device within the signal coverage range, and obtains the scanned identification information of the smart cryptographic device, obtains all the signal coverage within the terminal And the identification information of the smart cryptographic device is compared with the identification information of the smart cryptographic device in the current user list according to the preset time interval; If the identification information of the smart cryptographic device in the real-time identification list is not in the current user list, Obtaining, by the identifier information of the smart cryptographic device, the user information corresponding to the smart cryptographic device; and if the identification information of the smart cryptographic device in the current user list is not in the real-time identifier list, deleting the current User information of the smart cryptographic device that is not in the real-time identification list in the user list.

In addition, the terminal is further configured to: after the terminal scans the smart cryptographic device within the signal coverage range, and obtains the scanned identification information of the smart cryptographic device, obtains all the signal coverage within the terminal And the identification information of the smart cryptographic device is compared with the identification information of the smart cryptographic device in the current user list according to the preset time interval; If the identification information of the smart cryptographic device in the real-time identities list is not in the current user list, obtaining the user information corresponding to the smart cryptographic device according to the scanned identification information of the smart cryptographic device, and in the After the terminal obtains the user information, the user information is stored in the real-time identifier list; and if the identifier information of the smart cryptographic device in the real-time identifier list is in the current user list, the User information of the smart cryptographic device in the current user list is stored to the real-time identifier Table; the real-time identification of the updated list as a list of current users.

In addition, the smart cryptographic device is further configured to: transition from a sleep state to an awake state after receiving the first to-be-signed information and the authentication command; and use a private key pair of the smart cryptographic device in an awake state The first to-be-signed information is used for signature calculation to obtain first signature information.

In addition, the background system server is further configured to: after the background system server obtains the identification information of the smart cryptographic device, determine whether the identification information of the smart cryptographic device includes a smart password pre-stored in the background system server. After determining that the identification information of the smart cryptographic device is in the abnormal list of the smart cryptographic device, obtaining an instruction to lock the smart cryptographic device, and using the private key pair of the background system server to lock the smart cryptographic device command Performing a signature to obtain the second signature information, and transmitting, by the terminal, the locked smart cryptographic device instruction and the second signature information to the smart cryptographic device; the smart cryptographic device is further configured to receive the background system server And verifying, by using the pre-stored public key in the background system server certificate, the second signature information by using the locked smart cryptographic device command and the second signature information sent by the terminal; After the signature information is passed, the smart password device is locked according to the So that the locking operation.

In addition, the background system server is further configured to receive a smart password device registration application, and review the smart password device registration application; and send the smart to the smart password device after reviewing the smart password device registration application The cryptographic device key pair generates an instruction; receiving the public key in the smart cryptographic device key pair sent by the smart cryptographic device, generating the smart cryptographic device certificate, and transmitting the smart cryptographic device to the smart cryptographic device a smart cryptographic device, configured to receive the smart cryptographic device key pair generation command sent by the background system server, generate a smart cryptographic device key pair, and send the smart cryptographic setting to the background system server The public key in the backup key pair; storing the smart password device certificate.

In addition, the smart cryptographic device is further configured to obtain a smart PIN device account cancellation application, and use the private key of the smart cryptographic device to sign the account cancellation application to obtain third signature information, and send the third signature information to the background system server. Receiving the smart password device account cancellation application and the third signature information; receiving the smart password device account completion information sent by the background system server, deleting the private key of the smart password device; the background system server, And configured to receive the smart cryptographic device account cancellation application and the third signature information sent by the smart cryptographic device, and verify the third signature information by using a pre-stored public key in the smart cryptographic device certificate; After verifying that the third signature information is passed, the pre-stored smart password device certificate is deleted, and the smart password device account completion information is generated, and the smart password device account completion information is sent to the smart password device.

In addition, the background system server is further configured to send user authorization request information to the smart cryptographic device through the terminal, and receive the authorization information sent by the smart cryptographic device through the terminal, and send the device to the terminal. And the smart cryptographic device is further configured to receive the user authorization request information sent by the background system server by using the terminal, generate authorization information, and send the authorization information to the The background system server sends the authorization information.

In addition, the smart cryptographic device is further configured to: after receiving the user authorization request information, transition from a sleep state to an awake state; and generate authorization information in the awake state.

Furthermore, the smart cryptographic device is further configured to enter a scannable state before being scanned by the terminal.

It can be seen from the technical solution provided by the present invention that the terminal of the merchant can obtain the user information corresponding to the smart cryptographic device by first reading the identification information of the smart cryptographic device and then using the identification information of the smart cryptographic device. Therefore, the customer can pay for the product without using a wallet, a credit card, a mobile phone, etc., thereby simplifying the interaction between the customer and the merchant, and improving the user experience.

DRAWINGS

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention, Those of ordinary skill in the art will be able to obtain other figures from these drawings without the inventive effort.

1 is a schematic structural diagram of a data security interaction system provided by the present invention;

2 is a flow chart of a data security interaction method provided by the present invention.

detailed description

The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.

In the description of the present invention, it should be noted that the terms "installation", "connected", and "connected" are to be understood broadly, and may be fixed or detachable, for example, unless otherwise explicitly defined and defined. Connected, or integrally connected; can be mechanical or electrical; can be directly connected, or indirectly connected through an intermediate medium, can be the internal communication of the two components. The specific meaning of the above terms in the present invention can be understood in a specific case by those skilled in the art. Moreover, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.

The embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.

The data security interaction method provided by the present invention is applicable to the system architecture shown in FIG. 1, and includes: a background system server, a terminal, and a smart cryptographic device. among them:

The background system server can complete the management of the smart cryptographic device and the storage and delivery management of the user information, for example, including registration, account cancellation, authentication, authentication, etc. of the smart cryptographic device, which can provide banking related services and payment platform services. Financial services; may include a combination of one or more servers, such as a payment server, an authentication server, and a management server.

The terminal can be a terminal of the merchant terminal, to complete the initiation of the mobile payment, the maintenance of the user information, etc., the terminal can automatically scan the smart password device within the coverage of the signal, and establish a communication connection with the smart password device to obtain the smart password device. Corresponding user information. The terminal (such as a POS machine) of the present invention adds a wireless communication function module, and a dedicated network connection is used between the background and the terminal to ensure security.

The smart cryptographic device has a function of secure payment (for example, electronic signature, dynamic password generation), and the smart cryptographic device has a wireless communication module (for example: Bluetooth, infrared, RFID, NFC, light, sound wave, heat, vibration, WIFI, etc.), The wireless communication module communicates with the terminal. The smart cryptographic device can also include a wired interface (for example, an audio interface, a USB interface, a serial port, etc.), and communicates with the terminal through a wired interface. In addition, the smart password device can also have a connection option function. If the user does not enable the function, the terminal cannot obtain the identification information of the smart password device and the corresponding user information. For example, a smart cryptographic device can enter a state that can be scanned for the terminal to scan to the smart cryptographic device. The connection option function of the smart password device can be implemented for the hardware switch set on the smart password device, or can be implemented by the software for the smart password device.

As shown in FIG. 2, the data security interaction method provided by the present invention includes the following steps 1 to 7.

Step 1: The smart password device registers with the background system server.

The background system server receives the smart password device registration application and audits the smart password device registration application; specifically, the user holding the smart password device can apply for the registration of the smart password device at the bank counter, or can handle the smart through the Internet. After the registration request of the cryptographic device, the background system server receives the registration application and reviews the legality of the identity of the user.

After the auditing of the smart password device registration application, the background system server sends a smart password device key pair generation instruction to the smart password device; specifically, the background system server approves the legality of the user identity, and then agrees to the user's smart password. The device performs registration, and sends a key pair generation instruction to the smart cryptographic device, and is configured to instruct the smart cryptographic device to generate a smart cryptographic device key pair, the smart cryptographic device key pair including a pair of public and private keys.

After receiving the instruction of the smart cryptographic device key pair, the smart cryptographic device generates a smart cryptographic device key pair. Specifically, a smart key device may preset a key pair generation manner, and the smart cryptographic device receives the smart password. After the device key pair generates an instruction, the smart cipher device key pair is generated according to the preset key pair generation manner, that is, a pair of public and private keys are generated.

The smart cryptographic device sends the public key in the smart cryptographic device key pair to the background system server; specifically, the smart cryptographic device can forward the public key in the smart cryptographic device key pair generated by the smart cryptographic device to the background system through the trusted communication link The server sends the key to ensure the security of the public key of the smart cryptographic device. The public key of the smart cryptographic device key pair generated by the server can also be sent to the background system server through the Internet to improve the public key of the smart cryptographic device. Convenience of transmission.

After receiving the public key in the smart cryptographic device key pair, the background system server generates a smart cryptographic device certificate and sends the smart cryptographic device certificate to the smart cryptographic device; specifically, the background system server can use the private key of the background system server to the user. The information and the public key of the smart cryptographic device are calculated to generate a smart cryptographic device certificate; the backend system server may further include a CA server, and the user's information and the public key of the smart cryptographic device are calculated by the private key of the CA server to generate a smart password. The device certificate can also send the user's information and the public key of the smart cryptographic device to the CA. The CA calculates the smart cryptographic device certificate by calculating the user's information and the public key of the smart cryptographic device according to the private key of the CA. The background system server sends the smart password device.

The smart password device stores the smart password device certificate. Specifically, after receiving the smart password device certificate sent by the background system server, the smart password device stores the smart password device certificate in a storage area where the security function is executed. Of course, for different background system servers, the smart cryptographic device can also store different smart cryptographic device certificates sent by different background system servers.

Of course, the terminal can also register with the backend system server.

Step 2: The terminal scans the smart cryptographic device within the signal coverage area, and obtains the identification information of the scanned smart cryptographic device.

Specifically, the terminal may send the query signal (such as the serial number of the terminal) to query the smart cryptographic device within the coverage of a certain wireless signal according to a certain time interval;

The smart cryptographic device listens to the query of the terminal (query scan). After the smart cryptographic device enters the signal coverage of the terminal, the smart cryptographic device sends the identification information of the smart cryptographic device to the terminal, and the terminal scans the identification information of the smart cryptographic device. .

In the following, two methods for implementing terminal scanning to obtain identification information of a smart cryptographic device are provided:

(1) The terminal can use the IAC (Inquiry Access Code) to query the smart cryptographic device within the coverage of a certain wireless signal;

The smart cryptographic device listens (query scans) the query of the terminal, and sends the address and clock information of the smart cryptographic device to the terminal after the smart cryptographic device enters the signal coverage of the terminal;

The smart cryptographic device listens to paging information from the terminal and performs paging scanning;

The terminal pages the smart cryptographic device that has been queried;

After receiving the paging information, the smart cryptographic device sends a DAC (Device Access Code) of the smart cryptographic device to the terminal.

(2) The terminal sends an inquiry signal to query a smart cryptographic device within a certain wireless signal coverage range;

The smart cryptographic device listens (query scans) the query signal of the terminal, and sends the address of the smart cryptographic device to the terminal after the smart cryptographic device enters the signal coverage of the terminal.

Of course, the present invention only uses the above two examples to describe how the terminal obtains the identification information of the smart cryptographic device, but the present invention is not limited thereto. Based on the above two methods for obtaining the identification information of the smart cryptographic device, the smart cryptographic device may receive When any information is sent to the terminal, the information sent by the terminal can be used as a sleep wake-up signal, and the smart cryptographic device switches the sleep state to the awake state (ie, the normal working mode) according to the sleep wake-up signal. At the same time, the smart cryptographic device can automatically reply to the sleep state after any command execution ends. The smart cryptographic device enters a sleep state to save power of the smart cryptographic device and prolong its service life.

Before the terminal scans the smart password device, the smart password device also needs to enter a state that can be scanned, so that the terminal can scan the smart password device, wherein the smart password device enters the scanable state and can pass the smart password device. The set hardware switch is enabled, and can also be implemented by the smart password device software.

Step 3: The background system server authenticates the smart cryptographic device.

The terminal generates the first to-be-signed information. Specifically, the terminal may generate the random number as the first to-be-signed information by using the random number generator, or may use its own serial number, MAC address, or other identification information as the first to-be-signed information. The information may also be a combination of a random number and identification information as the first to-be-signed information. The information that can be signed by the smart cryptographic device can be used as the first to-be-signed information, so that the smart cryptographic device returns the signature information and sends the information to the background system server, so that the background system server authenticates the smart cryptographic device. The random number can be one of a combination of numbers, letters, special characters, or the like.

The terminal sends the first to-be-signed information and the authentication command to the smart cryptographic device; specifically, the terminal may send the first to-be-signed information and the authentication command to the smart cryptographic device through the wireless communication link, so as to ensure the convenience of the information transmission; The first to-be-signed information and the authentication instruction may be sent to the smart cryptographic device through a wired interface to improve the security of the information transmission.

After receiving the first to-be-signed information and the authentication command, the smart cryptographic device performs signature calculation on the first to-be-signed information by using the private key of the smart cryptographic device to obtain the first signature information;

In addition, after receiving the first to-be-signed information and the authentication command, the smart cryptographic device performs the signature calculation on the first signature information by using the private key of the smart cryptographic device to obtain the first signature information, and the smart cryptographic device may also be in the step of obtaining the first signature information. After receiving the first to-be-signed information and the authentication command, the dormant state is switched to the awake state; the smart cryptographic device performs signature calculation on the first to-be-signed information by using the private key of the smart cryptographic device in the awake state to obtain the first signature information. The sleep state is changed to the awake state to complete the normal work, and after the smart cryptographic device completes the work, it is switched to the sleep state again to reduce the power loss and prolong the service life.

The smart cryptographic device sends the first signature information and the smart cryptographic device certificate to the terminal;

After receiving the first signature information and the smart cryptographic device certificate, the terminal sends the authentication request information, the identification information of the smart cryptographic device, the first to-be-signed information, the first signature information, and the smart cryptographic device certificate to the background system server. Specifically, in this step, the terminal only plays the role of data forwarding, and improves data transmission efficiency.

After receiving the authentication request information, the identification information of the smart cryptographic device, the first to-be-signed information, the first signature information, and the smart cryptographic device certificate, the background system server verifies whether the smart cryptographic device certificate is verified by using the root certificate corresponding to the pre-stored smart cryptographic device certificate. Specifically, the background system server also obtains the root certificate corresponding to the smart password device certificate, so as to verify the legality of the smart password device.

In order to ensure the security of the data interaction and the legality of the smart cryptographic device, the background system server also determines the authentication request information, the identification information of the smart cryptographic device, the first to-be-signed information, the first signature information, and the smart cryptographic device certificate. Whether the identification information of the smart cryptographic device is included in the abnormal list of the smart cryptographic device pre-stored in the background system server; the background system server obtains the instruction to lock the smart cryptographic device after determining that the identification information of the smart cryptographic device is in the abnormal list of the smart cryptographic device, And using the private key of the background system server to sign the locked smart password device instruction to obtain the second signature information, and sending the locked smart password device instruction and the second signature information to the smart password device through the terminal; the smart password device receives the locked smart password After the device instruction and the second signature information, the second signature information is verified by using the public key in the pre-stored background system server certificate; after verifying that the second signature information is passed, the smart cryptographic device performs a locking operation according to the instruction of the locked smart cryptographic device.

Specifically, the smart password device abnormal list may be a blacklist, a loss list, an invalidation list, or the like, which is an illegal list of the smart password device identity; if the smart password device identification information is in the smart password device abnormal list, the smart password device is specified. It is an illegal smart password device. At this time, in order to ensure security, the background system server sends a lock instruction to the illegal smart password device through the terminal to lock the illegal smart password device, and the background system server also signs the lock command. To ensure the legal source of the lock instruction, to avoid malicious operations that illegally lock the smart password device.

Of course, the present invention is not limited to this, and for practical applications, as long as the illegal smart cryptographic device can be legally locked.

In addition, the background system server may not sign the lock instruction and only send the lock command to the illegal terminal to lock the illegal terminal.

The smart cryptographic device may perform the locking operation according to the instruction of the locked smart cryptographic device, and may include any manner in which the smart cryptographic device refuses to execute any request, destroys the certificate stored by itself, and the like.

Of course, the background system server can also perform any request to reject the illegal smart cryptographic device after sending the lock instruction.

It can be seen that when the user loses the smart password device, the background system server can report the loss, and the background system server registers the device identification code of the smart password device on the loss list; or the account abnormality is reported, etc., the background system server These smart cryptographic devices are also registered in the blacklist. Devices in these exception lists are registered as exception devices on the exception list. Before each transaction, the background system server authenticates the smart password device. During the authentication process, the device identifier is compared with the abnormal list. If the smart password device is locked on the list. Applying this method, if someone steals another person's smart password device and attempts to illegally use the smart password device to transfer funds to steal user funds, the background system server can remotely authenticate the smart password device before each transaction. The smart password device is locked, so that even if the smart password device is illegally stolen by others, the user account can be protected from loss.

After verifying that the smart cryptographic device certificate is legal, the background system server verifies the first signature information by using the public key of the smart cryptographic device;

After verifying that the first signature information is passed, the background system server completes the authentication of the smart cryptographic device. Specifically, after verifying that the first signature information is passed, the background system server may also generate an authentication completion message and send it to the terminal to notify the terminal. The certification is completed.

The authentication of the smart cryptographic device by the background system server can ensure the legality of the smart cryptographic device and improve the security of subsequent processing. At the same time, it can prevent phishing risks, prevent transaction risks such as tampering, remote hijacking and man-in-the-middle attacks, thus effectively protecting the security of smart cryptographic device holders.

Step 4: The terminal obtains user information.

Specifically, in this step, the terminal obtains the user information corresponding to the smart cryptographic device according to the information of the scanned smart cryptographic device (for example, the user's photo, name, account, and the like), which may be, but not limited to, the following manner. Obtain the user information corresponding to the smart password device:

Method 1: The terminal obtains user information corresponding to the smart password device from the background system server:

The terminal sends the identification information of the smart cryptographic device and the user information read request to the background system server; specifically, when the terminal sends the identification information of the smart cryptographic device and the user information read request to the background system server, the terminal may directly send the request to the background system server. Identification information of the smart cryptographic device and a user information read request.

After receiving the identification information of the smart cryptographic device and the user information reading request, the background system server obtains the user information corresponding to the smart cryptographic device according to the identification information of the smart cryptographic device; specifically, the background system server prestores each registered smart device. The user information corresponding to the cryptographic device is used to obtain the user information corresponding to the smart cryptographic device according to the received identification information of the smart cryptographic device.

In addition, in order to ensure the security of the user information, the background system server also needs to authorize the smart password device holder to send the user information corresponding to the smart password device to the terminal. The background system server sends the user authorization request information to the smart cryptographic device through the terminal (for example, the user authorization request information may be a random number); after receiving the user authorization request information, the smart cryptographic device generates authorization information (for example, the authorization information may be And the information obtained by signing the random number), and sending the authorization information to the background system server by the terminal; and after the background system server receives the authorization information, performing the step of the background system server transmitting the response information of the user information read request to the terminal. Of course, the background system server can also use the private key of the background system server to sign the user authorization request information, and then send the information to the smart cryptographic device through the terminal. After receiving the signed information, the smart cryptographic device verifies the signature, and after the verification is passed. The user authorization request information is considered to be from a legitimate background system server, and the request is confirmed to authorize the background system server; the smart cryptographic device can also use the private key of the smart cryptographic device to sign the authorization information and then send it to the background through the terminal. After receiving the signed information, the system server verifies the signature. After the verification is passed, the authorization information is considered to be from the correct smart password device to perform subsequent operations according to the authorization information. The above is only a few ways for the background system server to request authorization from the smart cryptographic device. The present invention is not limited thereto, and the above various combinations of variants should also fall within the protection scope of the present invention.

Of course, after the smart cryptographic device receives the user authorization request information, it can also be converted from the sleep state to Wake-up state; the smart cryptographic device generates authorization information in the awake state. In order to save energy and extend the life of smart password devices.

The background system server obtains the response information of the user information read request according to the user information, and sends the response information of the user information read request to the terminal;

After receiving the response information of the user information read request, the terminal obtains the user information according to the response information of the user information read request.

Manner 2: The terminal obtains user information corresponding to the smart password device from the smart password device:

The terminal sends a user information read request to the smart cryptographic device;

The smart cryptographic device obtains pre-stored user information, and obtains response information of the user information read request according to the user information, and sends response information of the user information read request to the terminal;

In addition, if the holder of the smart cryptographic device refuses to send the user information, the refusal information may be sent to the terminal through a button set on the smart cryptographic device or through software control to ensure the security of the user information.

Manner 3: The background system server sends the user information corresponding to the smart cryptographic device to the smart cryptographic device directly through the terminal while completing the authentication:

When the background system server completes the authentication of the smart cryptographic device, the background system server also sends the user information corresponding to the smart cryptographic device to the terminal; specifically, the background system server may also send the authentication to the terminal after completing the authentication of the smart cryptographic device. The completion message is sent to the terminal system server to authenticate the smart cryptographic device. When the background system server sends the authentication completion message to the terminal, the pre-stored user information corresponding to the smart cryptographic device can be obtained according to the identification information of the smart cryptographic device. Send the user information corresponding to the smart password device to the terminal.

The terminal obtains the user information corresponding to the smart cryptographic device, that is, the terminal directly obtains the user information corresponding to the smart cryptographic device from the information sent by the background system server.

The terminal stores the user information in the pre-established current user list. Specifically, the detected smart password device is constantly changing due to the change of the passenger flow in the store where the terminal is located and the flow of the personnel. At this time, the current user list may be Update by, but not limited to, the following:

Update method one:

The terminal obtains identification information of all the smart cryptographic devices within the signal coverage of the terminal, and generates a real-time identification list;

The terminal compares the identification information of the smart cryptographic device in the real-time identification list with the identification information of the smart cryptographic device in the current user list according to a preset time interval;

If the identification information of the smart cryptographic device in the real-time identification list is not in the current user list, the step of obtaining the user information corresponding to the smart cryptographic device according to the identification information of the scanned smart cryptographic device; and if the current user list is intelligent If the identification information of the cryptographic device is not in the real-time identification list, the user information of the smart cryptographic device that is not in the real-time identification list in the current user list is deleted.

The current user list is updated in this manner to ensure that the user information corresponding to the smart cryptographic device in the coverage of the terminal signal can be updated to the current user list in time, and the user information corresponding to the smart cryptographic device within the coverage of the terminal signal is removed. It can be deleted from the current user list in time to ensure security.

Update method 2:

If the identification information of the smart cryptographic device in the real-time identification list is not in the current user list, the step of obtaining the user information corresponding to the smart cryptographic device according to the identification information of the scanned smart cryptographic device is performed, and after the terminal obtains the user information, The user information is stored in the real-time identification list; and if the identification information of the smart cryptographic device in the real-time identification list is in the current user list, the user information of the smart cryptographic device in the current user list is stored in the real-time identification list;

The real-time identification list is taken as the updated current user list.

By updating the current user list in this manner, only the user information corresponding to the smart cryptographic device within the signal coverage of the terminal can be updated in time to improve the update efficiency. With this method, when acquiring the user information, the terminal can copy the user information corresponding to the original smart password device in the store directly from the original current user list to the real-time identification list, and the user information corresponding to the customer of the newly entered store can pass. A user information read request is obtained from the background system server or the smart cryptographic device to obtain.

It can be seen that when the traffic of the store where the terminal is located does not require any operation by the merchant, the current user list can be automatically updated, which facilitates the management and maintenance of the information of the merchant's store staff.

In addition, the terminal may display the user information corresponding to the user in the stored current user list, so that the holder of the smart password device can view the user information to ensure the correctness of the transaction.

In the prior art, the transaction process requires a device with an account storage function such as a SIM card or a smart card, and the user needs to perform operations such as swiping the mobile phone, so that the merchant can obtain the account information of the user.

Different from the prior art, the terminal of the merchant can obtain the user information corresponding to the smart cryptographic device by first reading the identification information of the smart cryptographic device and then using the identification information of the smart cryptographic device. Therefore, customers can use the wallet without Credit card, mobile phone, etc. to pay for goods, which simplifies the interaction between the customer and the merchant, and enhances the user experience.

Step 5: Transaction information processing.

The terminal generates transaction information according to the user information corresponding to the smart cryptographic device to be traded, and obtains the transaction request information according to the transaction information; specifically, the transaction information may include information such as the transaction amount, the account information of both parties of the payment and payment, and the identification information of both parties of the payment and payment. The transaction information may also include an electronic statement, and the user may review the transaction details according to the electronic statement, such as the specific transaction time, the transaction number, the transaction amount, the purchased item, and the like.

The terminal sends the transaction request information to the smart cryptographic device. Specifically, the terminal may send the transaction request information by using, but not limited to, the following: the terminal encodes the transaction request information and sends the signal through the sound wave; or the terminal performs graphic coding on the transaction request information. Displayed for the smart cryptographic device to perform image acquisition; or the terminal transmits the transaction request information through a communication interface that the terminal matches with the smart cryptographic device.

After receiving the transaction request information, the smart cryptographic device obtains the transaction information according to the transaction request information;

In order to save the power of the smart cryptographic device and prolong the service life, the smart cryptographic device can also switch from the sleep state to the awake state after receiving the transaction request information; the smart cryptographic device obtains the transaction information according to the transaction request information in the awake state.

The smart password device prompts the transaction information; specifically, the smart password device can display the transaction information through the display screen, and can also play the transaction information in a voice manner through a speaker or the like. Of course, the smart cryptographic device can also prompt the user to know the real transaction information by other means to ensure the security of the transaction. In addition, after the smart cryptographic device obtains the transaction information, the key information can be extracted from the transaction information, and the smart cryptographic device only prompts the key information. For the specific prompting manner, refer to the prompting manner of the smart cryptographic device for the transaction information.

The smart cryptographic device receives the confirmation command and generates the transaction confirmation information; specifically, the smart cryptographic device can receive the confirmation command by detecting the information sent when the confirmation button set on the smart cryptographic device is pressed, or can detect the touch screen by detecting The information confirmation confirmation command sent when the virtual confirmation key is displayed is clicked, and the biometric information such as the detected voice, fingerprint, and iris may be used as a confirmation command or the like. Further, the smart cryptographic device may generate the transaction confirmation information by, but not limited to, the smart cryptographic device signing the transaction information by using the private key of the smart cryptographic device, generating the transaction signature information as the transaction confirmation information; or generating the dynamic password as the smart cryptographic device. Transaction confirmation information. Of course, in order to prevent duplicate transactions and ensure the security of the user's account, each time the smart cryptographic device generates the transaction confirmation information, the smart cryptographic device also generates a single transaction identifier, and uses the private key of the smart cryptographic device to transaction information and a single transaction. The identifier is signed, the transaction signature information is generated as the transaction confirmation information; or the smart cryptographic device generates a single transaction identifier, and the single transaction identifier is signed by the private key of the smart cryptographic device to obtain the signature information of the single transaction identifier, and the dynamic password is generated. The signature information of the single transaction identifier and the dynamic password are used as transaction confirmation information to ensure that one transaction is successfully executed only once, and the single transaction identifier may be a random number or the like. Due to The transmission line of the wireless network is unstable, and the smart password device may not receive the receipt. If the single transaction identifier is not set, the terminal may need to hold the user of the smart password device when the signature information of the smart password device is not received. The verification signature operation is performed multiple times, that is, the smart cryptographic device sends the signature information to the terminal multiple times, so that the terminal may use the multiple signature values to generate multiple transaction data packets and send them to the background system server, thereby The corresponding account is repeatedly debited. If a single transaction identifier is set, when the line is unstable, the smart cryptographic device will continue to sign the transaction information and the same single transaction identifier and then send it to the terminal until the transaction success receipt information is received. The terminal generates a transaction data packet by using the signature sent by the smart cryptographic device, and the background system server receives the transaction data packet to determine the single transaction identifier inside, if the single transaction identifier has been saved in the transaction log, that is, already After the transaction is over, the transaction data packet will not be processed again, and no multiple or repeated debits will be incurred, thus protecting the account funds of the smart password device user.

The terminal receives the transaction confirmation information. Specifically, the terminal may receive the transaction confirmation information by using, but not limited to, the following manner: the terminal receives the sound wave signal sent by the smart password device and decodes the sound wave signal to obtain the transaction confirmation information (for example, the sound wave identification device may be used. The sound wave signal is recognized, the sound wave signal is decoded by the sound wave decoder to obtain the transaction confirmation information); or the terminal collects the image information displayed by the smart password device and decodes the image information (for example, the two-dimensional code, the barcode, etc.) to obtain the transaction confirmation information. (For example, the image acquisition device is used to collect the image information, and the decoder is used to decode the image information to obtain the transaction confirmation information); or the terminal receives the transaction confirmation information through the communication interface matched by the terminal and the smart cryptographic device; or the terminal inputs through the terminal. The information is obtained by confirming the transaction.

The terminal obtains the transaction data packet according to the transaction confirmation information, and sends the transaction data packet to the background system server; specifically, the transaction data package may also include other information such as transaction information. The transaction information may include information such as the transaction amount, the account information of the parties to the payment, and the identification information of both parties. The transaction information may also include an electronic statement, and the user may review the transaction details according to the electronic statement, for example, the specific transaction time, the transaction. Single number, transaction amount, purchased items, etc.

After receiving the transaction data packet, the background system server obtains the transaction confirmation information according to the transaction data packet;

The background system server verifies the transaction confirmation information, and executes the transaction after the verification is passed; specifically, the background system server only confirms that the transaction has been verified by the legal smart password device after verifying that the transaction confirmation information is verified, and The transaction is executed based on the confirmed result. Of course, in order to ensure that the holder of the smart cryptographic device knows that the transaction has been completed, the background system server may also send the transaction success receipt information to the smart cryptographic device through the terminal; after receiving the transaction success receipt information, the smart cryptographic device prompts the transaction success receipt information. The transaction success receipt information may also include an electronic statement, and the user may review the transaction details according to the electronic statement, such as the specific transaction time, the transaction number, the transaction amount, the purchased item, and the like. The background system server may also send a transaction success receipt information to the terminal, so that the terminal knows that the transaction is completed. The transaction success receipt information can also be the background system server using the background system service. After the private key of the server is signed, it is sent to the smart cryptographic device through the terminal, and the smart cryptographic device prompts the user to know after signing the signed information.

Step 6: Refund.

When a customer needs a refund, they can perform but are not limited to the following ways to achieve a refund:

Method 1: The terminal sends the refund information to the smart password device; specifically, the refund information may include: any combination of the account number of the refund, the refund amount, the refund transaction ticket number, and the identification information of both parties of the refund, and the refund The information can also include an electronic statement, and the user can review the refund details based on the electronic statement, such as the specific refund time, the refund transaction number, the refund amount, and the returned item. The terminal may also send the refund information by, but not limited to, the following: the terminal encodes the refund information and sends the sound signal through the sound wave signal; or the terminal graphically encodes the refund information and displays it for the smart password device to perform image collection; or the terminal passes The communication interface that the terminal matches with the smart cryptographic device sends a refund information.

After receiving the refund information, the smart password device prompts the refund information; specifically, after receiving the refund information, the smart password device prompts the user to know the refund information by any means such as voice play or display display, so that The user determines that the refund information is a true refund information.

In order to save the power of the smart cryptographic device and prolong the service life, the smart cryptographic device can also switch from the sleep state to the awake state after receiving the refund information; the smart cryptographic device prompts the refund information in the awake state.

The smart cryptographic device receives the refund confirmation instruction and signs the refund information by using the private key of the smart cryptographic device to generate a refund confirmation information; specifically, the user passes the smart after determining that the refund information is true refund information. Confirm the physical button or virtual button set on the password device. After the smart cryptographic device sends the refund confirmation information to the terminal (for example, after transmitting the sound wave signal corresponding to the refund confirmation information, or after displaying the image information corresponding to the refund confirmation information for a predetermined time), the awake state is changed to the sleep state. .

The terminal receives the refund confirmation information and sends the refund confirmation information to the background system server. Specifically, the terminal may receive the refund confirmation information by, but not limited to, receiving the sound wave signal sent by the smart password device and decoding the sound wave signal. Refund confirmation information (for example, the sound wave identification device can be used to identify the sound wave signal, the sound wave signal is decoded by the sound wave decoder to obtain the refund confirmation information); or the terminal collects the image information displayed by the smart cryptographic device and the image information (for example) , QR code, barcode, etc.) to obtain the refund confirmation information (for example, the image acquisition device is used to collect the image information, and the decoder is used to decode the image information to obtain the refund confirmation information); or the terminal passes the terminal and the smart password. The device-matched communication interface receives the refund confirmation message. At the same time, the terminal can send a refund confirmation message to the backend system server through a secure private network.

After receiving the refund confirmation information, the background system server verifies the refund confirmation information and performs a refund operation after the verification is passed.

The following provides an application scenario for refund, but the present invention is not limited to this:

The store generates refund information according to the customer's refund intention (the refund information may be obtained by searching for the recorded transaction information, or may be a regenerated refund information or other forms of refund information);

After receiving the refund information, the smart cryptographic device changes from the sleep state to the awake state, and displays the refund information for the customer to confirm;

The customer confirms that the refund information is correct. Press the confirmation button on the smart password device to confirm. After receiving the refund confirmation command, the smart password device signs the refund information with the private key of the smart password device to obtain the refund confirmation information. And send a refund confirmation message to the terminal;

After receiving the refund confirmation information, the terminal sends the refund confirmation information to the background system server;

After receiving the refund confirmation information, the background system server verifies the refund confirmation information by using the public key of the smart password device. After the verification is passed, the refund operation is performed, and the refund success receipt information is sent to the terminal and/or the smart password. device.

Mode 2: The difference between the second mode and the first mode is that before the terminal sends the refund information to the smart cryptographic device, the terminal further receives the refund request sent by the smart cryptographic device, and generates the refund information according to the refund request. Specifically, the customer can generate a refund request by pressing a button on the smart password device, and the smart password device sends the refund request to the terminal after receiving the refund request. The refund information can also include an electronic statement, and the user can review the refund details based on the electronic statement, such as the specific refund time, the refund transaction number, the refund amount, and the returned item. Of course, any implementation that can trigger a smart cryptographic device to generate a refund request is within the scope of the present invention.

In order to save the power of the smart cryptographic device and prolong the service life, the smart cryptographic device can also switch from the sleep state to the awake state before sending the refund request to the terminal; the smart cryptographic device sends a refund request to the terminal in the awake state. After the smart cryptographic device sends a refund request, it transitions from the awake state to the sleep state. When the smart cryptographic device receives the refund information sent by the terminal, it changes from the sleep state to the awake state, and performs an operation of prompting the refund information and generating the refund confirmation information in the awake state. After the smart cryptographic device sends the refund confirmation information to the terminal (for example, after transmitting the sound wave signal corresponding to the refund confirmation information, or after displaying the image information corresponding to the refund confirmation information for a predetermined time), the awake state is changed to the sleep state. .

Method 3: The smart password device sends a refund request to the terminal; specifically, the customer can generate a refund request by pressing a button on the smart password device, and the smart password device sends the refund request after receiving the refund request. Give the terminal. Of course, any implementation that can trigger a smart cryptographic device to generate a refund request is within the scope of the present invention.

In order to save the power of the smart cryptographic device and prolong the service life, the smart cryptographic device can also switch from the sleep state to the awake state before sending the refund request to the terminal; the smart cryptographic device sends the awake state to the terminal. Refund request.

The terminal generates a refund request identifier, and sends a refund request identifier to the smart password device. Specifically, the terminal may generate a random number, and the random number is used as a refund request identifier, and the random number is configured to be provided to the smart password device to generate a refund. Information.

After receiving the refund request identifier, the smart password device generates a refund information, and uses the private key of the smart password device to sign the refund information, obtains the refund confirmation information, and sends a refund confirmation information to the terminal; specific, intelligent The password device generates the refund information by using the refund request identifier, the refund amount, the refund account and the like, and the refund information may further include any combination of the refund transaction ticket number and the identification information of both parties of the refund; The amount can be input through the keys on the smart password device. Of course, it can also be input by other means (for example, voice input). The refund account can be input through the keys on the smart password device, and can also be pre-stored in the smart by reading. The refund account in the password device is input; of course, the transaction information can be saved on the smart password device after the transaction is completed, and the transaction information can be queried to obtain the refund amount and the refund account. The smart cryptographic device may also send the refund information by, but not limited to, the following: the smart cryptographic device encodes the refund information and transmits the sound signal; or the smart cryptographic device graphically encodes the refund information and displays it for the terminal to perform image collection. Or the smart cryptographic device sends a refund message via the communication interface that the smart cryptographic device matches the terminal.

In order to save the power of the smart cryptographic device and prolong the service life, the smart cryptographic device can also send the refund confirmation information to the terminal (for example, after transmitting the sound wave signal corresponding to the refund confirmation information, or displaying the image information corresponding to the refund confirmation information) After the predetermined time has elapsed, the state transitions from the awake state to the sleep state.

The terminal receives the refund confirmation information and sends the refund confirmation information to the background system server. Specifically, the terminal may receive the refund confirmation information by, but not limited to, receiving the sound wave signal sent by the smart password device and decoding the sound wave signal. Refund confirmation information (for example, the sound wave identification device can be used to identify the sound wave signal, the sound wave signal is decoded by the sound wave decoder to obtain the refund confirmation information); or the terminal collects the image information displayed by the smart cryptographic device and the image information (for example) , QR code, barcode, etc.) to obtain the refund confirmation information (for example, the image acquisition device is used to collect the image information, and the decoder is used to decode the image information to obtain the refund confirmation information); or the terminal passes the terminal and the smart password. The device-matched communication interface receives the refund confirmation message. In addition, the terminal sends a refund confirmation message to the backend system server through a private network.

After receiving the refund confirmation information, the background system server verifies the refund confirmation information and performs a refund operation after the verification is passed. Specifically, the background system server verifies the refund confirmation information by using the public key of the smart cryptographic device.

The following provides a refund application scenario for mode 3, but the present invention is not limited to this:

The smart cryptographic device is switched from a sleep state to an awake state; for example, it can be held by the smart cryptographic device. The guest's key operation causes the smart cryptographic device to enter an awake state;

The customer can generate a refund request by pressing a button on the smart password device, and the smart password device sends the refund request to the terminal after receiving the refund request;

The terminal may generate a random number R, and the random number is R as a refund request identifier, and send a refund request identifier to the smart password device;

The smart password device generates the refund information, and uses the private key of the smart password device to sign the refund information, obtain the refund confirmation information, and send the refund confirmation information to the terminal; wherein the refund information includes at least: a refund request Information such as identification, refund amount, refund account, etc., wherein the refund amount, refund account and other information can be input by the customer through the button on the smart password device, or the refund amount can be passed by the customer through the button on the smart password device Input, refund account is read from the information pre-stored by the smart password device, or the refund amount, refund account and other information can be read from the information pre-stored by the smart password device;

After receiving the refund confirmation information, the terminal sends a refund confirmation message to the background system server;

In the above three refund methods, the refund confirmation information may also include a single refund identifier, and the single refund identifier may be a random number to ensure that one refund is successfully executed only once. Of course, the single refund identifier may be generated by the terminal or generated by the smart password device, and may be signed by the smart password device in the refund confirmation information.

Of course, after performing the refund operation, the background system server may also send a refund success receipt information to the terminal and/or the smart password device, so that the store and/or the customer can know that the refund is successful.

It can be seen that through the above refund process, the operation of the customer in the refund process can be greatly simplified, and the security function related to the application of the smart password device can ensure the security of the customer refund process and bring a seamless use experience to the consumer.

Step 7: Sell out.

Including the cancellation of the terminal and the cancellation of the smart password device, the following only describes the account of the smart password device:

The smart password device obtains the smart password device account cancellation application, uses the private key of the smart password device to sign the account cancellation application to obtain the third signature information, and sends the smart password device account cancellation application and the third signature information to the background system server; The third signature information may be sent by the terminal or manually.

After receiving the smart PIN device account cancellation application and the third signature information, the background system server verifies the third signature information by using the public key in the pre-stored smart cryptographic device certificate.

After verifying that the third signature information is passed, the background system server deletes the pre-stored smart password device certificate, generates a smart password device account completion information, and sends the smart password device to the smart password device to complete the information; specifically, When the back-end system server performs the account cancellation, in addition to deleting the pre-stored smart password device certificate, the information corresponding to the smart password device can be placed in the default account list of the back-end system server and other other account operations.

After receiving the information about the completion of the smart cryptographic device, the smart cryptographic device deletes the private key of the smart cryptographic device. Specifically, the smart cryptographic device can perform the verification operation on the signature information, and after the verification is passed, perform the deletion operation.

The back-end system server ensures the legality of the smart password device by managing the registration, account cancellation, authentication and locking of the smart password device, and prevents the property loss caused by the illegal use of the smart password device.

It should be noted that the above steps 1 to 7 are not performed in sequence, and only a few of them may be completed. In addition, the above steps 1 to 7 are not limited to the same application scenario, regardless of the application scenario. It is within the scope of the present invention to use any of the steps of the present invention and to perform the transaction safely.

Hereinafter, an exemplary application scenario of the present invention is given:

In this application scenario, a wireless communication module is integrated on the smart cryptographic device, and the state control module forms a novel smart cryptographic device configurable as a secure payment of the present invention. The smart cryptographic device includes a wireless communication module, which may be a Bluetooth communication module or a WIFI communication module, etc., and the wireless communication module may perform inquiry scanning and page scanning on other devices, and may perform signal and data interaction with other wireless devices. At the same time, the smart cryptographic device further includes a state control module, which can control the working state of the wireless communication module of the smart cryptographic device and the host. Moreover, the smart cryptographic device of the present invention has two states: a sleep state and an awake state. In the sleep state, only the transceiver (wireless communication module) and the state control module are in operation, the CPU is turned off, and the instruction operation cannot be performed (for example, signature, Receiving and transmitting data, etc., so that the smart cryptographic device is in a low power state. When other wireless devices send the smart cryptographic device application command from the outside, the state control module can identify these signals, generate a wake-up signal, wake up the CPU to the awake state, and start executing the application command. When the command is executed, the CPU will go to sleep again.

In the following, a brief description of the complete transaction process of the present invention is provided:

The smart cryptographic device is in a dormant state, and the user enters the wireless signal coverage of the terminal with the smart cryptographic device, and the smart cryptographic device and the terminal complete the interactive identification of the wireless device, that is, the terminal can know that the smart cryptographic device enters the store where the terminal is located and A smart cryptographic device establishes a connection.

After the terminal establishes a connection with the smart cryptographic device, the terminal sends a request for the authentication device to the smart cryptographic device. When the smart cryptographic device receives the request, the state control module sends a wakeup signal, and the CPU is woken up, and the smart cryptographic device enters the wakeup. Status and perform the appropriate action.

After completing the corresponding instruction, the smart cryptographic device returns to the sleep state, and continues to maintain the device interaction identification with the terminal, so that the terminal can determine whether the holder of the smart cryptographic device leaves the store.

The terminal proposes to read the user information to the background system server, and the background system server proposes to input the user authorization information, and the terminal sends a user authorization request to the smart password device.

The smart cryptographic device in the sleep state receives the user authorization request sent from the terminal, and enters the awake state. The smart cryptographic device will display the request from the terminal, prompting the user to judge whether it is authorized.

The user determines whether to authorize according to the request sent by the displayed terminal. If authorized, press the confirmation button on the smart password device to cause the smart password device to generate authorization information and send it to the terminal, and then enter the sleep state. Otherwise, the smart password device ends execution. Command, go directly to sleep state.

At the time of settlement, the terminal sends a user transaction confirmation request command to the sleepy smart cryptographic device, and the smart cryptographic device in the sleep state receives the command to enter the awake state, and the smart cryptographic device displays the received transaction information, and the user confirms. If the transaction information is correct, press the enter key to cause the smart password device to sign the transaction information and return it to the terminal; otherwise, the execution operation is completed and the smart password device goes to sleep.

In the following, another application scenario of the present invention is given:

The terminal establishes a current user list on the local server, where the current user list can be used to store user information corresponding to the smart password device held by the customer in the current store;

The terminal local server monitors the smart cryptographic device in the wireless signal coverage of the terminal by using a wireless method (for example, using a wireless detecting device);

The customer carries a smart cryptographic device with wireless communication function (sleeping state) to shop, and when the customer enters the wireless signal coverage of the terminal, the smart cryptographic device can be searched by the terminal and establish a wireless connection with the terminal;

The terminal sends the random number R1 to the smart cryptographic device, and sends an authentication command to the smart cryptographic device;

The smart cryptographic device in the dormant state is woken up after receiving the authentication command sent by the terminal, and enters the awake state;

The smart cryptographic device summarizes R1 and encrypts the digest with its private key to generate a signature S, and sends the signature value S and the smart cryptographic device certificate to the terminal;

After receiving the signature S and the smart password device certificate sent by the smart cryptographic device, the terminal sends the signature S, the smart cryptographic device certificate, the previously generated random number R1, and the obtained identification information of the smart cryptographic device to the background system server;

The background system server verifies the legality of the smart password device certificate by using the root certificate corresponding to the smart password device certificate; if the verification fails, the process ends;

If the verification is passed, the background system server verifies the signature S using the public key of the smart cryptographic device; if the verification fails, the process ends;

If the verification succeeds, the background system server authenticates the smart password device, and sends the user information such as the user account to the terminal;

After receiving the user information sent by the background system server, the terminal stores the user information in the current user list.

After the customer has finished shopping, he will settle at the cashier's office;

The terminal settles the amount, and selects an account corresponding to the smart password device held by the customer in the current user list;

The terminal generates transaction information by using any combination of the purchased goods, the transaction amount, the account of the payment and payment parties, and the identification information of the payment and payment parties, and sends the transaction information to the smart cryptographic device;

After receiving the transaction information, the smart cryptographic device transfers to the awake state, and displays the transaction information on the screen, waiting for the user to confirm;

The customer confirms the transaction information, if there is a problem, press cancel, the transaction is aborted, and the smart password device goes to sleep state;

If the user confirms that the transaction information is correct, press the confirmation button set on the smart password device, and the smart password device generates a random number as a single transaction identifier, so that the smart password device signs the transaction information and the single transaction identifier;

The smart cryptographic device sends the signature information to the terminal, and the terminal sends the transfer request and the signature information to the background system server;

After receiving the transfer request and the signature information, the background system server verifies the signature, and after the verification signature is passed, completes the transfer, and sends the payment completion information to the terminal successfully. Of course, the background system server may also send the payment completion information through the terminal. Give the smart password device so that the customer knows that the transaction is complete;

The terminal receives the payment completion information, delivers the goods to the customer, and the settlement is completed.

The smart password device is authenticated by the background system server. When the smart password device is trusted, the smart password device is used to manually confirm the displayed information during the transaction, and the transaction security of the smart password device holder is also ensured.

Based on the data security interaction method provided by the present invention, when a customer enters a store to conduct a transaction, the payment does not need to be completed with a related account carrier device such as a mobile phone, a bank card or a financial IC card, and the payment process of the original technology requires a SIM card or a smart card. For devices with account storage, users also need to perform operations such as swiping and swiping the phone to complete the transaction. By adopting the method provided by the invention, the customer can complete the payment without using the wallet, the credit card, the mobile phone, etc., thereby simplifying the interaction between the customer and the merchant in the payment process, improving the payment efficiency, and improving the customer in the near field payment process. The experience; while using the security features of smart cryptographic devices to ensure the security of the customer payment process.

After the customer purchases the goods, the terminal does not need to be obtained by allowing the customer to manually swipe or swipe the phone. The user information is because the user information is already stored in the current user list of the terminal when entering the store. When the customer checks out, the customer only needs to report his or her name, and the terminal can directly send the transaction information such as the amount after the settlement to the customer. The smart password device is displayed, at this time, the customer only needs to use the smart password device to confirm and output the transaction confirmation information, the terminal generates the transaction data packet and sends it to the background system server, and the background system server verifies that the transaction data packet is accurate and then transfers the money. Processing, you can complete the payment process.

When the customer leaves the signal coverage of the store, the network connection between the smart cryptographic device and the terminal is automatically interrupted, and the user information disappears from the current user list of the store. If the customer enters another store again, he will automatically enter the current user list of the other store and start another shopping. This eliminates the need for the customer to perform any operations, and only requires the customer to put a small smart password device into the pocket while shopping, and the invention can provide a seamless user experience.

Any process or method description in the flowcharts or otherwise described herein may be understood to represent a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a particular logical function or process. And the scope of the preferred embodiments of the invention includes additional implementations, in which the functions may be performed in a substantially simultaneous manner or in an opposite order depending on the functions involved, in the order shown or discussed. It will be understood by those skilled in the art to which the embodiments of the present invention pertain.

It should be understood that portions of the invention may be implemented in hardware, software, firmware or a combination thereof. In the above-described embodiments, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented by any one or combination of the following techniques well known in the art: having logic gates for implementing logic functions on data signals. Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.

One of ordinary skill in the art can understand that all or part of the steps carried by the method of implementing the above embodiments can be completed by a program to instruct related hardware, and the program can be stored in a computer readable storage medium. When executed, one or a combination of the steps of the method embodiments is included.

In addition, each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module. The above integrated modules can be implemented in the form of hardware or in the form of software functional modules. The integrated modules, if implemented in the form of software functional modules and sold or used as stand-alone products, may also be stored in a computer readable storage medium.

The above mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.

In the description of the present specification, the description with reference to the terms "one embodiment", "some embodiments", "example", "specific example", or "some examples" and the like means a specific feature described in connection with the embodiment or example. A structure, material or feature is included in at least one embodiment or example of the invention. In the present specification, the schematic representation of the above terms does not necessarily mean the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.

Although the embodiments of the present invention have been shown and described, it is understood that the foregoing embodiments are illustrative and not restrictive Variations, modifications, alterations and variations of the above-described embodiments are possible within the scope of the invention. The scope of the invention is defined by the appended claims and their equivalents.

Claims

A data security interaction method, comprising:

The terminal scans the smart cryptographic device within the signal coverage area, and obtains the identification information of the scanned smart cryptographic device;

The background system server obtains the identification information of the smart cryptographic device, and completes the authentication of the smart cryptographic device;

After the background system server completes the authentication of the smart cryptographic device, the terminal acquires user information corresponding to the smart cryptographic device;

The terminal stores the user information in a pre-established current user list.
The method according to claim 1, wherein the background system server obtains the identification information of the smart cryptographic device, and completing the authentication of the smart cryptographic device comprises:

The terminal generates first to-be-signed information;

Transmitting, by the terminal, the first to-be-signed information and an authentication instruction to the smart cryptographic device;

After receiving the first to-be-signed information and the authentication command, the smart cryptographic device performs signature calculation on the first to-be-signed information by using a private key of the smart cryptographic device to obtain first signature information.

The smart cryptographic device sends the first signature information and a smart cryptographic device certificate to the terminal;

After receiving the first signature information and the smart cryptographic device certificate, the terminal sends the authentication request information, the identification information of the smart cryptographic device, the first to-be-signed information, and the first signature information to the background system server. And the smart password device certificate;

After receiving the authentication request information, the identification information of the smart cryptographic device, the first to-be-signed information, the first signature information, and the smart cryptographic device certificate, the background system server uses the pre-stored smart password. The root certificate corresponding to the device certificate verifies whether the smart password device certificate is legal;

After verifying that the smart cryptographic device certificate is legal, the background system server verifies the first signature information by using a public key of the smart cryptographic device;

After the background system server verifies that the first signature information is passed, the background system server completes the authentication of the smart cryptographic device.
The method according to claim 1, wherein the background system server obtains the identification information of the smart cryptographic device, and completing the authentication of the smart cryptographic device comprises:

Sending, by the terminal, identification information of the smart cryptographic device to the background system server;

After receiving the identification information of the smart cryptographic device, the background system server generates the first to-be-signed information. Sending the first to-be-signed information to the terminal;

After receiving the first to-be-signed information, the terminal sends the first to-be-signed information and an authentication command to the smart cryptographic device;

After receiving the first to-be-signed information and the authentication command, the smart cryptographic device performs signature calculation on the first to-be-signed information by using a private key of the smart cryptographic device to obtain first signature information.

The smart cryptographic device sends the first signature information and a smart cryptographic device certificate to the terminal;

After receiving the first signature information and the smart cryptographic device certificate, the terminal sends the authentication request information, the first signature information, and the smart cryptographic device certificate to the background system server;

After receiving the authentication request information, the first signature information, and the smart cryptographic device certificate, the background system server verifies whether the smart cryptographic device certificate is legal by using a root certificate corresponding to the pre-stored smart cryptographic device certificate;

After verifying that the smart cryptographic device certificate is legal, the background system server verifies the first signature information by using a public key of the smart cryptographic device;

After the background system server verifies that the first signature information is passed, the background system server completes the authentication of the smart cryptographic device.
The method according to any one of claims 1 to 3, wherein the acquiring, by the terminal, the user information corresponding to the smart cryptographic device comprises:

Sending, by the terminal, identification information of the smart cryptographic device and a user information read request to the background system server;

After receiving the identification information of the smart cryptographic device and the user information reading request, the background system server obtains user information corresponding to the smart cryptographic device according to the identification information of the smart cryptographic device;

The background system server obtains response information of the user information read request according to the user information, and sends response information of the user information read request to the terminal;

After receiving the response information of the user information read request, the terminal obtains the user information according to the response information of the user information read request.
The method according to any one of claims 1 to 3, wherein the acquiring, by the terminal, the user information corresponding to the smart cryptographic device comprises:

The terminal sends a user information read request to the smart cryptographic device;

The smart cryptographic device obtains pre-stored user information, and obtains response information of the user information read request according to the user information, and sends response information of the user information read request to the terminal;

After receiving the response information of the user information read request, the terminal reads the request according to the user information. The user information is obtained in response to the information.
A method according to any one of claims 1 to 3, characterized in that

The background system server completing the authentication of the smart cryptographic device includes:

Sending, by the background system server, user information corresponding to the smart cryptographic device to the terminal;

The acquiring, by the terminal, the user information corresponding to the smart cryptographic device includes:

The terminal receives user information corresponding to the smart cryptographic device sent by the background system server.
The method according to any one of claims 1 to 6, wherein after the step of scanning the smart cryptographic device within the signal coverage and obtaining the scanned identification information of the smart cryptographic device, the terminal The method also includes:

The terminal obtains identification information of all the smart cryptographic devices within the signal coverage of the terminal, and generates a real-time identification list;

The terminal compares the identifier information of the smart cryptographic device in the real-time identifier list with the identifier information of the smart cryptographic device in the current user list according to a preset time interval;

If the identifier information of the smart cryptographic device in the real-time identities list is not in the current user list, the terminal is configured to acquire the user information corresponding to the smart cryptographic device according to the scanned identifier information of the smart cryptographic device. If the identification information of the smart cryptographic device in the current user list is not in the real-time identifier list, the user information of the smart cryptographic device that is not in the real-time identifier list in the current user list is deleted.
The method according to any one of claims 1 to 6, wherein after the step of scanning the smart cryptographic device within the signal coverage and obtaining the scanned identification information of the smart cryptographic device, the terminal The method also includes:

The terminal obtains identification information of all the smart cryptographic devices within the signal coverage of the terminal, and generates a real-time identification list;

The terminal compares the identifier information of the smart cryptographic device in the real-time identifier list with the identifier information of the smart cryptographic device in the current user list according to a preset time interval;

If the identifier information of the smart cryptographic device in the real-time identities list is not in the current user list, the terminal is configured to acquire the user information corresponding to the smart cryptographic device according to the scanned identifier information of the smart cryptographic device. Step, and after the terminal obtains the user information, storing the user information into the real-time identifier list; and if the identifier information of the smart cryptographic device in the real-time identifier list is in the current user list And storing the user information of the smart cryptographic device in the current user list into the real-time identifier list;

The real-time identification list is taken as the updated current user list.
The method according to any one of claims 2 to 8, wherein the smart cryptographic device receives the location After the first to-be-signed information and the authentication instruction are described, the first signature information is signed and calculated by using the private key of the smart cryptographic device, and obtaining the first signature information includes:

After receiving the first to-be-signed information and the authentication instruction, the smart cryptographic device transitions from a sleep state to an awake state;

The smart cryptographic device performs signature calculation on the first to-be-signed information by using a private key of the smart cryptographic device in an awake state to obtain first signature information.
The method according to any one of claims 1 to 9, wherein after the background system server obtains the identification information of the smart cryptographic device, the method further includes:

Determining, by the background system server, whether the identification information of the smart cryptographic device is included in an abnormal list of smart cryptographic devices pre-stored in the background system server;

After determining, by the background system server, that the identifier information of the smart cryptographic device is in the abnormal list of the smart cryptographic device, acquiring a command for locking the smart cryptographic device, and using the private key pair of the background system server to lock the smart cryptographic device command Performing a signature to obtain second signature information, and transmitting, by the terminal, the locked smart cryptographic device instruction and the second signature information to the smart cryptographic device;

After receiving the locked smart cryptographic device command and the second signature information, the smart cryptographic device verifies the second signature information by using a pre-stored public key in the background system server certificate;

After verifying that the second signature information is passed, the smart cryptographic device performs a locking operation according to the locked smart cryptographic device instruction.
The method according to any one of claims 1 to 10, further comprising:

Receiving, by the background system server, a smart password device registration application, and reviewing the smart password device registration application;

After the background system server verifies that the smart password device registration application is approved, the background system server sends a smart password device key pair generation instruction to the smart password device;

After receiving the smart cryptographic device key pair generation instruction, the smart cryptographic device generates a smart cryptographic device key pair;

Sending, by the smart cryptographic device, the public key in the smart cryptographic device key pair to the background system server;

After receiving the public key in the smart cryptographic device key pair, the background system server generates the smart cryptographic device certificate, and sends the smart cryptographic device certificate to the smart cryptographic device;

The smart cryptographic device stores the smart cryptographic device certificate.
The method of claim 11 wherein

Obtaining, by the smart cryptographic device, a smart cryptographic device account cancellation application, using the private key of the smart cryptographic device The account cancellation application obtains the third signature information, and sends the smart password device account cancellation application and the third signature information to the background system server; the background system server receives the smart password device account cancellation application After the third signature information, the third signature information is verified by using the public key in the pre-stored smart cryptographic device certificate; after the third-party signature information is verified, the background system server deletes the pre-stored The smart password device certificate, and generate a smart password device account completion information, and send the smart password device account completion information to the smart password device; the smart password device receives the smart password device to complete the account cancellation After the information, the private key of the smart cryptographic device is deleted.
The method according to claim 4, wherein after the background system server receives the identification information of the smart cryptographic device and the user information read request, the background system server sends the terminal system server to the terminal Before the step of the user information reading the response information of the request, the method further includes:

The background system server sends user authorization request information to the smart cryptographic device through the terminal;

After receiving the user authorization request information, the smart cryptographic device generates authorization information, and sends the authorization information to the background system server by using the terminal;

After receiving the authorization information, the background system server performs the step of the background system server sending the response information of the user information read request to the terminal.
The method according to claim 13, wherein the step of generating the authorization information after the smart cryptographic device receives the user authorization request information comprises:

After receiving the user authorization request information, the smart cryptographic device transitions from a sleep state to an awake state;

The smart cryptographic device generates authorization information in an awake state.
The method according to any one of claims 1 to 14, wherein the method further scans the smart cryptographic device within the signal coverage range and obtains the scanned identification information of the smart cryptographic device. include:

The smart cryptographic device enters a state that can be scanned.
A data security interaction system, comprising: a terminal, a background system server, and a smart cryptographic device;

The terminal is configured to scan the smart cryptographic device within the signal coverage range, and obtain the scanned identification information of the smart cryptographic device; after the background system server completes the authentication of the smart cryptographic device, obtain the User information corresponding to the smart cryptographic device; storing the user information in a pre-established current user list;

The background system server is configured to obtain identification information of the smart cryptographic device, and complete authentication of the smart cryptographic device.
The system of claim 16 wherein:

The terminal is further configured to generate first to-be-signed information, send the first to-be-signed information and an authentication instruction to the smart cryptographic device, and receive the first signature information and the smart cryptographic device certificate sent by the smart cryptographic device. Sending, to the background system server, authentication request information, identification information of the smart cryptographic device, the first to-be-signed information, the first signature information, and the smart cryptographic device certificate;

The smart cryptographic device is configured to receive the first to-be-signed information and the authentication command sent by the terminal, and perform signature calculation on the first to-be-signed information by using a private key of the smart cryptographic device to obtain a first a signature information; sending the first signature information and a smart cryptographic device certificate to the terminal;

The background system server is further configured to receive the authentication request information sent by the terminal, the identification information of the smart cryptographic device, the first to-be-signed information, the first signature information, and the smart cryptographic device. a certificate, using the root certificate corresponding to the pre-stored smart cryptographic device certificate to verify whether the smart cryptographic device certificate is legal; after verifying that the smart cryptographic device certificate is legal, verifying the first signature information by using the public key of the smart cryptographic device After verifying that the first signature information is passed, the authentication of the smart cryptographic device is completed.
The system of claim 16 wherein:

The terminal is further configured to send the identifier information of the smart cryptographic device to the background system server, receive the first to-be-signed information sent by the background system server, and send the first to-be-signed information and the authentication command to the smart cryptographic device. Receiving the first signature information and the smart password device certificate sent by the smart cryptographic device, and sending the authentication request information, the first signature information, and the smart cryptographic device certificate to the background system server;

The background system server is further configured to receive the identification information of the smart cryptographic device sent by the terminal, generate first to-be-signed information, and send the first to-be-signed information to the terminal; The authentication request information, the first signature information, and the smart cryptographic device certificate verify whether the smart cryptographic device certificate is legal by using a root certificate corresponding to the pre-stored smart cryptographic device certificate; and verifying that the smart cryptographic device certificate is legal After the first signature information is verified by using the public key of the smart cryptographic device; after the first signature information is verified, the authentication of the smart cryptographic device is completed;

The smart cryptographic device is further configured to receive the first to-be-signed information sent by the terminal and the authentication instruction, and perform signature calculation on the first to-be-signed information by using a private key of the smart cryptographic device to obtain First signature information; sending the first signature information and the smart cryptographic device certificate to the terminal.
A system according to any one of claims 16 to 18, wherein

The terminal is further configured to send the identification information of the smart cryptographic device and the user information read request to the background system server, and receive the response information of the user information read request sent by the background system server, according to the The response information of the user information read request obtains the user information;

The background system server is further configured to receive the identification information of the smart cryptographic device sent by the terminal to And the user information reading request, obtaining user information corresponding to the smart cryptographic device according to the identification information of the smart cryptographic device; obtaining response information of the user information reading request according to the user information, and The terminal transmits response information of the user information read request.
A system according to any one of claims 16 to 18, wherein

The terminal is further configured to send a user information read request to the smart cryptographic device; receive response information of the user information read request sent by the smart cryptographic device, and read response information according to the user information request Obtaining the user information;

The smart cryptographic device is further configured to obtain pre-stored user information, obtain response information of the user information read request according to the user information, and send the response information of the user information read request to the terminal. .
A system according to any one of claims 16 to 18, wherein

The background system server is further configured to send user information corresponding to the smart cryptographic device to the terminal;

The terminal is further configured to receive user information corresponding to the smart cryptographic device sent by the background system server.
A system according to any one of claims 16 to 21, wherein

The terminal is further configured to: after the terminal scans the smart cryptographic device within the signal coverage range, and obtains the scanned identification information of the smart cryptographic device, obtain all the smart passwords within the signal coverage range of the terminal. The identification information of the device is generated, and the real-time identification list is generated; and the identification information of the smart cryptographic device in the real-time identification list is compared with the identification information of the smart cryptographic device in the current user list according to a preset time interval; If the identification information of the smart cryptographic device in the real-time identification list is not in the current user list, obtain the user information corresponding to the smart cryptographic device according to the scanned identification information of the smart cryptographic device; and if the current If the identification information of the smart cryptographic device in the user list is not in the real-time identifier list, the user information of the smart cryptographic device that is not in the real-time identifier list in the current user list is deleted.
A system according to any one of claims 16 to 21, wherein

The terminal is further configured to: after the terminal scans the smart cryptographic device within the signal coverage range, and obtains the scanned identification information of the smart cryptographic device, obtain all the smart passwords within the signal coverage range of the terminal. The identification information of the device is generated, and the real-time identification list is generated; and the identification information of the smart cryptographic device in the real-time identification list is compared with the identification information of the smart cryptographic device in the current user list according to a preset time interval; Obtaining the user information corresponding to the smart cryptographic device according to the scanned information of the smart cryptographic device, and obtaining the user information corresponding to the smart cryptographic device, and obtaining the user information of the smart cryptographic device. After the user information, the user information is stored in the real-time identification list; and if the identification information of the smart cryptographic device in the real-time identification list is in the current user list, then the In the current user list The user information of the smart cryptographic device is stored in the real-time identification list; the real-time identification list is used as the updated current user list.
A system according to any one of claims 17 to 23, wherein

The smart cryptographic device is further configured to: after receiving the first to-be-signed information and the authentication command, transition from a sleep state to an awake state; and in the awake state, use a private key of the smart cryptographic device to The signature information is calculated by the signature information to obtain the first signature information.
A system according to any one of claims 16 to 24, wherein

The background system server is further configured to determine, after the background system server obtains the identification information of the smart cryptographic device, whether the identifier information of the smart cryptographic device includes an abnormality of a smart cryptographic device pre-stored in the background system server. In the list, after determining that the identification information of the smart cryptographic device is in the abnormal list of the smart cryptographic device, acquiring an instruction to lock the smart cryptographic device, and signing the locked smart cryptographic device command by using the private key of the background system server Obtaining second signature information, and sending, by the terminal, the locked smart cryptographic device instruction and the second signature information to the smart cryptographic device;

The smart cryptographic device is further configured to receive the locked smart cryptographic device command and the second signature information sent by the background system server by using the terminal, and use the pre-stored public key pair in the background system server certificate The second signature information is verified; after verifying that the second signature information is passed, performing a locking operation according to the locked smart cryptographic device instruction.
A system according to any one of claims 16 to 25, wherein

The background system server is further configured to receive a smart password device registration application, and perform an audit on the smart password device registration application; and after the auditing the smart password device registration application passes, send the smart password device to the smart password device a key pair generation instruction; receiving a public key in the smart cryptographic device key pair sent by the smart cryptographic device, generating the smart cryptographic device certificate, and transmitting the smart cryptographic device certificate to the smart cryptographic device;

The smart cryptographic device is further configured to receive the smart cryptographic device key pair generation instruction sent by the background system server, generate a smart cryptographic device key pair, and send the smart cryptographic device key to the background system server. The public key of the pair; storing the smart cryptographic device certificate.
The system of claim 26 wherein:

The smart cryptographic device is further configured to obtain a smart PIN device account cancellation application, use the private key of the smart cryptographic device to sign the account cancellation application to obtain third signature information, and send the third signature information to the background system server. Receiving the smart password device account cancellation application and the third signature information; receiving the smart password device account completion information sent by the background system server, and deleting the private key of the smart password device;

The background system server is further configured to receive the smart password device and send the account sent by the smart cryptographic device And applying the third signature information to verify the third signature information by using a public key in the pre-stored smart cryptographic device certificate; after verifying that the third signature information is passed, deleting the pre-stored smart password The device certificate is generated, and the smart password device account completion information is generated, and the smart password device account completion information is sent to the smart password device.
The system of claim 19 wherein:

The background system server is further configured to send user authorization request information to the smart cryptographic device through the terminal; and receive the authorization information sent by the smart cryptographic device by using the terminal, and send the user to the terminal Response information of the information read request;

The smart cryptographic device is further configured to receive the user authorization request information sent by the background system server by using the terminal, generate authorization information, and send the authorization information to the background system server by using the terminal.
The system of claim 28 wherein:

The smart cryptographic device is further configured to: after receiving the user authorization request information, transition from a sleep state to an awake state; and generate authorization information in the awake state.
A system according to any one of claims 16 to 29, wherein

The smart cryptographic device is further configured to enter a scannable state before being scanned by the terminal.