CN101141250A - Instrument equipment, data safety access method, device and system - Google Patents

Instrument equipment, data safety access method, device and system

Publication number
CN101141250A
Authority
CN
China
Prior art keywords
application data
instrumentation
data
management system
background management
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2007101757127A
Other languages
Chinese (zh)
Inventor
王国荣
王军
李延
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing WatchData System Co Ltd
Original Assignee
Beijing WatchData System Co Ltd

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a data security access notification method, instrument equipment, and a data security access method, device and system. A background management system detects that application data of the instrument equipment needs to be updated and, based on a communication protocol, sends the encrypted application data together with the control signaling for updating that application data to the instrument equipment. Based on the communication protocol, the instrument equipment obtains the application data and the control signaling from the background management system, decrypts the application data, and updates the application data in the instrument equipment according to the control signaling and the decrypted application data. The invention can therefore improve the efficiency of security authentication and allows the application data of instrument equipment operating in the field to be modified remotely and securely without a data transmission medium, which is convenient for the user.

Description

Instrumentation, data safety access method, device and system
Technical field
The present invention relates to the field of data processing, and in particular to a technique for secure data access.
Background technology
In the public utilities field, collecting charges (including water, electricity and gas charges) by prepayment has been widely accepted and adopted by utility companies. Under this approach, the user stores a certain amount of prepaid application data in advance; the background management system obtains the user's usage information and deducts the corresponding amount from the user's prepaid application data according to that usage information. When the user's prepaid application data is insufficient, the background management system can control the user's right of use.
The prior art related to the present invention provides a method for accessing prepaid application data in which a smart card serves as the transmission medium between the background management system and the instrument equipment. Through the smart card, the background management system passes the required prepaid application data and management control information to the instrument equipment, and the instrument equipment can likewise pass operation information, such as its stored payment application data and the deducted payment data, to the background management system. In addition, to guarantee secure access to the application data, two authentication processes are required while the smart card carries the information exchanged between the background management system and the instrument equipment: in the first, the smart card performs security authentication and ciphertext read/write operations with the secure access module embedded in the instrument equipment; in the second, the smart card performs security authentication and ciphertext read/write operations with the background management system.
Although the prior art can guarantee the security and integrity of the data transmitted between the background management system and the instrument equipment, it requires two authentication processes, which makes security authentication inefficient.
Moreover, because the prior art uses a smart card as the transmission medium between the background management system and the instrument equipment, it causes considerable inconvenience to the user. For example, once the smart card is lost or damaged, the prestored charge data in the instrument equipment cannot be updated; when that prestored charge data can no longer cover the water, electricity or gas the user consumes, use of the instrument equipment is restricted.
Summary of the invention
The invention provides instrument equipment and a data security access method, device and system that improve the efficiency of security authentication and are convenient for users.
The embodiments of the invention are realized through the following technical solutions:
An embodiment of the invention provides a data security access notification method, comprising:
a background management system detects that application data of instrument equipment needs to be updated and, based on a communication protocol, sends the encrypted application data and the control signaling for updating the application data of the instrument equipment to the instrument equipment.
The method further comprises: generating a process key from the encryption sub-key corresponding to the instrument equipment and a generated random number, and encrypting the application data with the process key to obtain the encrypted application data.
The method further comprises: receiving a verification code and a random number fed back by the instrument equipment; generating a process key from that random number and the verification sub-key corresponding to the instrument equipment, and using the process key to generate a corresponding verification code;
comparing the generated verification code with the verification code returned by the instrument equipment, and determining from the comparison result whether the data update process succeeded.
The method further comprises: passing an integrity verification code of the application data to the instrument equipment, for the instrument equipment to verify the integrity of the application data.
An embodiment of the invention also provides a data security access method, comprising:
based on a communication protocol, receiving a notification from the background management system; obtaining, according to the notification, the encrypted application data and the control signaling for updating the application data of the instrument equipment;
decrypting the application data to obtain the decrypted application data; and, according to the control signaling, updating the application data that needs to be updated in the instrument equipment with the decrypted application data.
Decrypting the application data to obtain the decrypted application data comprises: obtaining the random number that the background management system produced for encrypting the application data, generating a process key from the decryption sub-key corresponding to the instrument equipment and that random number, and decrypting the obtained application data with the process key to obtain the decrypted application data.
The method further comprises: before updating the application data that needs to be updated in the instrument equipment with the obtained application data, judging the validity of the obtained application data;
updating the application data that needs to be updated in the instrument equipment with the obtained application data is then specifically: updating it with the obtained valid application data.
The method further comprises: generating a verification code from the verification sub-key corresponding to the instrument equipment and a generated random number; and feeding the verification code and the random number back to the background management system, for the background management system to verify whether the data update process succeeded.
The method further comprises: obtaining from the notification the integrity verification code sent by the background management system; and, before the application data in the instrument equipment is updated, using the integrity verification code to verify the integrity of the obtained application data.
An embodiment of the invention also provides a data security access device, comprising:
a data processing function module, configured to decrypt the obtained application data, using the random number that the background management system produced for encrypting the application data and the decryption sub-key corresponding to the local instrument equipment, to obtain the decrypted application data;
a data modification function module, configured to update the application data that needs to be updated in the instrument equipment with the decrypted application data obtained by the data processing function module.
The data processing function module is further configured to generate, from the verification sub-key corresponding to the instrument equipment and a locally generated random number, a verification code used to verify whether the data update process succeeded.
The data processing function module is further configured to obtain the integrity verification code sent by the background management system and to use it to verify the integrity of the obtained application data.
An embodiment of the invention also provides instrument equipment, comprising:
a data transmission device, configured to receive, based on a communication protocol, a notification from the background management system and to obtain, according to the notification, the encrypted application data and the control signaling for updating the application data of the instrument equipment;
a data security access device, configured to decrypt the obtained application data to obtain the decrypted application data, and to update the application data that needs to be updated in the instrument equipment according to the control signaling and the decrypted application data.
The data security access device is further configured to verify the validity of the application data it has decrypted before updating the application data that needs to be updated in the instrument equipment.
The instrument equipment further comprises: a validity verification device, configured to verify the validity of the application data decrypted by the data security access device and, once verification passes, to notify the data security access device to update the application data with the decrypted application data.
The data security access device is further configured to obtain the integrity verification code sent by the background management system and to use it to verify the integrity of the obtained application data.
The data security access device is further configured to generate, from the verification sub-key corresponding to the instrument equipment and a locally generated random number, a verification code used to verify whether the data update process succeeded;
the data transmission device is further configured to send out the verification code generated by the data security access device together with the generated random number.
An embodiment of the invention also provides a data security access system, comprising:
a background management system, configured to detect that application data of the instrument equipment needs to be updated and, based on a communication protocol, to send out the encrypted application data and the control signaling for updating the application data of the instrument equipment;
instrument equipment, configured to receive, based on the communication protocol, the notification from the background management system; to obtain, according to the notification, the encrypted application data and the control signaling for updating the application data of the instrument equipment; to decrypt the obtained application data to obtain the decrypted application data; and, according to the control signaling, to update the application data that needs to be updated in the instrument equipment with the decrypted application data.
As can be seen from the specific embodiments provided above, the background management system detects that application data of the instrument equipment needs to be updated and, based on a communication protocol, sends the encrypted application data and the control signaling for updating that application data to the instrument equipment; the instrument equipment obtains, based on the communication protocol, the application data and the control signaling sent by the background management system, decrypts the application data, and updates the application data that needs to be updated in the instrument equipment according to the control signaling and the decrypted application data. Only one authentication process is therefore carried out between the background management system and the instrument equipment, so the embodiments of the invention can improve the efficiency of security authentication.
In addition, the embodiments of the invention can securely modify, remotely over network communication, the application data of instrument equipment operating in the field, without a data transmission medium, which is convenient for users.
Description of drawings
Fig. 1 is the flow chart provided by the first embodiment of the invention;
Fig. 2 is a structural diagram of the data security access system provided by the fourth embodiment of the invention;
Fig. 3 is a schematic diagram of the application of recharging the instrument equipment, provided by the first case of the fourth embodiment of the invention;
Fig. 4 is a schematic diagram of the application of modifying instrument equipment parameters, provided by the second case of the fourth embodiment of the invention;
Fig. 5 is a structural diagram of the instrument equipment provided by the fifth embodiment of the invention;
Fig. 6 is a structural diagram of the data security access device provided by the sixth embodiment of the invention.
Embodiment
An embodiment of the invention provides a data security access method in which the background management system and instrument equipment that has a communication function authenticate each other directly, guaranteeing the security of access to prepaid data.
In implementing the embodiment, the background management system detects that application data of the instrument equipment needs to be updated and, based on a communication protocol, sends the encrypted application data and the control signaling for updating the application data of the instrument equipment to the instrument equipment. After decrypting the application data, the instrument equipment updates the application data that needs to be updated with the decrypted application data. The instrument equipment can also return the integrity verification code and the random number corresponding to the updated data to the background management system, which verifies whether the data update process succeeded. The specific implementation of this first embodiment, shown in Fig. 1, comprises the following steps:
Step 101: the background management system detects that application data of the instrument equipment needs to be updated and, based on a communication protocol, sends the encrypted application data and the control signaling for updating the application data of the instrument equipment to the instrument equipment.
When the background management system detects that application data of the instrument equipment needs to be updated, it uses the encryption master key it holds to generate, by the agreed method, the encryption sub-key corresponding to this instrument equipment, and produces a random number. It computes a process key from the encryption sub-key and the generated random number using the agreed algorithm, then encrypts the plaintext of the application data to be issued with the process key using the agreed encryption algorithm, producing the corresponding ciphertext. The random number and the ciphertext are concatenated to form the application data field. Following the agreed communication protocol, the application data field, the start code, the control command for updating the application data of the instrument equipment, the end code and so on are packed into a data packet, and the packet is sent to the instrument equipment.
When the packet is transmitted to the instrument equipment, it can also carry an integrity verification code, which is calculated over the data items of the application data using the agreed integrity verification algorithm.
Step 102: the instrument equipment receives the control signaling and the encrypted application data, decrypts the application data to obtain the decrypted application data, and updates the application data that needs to be updated in the instrument equipment according to the control signaling and the decrypted application data.
After receiving the packet, the instrument equipment parses it using the same communication protocol as the background management system, extracts the application data field, and obtains the random number and the ciphertext. The instrument equipment computes the process key from the designated decryption sub-key and the random number using the agreed algorithm, and then decrypts the ciphertext with the process key using the algorithm agreed with the background management system.
After completing the decryption, the instrument equipment first judges the validity of the decrypted data and, if it is valid, updates the application data.
If the packet received by the instrument equipment also contains an integrity verification code, the instrument equipment parses the packet using the same communication protocol as above and extracts the application data field and the integrity verification code, where the application data field contains the random number and the ciphertext. The instrument equipment uses the integrity verification code to verify the correctness of the application data field. If it is correct, the instrument equipment computes the process key from the designated decryption sub-key and the generated random number using the agreed algorithm, then decrypts the ciphertext with the process key using the algorithm agreed with the background management system. After completing the decryption, it first judges the validity of the decrypted data and, if it is valid, updates the application data.
To confirm that the data update process succeeded, the first embodiment can also include the following:
The instrument equipment generates a process key from the designated verification sub-key and a generated random number, uses the process key to compute a verification code over the data field agreed with the background management system, and feeds the random number just generated and the computed verification code back to the background management system, for the background management system to verify whether the data update process succeeded.
The background management system receives the random number and the verification code returned by the instrument equipment. It then uses the verification master key it holds to generate, by the agreed method, the verification sub-key corresponding to this instrument equipment, generates a process key from the verification sub-key and the random number returned by the instrument equipment, and uses that key to compute a verification code over the corresponding data field. This verification code is compared with the one returned by the instrument equipment: if they are equal, operation success is indicated; if they are not equal, alarm information is indicated.
The second embodiment of the invention provides a data security access notification method, implemented as follows:
The background management system detects, according to the user's usage information, whether the application data of the instrument equipment needs to be updated;
if no update is needed, it continues to detect, according to the user's usage information, whether the application data of the instrument equipment needs to be updated;
if an update is needed, the background management system, based on a communication protocol, sends the encrypted application data and the control signaling for updating the application data of the instrument equipment to the instrument equipment. The specific processing is as follows:
When the background management system detects that application data of the instrument equipment needs to be updated, it uses the encryption master key it holds to generate, by the agreed method, the encryption sub-key corresponding to this instrument equipment, and produces a random number. It computes a process key from the encryption sub-key and the generated random number using the agreed algorithm, then encrypts the plaintext of the application data to be updated with the process key using the agreed encryption algorithm, producing the corresponding ciphertext. The random number and the ciphertext are concatenated to form the application data field. Following the agreed communication protocol, the start code, the control command for updating the application data of the instrument equipment, and the end code are packed into a data packet, and the packet is sent to the instrument equipment.
When the packet is transmitted to the instrument equipment, it can also carry an integrity verification code, which is calculated over the data items of the application data using the agreed integrity verification algorithm.
The third embodiment of the invention provides a data security access method, implemented as follows:
Based on a communication protocol, the instrument equipment receives the notification from the background management system and, according to the notification, obtains the encrypted application data and the control signaling for updating the application data of the instrument equipment.
After receiving the packet issued by the background management system, the instrument equipment parses it using the same communication protocol as the background management system and obtains the random number and the encrypted application data (that is, the ciphertext).
The instrument equipment decrypts the encrypted application data to obtain the decrypted application data, and updates the application data that needs to be updated in the instrument equipment according to the control signaling and the decrypted application data.
The instrument equipment computes the process key from the designated decryption sub-key and the random number obtained by parsing the packet, using the agreed algorithm, and then decrypts the ciphertext with the process key using the algorithm agreed with the background management system.
After completing the decryption, the instrument equipment can first judge the validity of the decrypted data and, if it is valid, update the application data that needs to be updated in the instrument equipment with the valid decrypted data.
If the packet received by the instrument equipment also contains an integrity verification code, the instrument equipment parses the packet using the same communication protocol as above and extracts the application data field and the integrity verification code, where the application data field contains the random number and the ciphertext. The instrument equipment first uses the integrity verification code to verify the correctness of the application data field. If it is correct, the instrument equipment computes the process key from the designated decryption sub-key and the random number using the agreed algorithm, then decrypts the ciphertext with the process key using the algorithm agreed with the background management system. After completing the decryption, it first judges the validity of the decrypted data and, if it is valid, updates the application data that needs to be updated in the instrument equipment with the valid decrypted data.
The fourth embodiment of the invention provides a data security access system. Referring to Fig. 2, the system comprises a background management system 100 and instrument equipment 200.
The background management system 100 is configured to detect that application data of the instrument equipment needs to be updated and, based on a communication protocol, to send out the encrypted application data and the control signaling for updating the application data of the instrument equipment.
The instrument equipment 200 is configured to receive, based on the communication protocol, the notification from the background management system; to obtain, according to the notification, the encrypted application data and the control signaling for updating the application data of the instrument equipment; to decrypt the obtained application data to obtain the decrypted application data; and, according to the control signaling, to update the application data that needs to be updated in the instrument equipment with the decrypted application data.
The instrument equipment 200 further comprises a data transmission device 210 and a data security access device 220.
The data transmission device 210 is configured to receive, based on the communication protocol, the notification from the background management system and to obtain, according to the notification, the encrypted application data and the control signaling for updating the application data of the instrument equipment;
the data security access device 220 is configured to decrypt the obtained application data to obtain the decrypted application data, and to update the application data that needs to be updated in the instrument equipment according to the control signaling and the decrypted application data.
The data security access device 220 further comprises a data processing function module 2201 and a data modification function module 2202.
The data processing function module 2201 is configured to decrypt the obtained application data, using the random number that the background management system produced for encrypting the application data and the decryption sub-key corresponding to the local instrument equipment, to obtain the decrypted application data.
The data modification function module 2202 is configured to update the application data that needs to be updated in the instrument equipment with the decrypted application data obtained by the data processing function module.
The data security access device can be embedded in the instrument equipment and supports multiple package forms, including DIP (Dual In-line Package), SOP (Small Out-Line Package) and the ID-1 type (an ID-1 card conforming to the ISO 7816 standard). It can comprise the following hardware: a CPU and encryption logic, RAM (Random Access Memory), ROM (Read-Only Memory) and EEPROM (Electrically Erasable Programmable Read-Only Memory). The CPU and encryption logic guarantee the security of the data in the EEPROM; RAM is the area that holds command parameters, return results, security state and temporary working keys while the operating system is running; ROM is the area that stores the operating system program; EEPROM is the area that stores the user's application data.
The application of the fourth embodiment of the invention is described in detail below for two cases:
The first case is the application of recharging the instrument equipment in a network environment. As shown in Fig. 3, the user sends a payment request to the background management system by electronic means, including telephone, SMS and network.
After receiving the request, the background management system first judges whether the user is a registered legitimate user. If the user is legitimate, it contacts the clearing center to judge whether the user's relevant account has sufficient funds. If the funds are sufficient, it judges whether the relevant fund account requires the user to enter a password and, if so, prompts the user to enter it. Then, using the encryption master key held by the background management system and user information such as the user number, it derives by dispersion the encryption sub-key and the communication MAC (Message Authentication Code) verification sub-key corresponding to the instrument equipment, and generates a random number. The encryption sub-key and the communication MAC verification sub-key are each combined with the generated random number in a 3DES calculation, producing the process key corresponding to the encryption sub-key and the process key corresponding to the communication MAC verification sub-key. The recharge information, which comprises this recharge amount, the transaction date and the transaction time, is then 3DES-encrypted with the process key corresponding to the encryption sub-key to obtain the ciphertext. The random number generated above and the ciphertext are concatenated to form the recharge operation application data, and a MAC is calculated over the recharge operation application data with the process key corresponding to the communication MAC verification sub-key to obtain the MAC code. The initial value of the MAC calculation can be 4 bytes of the random number generated above, or 4 bytes of all zeros. The background management system generates a data packet according to the communication protocol agreed in advance. The packet includes, but is not limited to, the following: the frame header, the recharge control command, the recharge operation application data, the MAC code and the end code. The background management system sends this packet to the instrument equipment.
The data transmission device in the instrumentation receives the packet sent down by the background management system and judges whether it supports the control command. If it does not, it exits with an error. If it does, it uses the content of the application data field in the packet as the DATA field of a data decryption verification command and sends the data decryption verification command to the data security access device.
The data security access device receives the data decryption verification command. The data processing function module in the data security access device generates process key SK1 from the designated MAC verification key and, with SK1, computes the MAC by the same algorithm as the background management system and verifies the correctness of the MAC code in the DATA field. If it is incorrect, an error code is sent. If it is correct, the designated data decryption key is used to generate process key SK2, the recharge ciphertext data is decrypted with SK2, and the resulting recharge plaintext data, namely this recharge amount, the transaction date and the transaction time, is stored in the RAM of the data security access device and at the same time returned to the data transmission device of the instrumentation.
The data transmission device of the instrumentation receives the returned recharge plaintext data and judges whether the data is correct. If it is incorrect, it exits with an error. If it is correct, it sends a recharge command to the designated stored-value wallet in the data security access device.
The data security access device passes the recharge plaintext data stored in RAM to the data modification function module, which recharges the designated wallet. It then takes a 4-byte random number and the transaction sequence number, generates process key SK from the designated recharge key, and uses SK to calculate the transaction verification code TMAC (Transaction Message Authentication Code) over this recharge amount, the accumulated recharge amount, the transaction date and the transaction time. The new wallet balance is stored in the EEPROM of the data security access device, and the random number taken, the new wallet balance and the TMAC are sent to the data transmission device of the instrumentation.
The data transmission device of the instrumentation receives the returned data, generates a communication data packet comprising the frame header, the random number, the new wallet balance and the transaction verification code TMAC, and returns it to the background management system.
The background management system receives the communication data packet returned by the data transmission device of the instrumentation and verifies it. If verification passes, the data operation succeeded. Otherwise the data operation did not succeed and alarm information is prompted; after the fault has been cleared, the background management system carries out the above procedure again.
The second case is the application of modifying the parameters of an instrumentation in a network environment, as shown in Figure 4. When, according to the needs of system operation, the parameter settings of an instrumentation in operation have to be modified, the background management system uses the encryption master key it holds and, according to information of the instrumentation such as the meter number, diversifies the encryption sub-key and the communication MAC verification sub-key that correspond to the instrumentation in operation. It then generates a random number and performs a 3DES operation on that random number with the encryption sub-key and with the communication MAC verification sub-key respectively, producing the process key corresponding to the encryption sub-key and the process key corresponding to the communication MAC verification sub-key. The parameter modification information is then 3DES-encrypted with the process key corresponding to the encryption sub-key to obtain the ciphertext data. The parameter information comprises the overdraft threshold, the hoarding threshold, the freeze time and the enabling time. The random number generated above and the ciphertext data obtained by encryption are concatenated to form the parameter modification operation application data field. A MAC calculation is performed over the parameter modification operation application data field with the process key corresponding to the communication MAC verification sub-key to obtain the MAC code. The initial value of the MAC calculation is 4 bytes taken from the 8-byte random number generated above, or may be 4 bytes of all zeros. The background management system generates a data packet according to the communication protocol agreed in advance. This packet comprises the frame header, the recharge control command, the above parameter modification operation application data field, the above MAC code and the end code. The background management system sends this packet to the data transmission device.
The data transmission device of the instrumentation receives the packet sent down by the background management system and judges whether it supports the control command. If it does not, it exits with an error. If it does, it uses the application data content in the packet as the DATA field of a parameter rewriting command and sends the data rewriting parameter command to the data security access device of the instrumentation.
The data security access device of the instrumentation receives the data rewriting parameter command, and its data processing function module verifies the integrity of the command and decrypts it. The data processing function module generates process key SK1 from the designated MAC verification key and, with SK1, computes the MAC by the same algorithm as the background management system and verifies the correctness of the MAC code in the DATA field. If it is incorrect, the data processing function module sends an error code. If it is correct, the designated data decryption key is used to generate process key SK2, the parameter modification ciphertext data is decrypted with SK2, and the resulting parameter plaintext data, namely the overdraft threshold, the hoarding threshold, the freeze time and the enabling time, is stored in the RAM of the data security access device.
The data processing function module of the data security access device judges the legitimacy of the parameter plaintext data. If it is not legitimate, an error code is sent. If it is legitimate, the parameter plaintext data stored in RAM is passed to the data modification function module of the data security access device, which updates the relevant parameters at the designated address. It then takes an 8-byte random number, performs an operation on the designated rewrite key to generate process key SK, and uses SK to calculate the verification code WMAC over the rewritten file identifier, start address, length and enabling time. The modified parameters are stored in the EEPROM of the data security access device, and the random number taken and the verification code WMAC are returned to the data transmission device of the instrumentation.
The data transmission device of the instrumentation receives the returned data, generates a communication data packet comprising the frame header, the random number and the rewrite verification code WMAC, and returns it to the background management system.
The background management system receives the communication data packet returned by the data transmission device and verifies it.
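The downlink exchange that both cases above share (sub-key diversification, per-message process keys derived from the random number, 3DES encryption, a MAC over random number plus ciphertext, and MAC verification before decryption on the instrumentation) is shown below as an added Go example; it is not code from the patent. The derivation formula, the zero CBC IV, the 0x80 padding, the 4-byte truncated CBC-MAC, the use of a separate master key per purpose, and all function names and sample values are assumptions, because the page specifies only 3DES and the MAC initial value.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// tdes builds a two-key 3DES cipher from a 16-byte key (K1||K2||K1).
func tdes(k16 []byte) cipher.Block {
	b, err := des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...))
	if err != nil {
		panic(err)
	}
	return b
}

// Derive 3DES-encrypts an 8-byte seed and its complement under the parent key (assumed
// formula). Used for sub-keys (seed = meter ID) and process keys (seed = random number).
func Derive(parent, seed []byte) []byte {
	out, inv := make([]byte, 16), make([]byte, 8)
	for i, v := range seed {
		inv[i] = ^v
	}
	b := tdes(parent)
	b.Encrypt(out[:8], seed)
	b.Encrypt(out[8:], inv)
	return out
}

// cbc pads data with 0x80 00.. to a block multiple (assumed) and CBC-encrypts it.
func cbc(key, iv, data []byte) []byte {
	p := append(append([]byte{}, data...), 0x80)
	for len(p)%8 != 0 {
		p = append(p, 0)
	}
	cipher.NewCBCEncrypter(tdes(key), iv).CryptBlocks(p, p)
	return p
}

// MAC4: CBC-MAC truncated to 4 bytes (assumed); initial value = first 4 random bytes, zero-filled.
func MAC4(key, rnd, data []byte) []byte {
	iv := make([]byte, 8)
	copy(iv, rnd[:4])
	c := cbc(key, iv, data)
	return c[len(c)-4:]
}

// BuildAppData is the backend side: returns random||ciphertext and its MAC.
func BuildAppData(encSub, macSub, rnd, info []byte) (app, mac []byte) {
	app = append(append([]byte{}, rnd...), cbc(Derive(encSub, rnd), make([]byte, 8), info)...)
	return app, MAC4(Derive(macSub, rnd), rnd, app)
}

// OpenAppData is the meter side: check the MAC with SK1 first, then derive SK2 and decrypt.
func OpenAppData(encSub, macSub, app, mac []byte) ([]byte, error) {
	if len(app) < 16 || len(app)%8 != 0 {
		return nil, errors.New("bad length")
	}
	rnd, ct := app[:8], app[8:]
	if subtle.ConstantTimeCompare(MAC4(Derive(macSub, rnd), rnd, app), mac) != 1 {
		return nil, errors.New("MAC mismatch")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(tdes(Derive(encSub, rnd)), make([]byte, 8)).CryptBlocks(pt, ct)
	i := bytes.LastIndexByte(pt, 0x80)
	if i < 0 || len(bytes.Trim(pt[i+1:], "\x00")) != 0 {
		return nil, errors.New("bad padding")
	}
	return pt[:i], nil
}

func main() {
	// Constructed sample values; a real backend draws rnd from crypto/rand.
	id := []byte{0, 0, 0, 0, 0x12, 0x34, 0x56, 0x78}
	encSub, macSub := Derive([]byte("ENC-MASTER-KEY16"), id), Derive([]byte("MAC-MASTER-KEY16"), id)
	info := []byte{0, 0, 0x13, 0x88, 0x20, 0x07, 0x10, 0x10, 0x09, 0x30, 0x00} // amount, date, time
	app, mac := BuildAppData(encSub, macSub, []byte{1, 2, 3, 4, 5, 6, 7, 8}, info)
	pt, err := OpenAppData(encSub, macSub, app, mac)
	fmt.Printf("app=%x mac=%x plain=%x err=%v\n", app, mac, pt, err)
}
```

Because the sub-keys are diversified per instrumentation, a packet built for one meter fails the MAC check on any other, and any change to the random number or ciphertext is rejected before SK2 is ever derived.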
The fifth embodiment of the invention provides an instrumentation whose structure is shown in Fig. 5. It comprises a data transmission device 501 and a data security access device 502, and its function is the same as that of the instrumentation included in the data security access system provided by the fourth embodiment of the invention.
The sixth embodiment of the invention provides a data security access device whose structure is shown in Fig. 6. It comprises a data processing function module 601 and a data modification function module 602, and its function is the same as that of the data security access device included in the data security access system provided by the fourth embodiment of the invention.
As can be seen from the embodiments described above, in the present invention the background management system detects that application data of the instrumentation needs to be updated and, based on the communication protocol, sends to the instrumentation the encrypted application data and the control signaling indicating that the application data of the instrumentation needs to be updated. The instrumentation obtains the application data and control signaling sent by the background management system based on the communication protocol, decrypts the application data, and updates the application data that needs to be updated in the instrumentation according to the control signaling and the decrypted application data. The invention can therefore improve the efficiency of security authentication and can also securely modify, remotely over network communication, the application data of an instrumentation operating in the field, without needing a data transmission medium, which is convenient for users.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (18)

1. A data security access notification method, characterized in that the method comprises:
a background management system detecting that application data of an instrumentation needs to be updated;
based on a communication protocol, sending to the instrumentation the encrypted application data and control signaling indicating that the application data of said instrumentation needs to be updated.
2. The method of claim 1, characterized in that said method further comprises:
generating a process key according to the encryption sub-key corresponding to said instrumentation and a generated random number, and encrypting the application data with said process key to obtain the encrypted application data.
3. The method of claim 1 or 2, characterized in that said method further comprises:
receiving a verification code and a random number fed back by the instrumentation;
generating a process key using said random number and the verification sub-key corresponding to said instrumentation, and using said process key to generate a corresponding verification code;
comparing the generated verification code with the verification code returned by the instrumentation, and determining from the comparison result whether the data update process succeeded.
4. The method of claim 1 or 2, characterized in that said method further comprises:
transmitting an integrity verification code of said application data to said instrumentation, for said instrumentation to perform integrity verification on the application data.
5. A data security access method, characterized in that it comprises:
based on a communication protocol, receiving a notification from said background management system; according to said notification, obtaining the encrypted application data and control signaling indicating that the application data of the instrumentation needs to be updated;
decrypting said application data to obtain the decrypted application data; according to said control signaling and the decrypted application data, updating the application data that needs to be updated in the instrumentation.
6. The method of claim 5, characterized in that said decrypting of said application data to obtain the decrypted application data comprises:
obtaining the random number that the background management system generated for encrypting said application data, generating a process key using the decryption sub-key corresponding to said instrumentation and said random number, and decrypting the obtained application data with said process key to obtain the decrypted application data.
7. The method of claim 5 or 6, characterized in that said method further comprises:
before the application data that needs to be updated in the instrumentation is updated according to the obtained application data, judging the legitimacy of the obtained application data;
said updating of the application data that needs to be updated in the instrumentation according to the obtained application data being specifically: updating the application data that needs to be updated in the instrumentation according to the obtained legitimate application data.
8. The method of claim 5 or 6, characterized in that said method further comprises:
generating a verification code according to the verification sub-key corresponding to said instrumentation and a generated random number; feeding said verification code and said random number back to the background management system, for the background management system to verify whether the data update process succeeded.
9. The method of claim 5 or 6, characterized in that said method further comprises:
obtaining from said notification the integrity verification code sent by the background management system;
before the application data in the instrumentation is updated, using said integrity verification code to perform integrity verification on the obtained application data.
10. A data security access device, characterized in that said data security storage device comprises:
a data processing function module, configured to decrypt the obtained application data using the random number that the background management system generated for encrypting the application data and the decryption sub-key corresponding to the local instrumentation, to obtain the decrypted application data;
a data modification function module, configured to update the application data that needs to be updated in the instrumentation according to the decrypted application data obtained by said data processing function module.
11. The device of claim 10, characterized in that said data processing function module is further configured to generate, according to the verification sub-key corresponding to said instrumentation and a locally generated random number, a verification code used to verify whether the data update process succeeded.
12. The device of claim 10 or 11, characterized in that said data processing function module is further configured to obtain the integrity verification code sent by the background management system and to use said integrity verification code to verify the integrity of the obtained application data.
13. An instrumentation, characterized in that it comprises:
a data transmission device, configured to receive, based on a communication protocol, a notification from said background management system, and to obtain, according to said notification, the encrypted application data and control signaling indicating that the application data of the instrumentation needs to be updated;
a data security access device, configured to decrypt the obtained application data to obtain the decrypted application data, and to update the application data that needs to be updated in the instrumentation according to said control signaling and the decrypted application data.
14. The instrumentation of claim 13, characterized in that said data security access device is further configured to verify, before the application data that needs to be updated in the instrumentation is updated, the legitimacy of the application data decrypted by said data security access device.
15. The instrumentation of claim 13, characterized in that said instrumentation further comprises: a legitimacy verification device, configured to perform legitimacy verification on the application data decrypted by said data security access device and, after verification passes, to notify said data security access device to update the application data according to the decrypted application data.
16. The instrumentation of claim 13, characterized in that said data security access device is further configured to obtain the integrity verification code sent by the background management system and to use said integrity verification code to verify the integrity of the obtained application data.
17. The instrumentation of claim 13, 14, 15 or 16, characterized in that
said data security access device is further configured to generate, according to the verification sub-key corresponding to said instrumentation and a locally generated random number, a verification code used to verify whether the data update process succeeded;
said data transmission device is further configured to send out the verification code generated by said data security access device and the generated random number.
18. A data security access system, characterized in that said system comprises:
a background management system, configured to detect that application data of an instrumentation needs to be updated and, based on a communication protocol, to send out the encrypted application data and control signaling indicating that the application data of said instrumentation needs to be updated;
an instrumentation, configured to receive, based on the communication protocol, a notification from said background management system; to obtain, according to said notification, the encrypted application data and the control signaling indicating that the application data of the instrumentation needs to be updated; to decrypt the obtained application data to obtain the decrypted application data; and, according to said control signaling, to update the application data that needs to be updated in the instrumentation using the decrypted application data.
CNA2007101757127A 2007-10-10 2007-10-10 Instrument equipment, data safety access method, device and system Pending CN101141250A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007101757127A CN101141250A (en) 2007-10-10 2007-10-10 Instrument equipment, data safety access method, device and system

Publications (1)

Publication Number Publication Date
CN101141250A true CN101141250A (en) 2008-03-12

Family

ID=39193019

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007101757127A Pending CN101141250A (en) 2007-10-10 2007-10-10 Instrument equipment, data safety access method, device and system

Country Status (1)

Country Link
CN (1) CN101141250A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710412B (en) * 2012-05-07 2015-07-01 北京握奇数据系统有限公司 Method and device for compatible management of encryption algorithm
CN102710412A (en) * 2012-05-07 2012-10-03 北京握奇数据系统有限公司 Method and device for compatible management of encryption algorithm
CN103684759A (en) * 2012-09-11 2014-03-26 中国银联股份有限公司 Terminal data encrypting method and device
CN108293223A (en) * 2015-11-30 2018-07-17 华为技术有限公司 A kind of data transmission method, user equipment and network side equipment
CN106899611B (en) * 2017-03-27 2019-12-10 广州市麦多科机械有限公司 remote safety communication method and system for weighing equipment
CN106899611A (en) * 2017-03-27 2017-06-27 广州市麦多科机械有限公司 A kind of telesecurity communication means and system for weighing-appliance
CN107426670B (en) * 2017-04-28 2020-01-03 恒宝股份有限公司 Bluetooth encryption communication system and communication method
CN107426670A (en) * 2017-04-28 2017-12-01 恒宝股份有限公司 A kind of Bluetooth encryption communication system and communication means
CN108763964A (en) * 2018-04-04 2018-11-06 青岛海尔科技有限公司 A kind of data processing method, device, readable storage medium storing program for executing and equipment
CN108763964B (en) * 2018-04-04 2021-08-24 青岛海尔科技有限公司 Data processing method and device, readable storage medium and equipment
CN109067528A (en) * 2018-08-31 2018-12-21 阿里巴巴集团控股有限公司 Crypto-operation, method, cryptographic service platform and the equipment for creating working key
CN109067528B (en) * 2018-08-31 2020-05-12 阿里巴巴集团控股有限公司 Password operation method, work key creation method, password service platform and equipment
US11128447B2 (en) 2018-08-31 2021-09-21 Advanced New Technologies Co., Ltd. Cryptographic operation method, working key creation method, cryptographic service platform, and cryptographic service device
CN110659048A (en) * 2019-09-18 2020-01-07 威胜集团有限公司 Data writing method of metering instrument, management system and readable storage medium
CN112541185A (en) * 2020-12-12 2021-03-23 唐山市柳林自动化设备有限公司 Data security processing terminal equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20080312