CN101459512A - Method for smart card installation/initialization application through untrusted communication channel - Google Patents
- Publication number
- CN101459512A
- Authority
- CN
- China
- Prior art keywords
- isp
- application
- key
- smart card
- communication channel
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a method for installing an application on a smart card over an untrusted communication channel, and a corresponding initialization method, which ensure the integrity, confidentiality and non-replicability of data during application download, installation and initialization. In the technical scheme: first, the smart card records a first application and a first key written by a third-party institution; second, the smart card receives the service provider's number, and the first application computes the service provider's key from that number and the first key using an irreversible algorithm and sends the key to the service provider; third, the first application on the smart card and the service provider authenticate each other and establish a secure communication channel; fourth, the smart card receives the encrypted application security command data; fifth, the first application on the smart card decrypts the application security command data and sends it to the operating system on the smart card; sixth, the operating system creates a new application corresponding to the service provider. The invention applies to the field of smart cards.
Description
Technical field
The present invention relates to a method for installing/initializing an application on a smart card, and in particular to a method for installing/initializing an application on a smart card over an untrusted communication channel by means of encryption and decryption.
Background art
Smart cards are now widely used as credit cards, payment cards, transit cards and the like. The prior art supports writing a new application to a smart card and can guarantee data isolation between the multiple applications on the card. That is, the prior art can already load multiple applications onto a single smart card.
However, the data that a new service provider writes to a smart card when installing an application is not effectively protected. If a malicious party intercepts this data, it may produce counterfeit cards or carry out malicious operations (such as increasing the balance on the card). Loading a new application can therefore currently be done only locally, which greatly increases the restrictions on, and the complexity of, installing new applications.
Summary of the invention
The object of the invention is to solve the above problem by providing a method for installing an application on a smart card over an untrusted communication channel that ensures the data is complete, confidential and non-replicable during application download and installation.
Another object of the present invention is to provide a method for initializing an application on a smart card over an untrusted communication channel that ensures the data is complete, confidential and non-replicable while the application is being initialized.
The technical scheme of the present invention is as follows. The present invention proposes a method for installing an application on a smart card over an untrusted communication channel, in which a service provider installs its application on the smart card over the untrusted communication channel. The method comprises:
A. The smart card records a first application and a first key written by a third-party institution trusted by the service provider;
B. The smart card receives the service provider number uploaded by the service provider; the first application computes a service provider key from this number and the first key using an irreversible algorithm, and returns the service provider key to the service provider over a secure channel, so that no service provider can derive the first key, and no service provider that knows another service provider's number can use its own service provider key and service provider number to compute the other service provider's key;
C. The first application on the smart card and the service provider authenticate each other and establish a secure communication channel using the service provider key;
D. The smart card receives the encrypted application security command data that the service provider sends to the first application;
E. The first application on the smart card decrypts the application security command data and sends the decrypted application security command data to the operating system on the smart card;
F. The operating system on the smart card creates a new application corresponding to the service provider.
In the above method for installing an application on a smart card over an untrusted communication channel, the method further comprises:
G. After the new application has been created, the smart card receives the encrypted application initialization data that the service provider sends to the first application;
H. The first application on the smart card decrypts the application initialization data and sends the decrypted application initialization data to the service provider's newly created application;
I. The service provider's new application on the smart card carries out the initialization procedure according to the decrypted application initialization data.
In the above method for installing an application on a smart card over an untrusted communication channel, the irreversible algorithm is a sub-key diversification algorithm.
The present invention further proposes a method for initializing an application on a smart card over an untrusted communication channel, in which a service provider initializes, over the untrusted communication channel, an application already present on the smart card. The method comprises:
A. The smart card records a first application and a first key written by a third-party institution trusted by the service provider;
B. The smart card receives the service provider number uploaded by the service provider; the first application computes a service provider key from this number and the first key using an irreversible algorithm, and returns the service provider key to the service provider over a secure channel, so that no service provider can derive the first key, and no service provider that knows another service provider's number can use its own service provider key and service provider number to compute the other service provider's key;
C. The first application on the smart card and the service provider authenticate each other and establish a secure communication channel using the service provider key;
D. The smart card receives the encrypted application initialization data that the service provider sends to the first application;
E. The first application on the smart card decrypts the application initialization data and sends the decrypted application initialization data to the service provider's application;
F. The service provider's application on the smart card carries out the initialization procedure according to the decrypted application initialization data.
In the above method for initializing an application on a smart card over an untrusted communication channel, the irreversible algorithm is a sub-key diversification algorithm.
Compared with the prior art, the present invention has the following beneficial effects. In the method of the present invention, the application A001 and the key K001 are written to the smart card by a third-party institution trusted by the service provider. The smart card computes the service provider key K002 from the key K001 and the service provider's unique number and returns it to the service provider over a secure channel. A secure communication channel is established between the application A001 and the service provider using the key K002, and the installation and initialization of applications are carried out over this secure communication channel. Compared with the prior art, the method of the present invention enables secure download and installation of applications in an untrusted environment, and ensures that the data is complete, confidential and non-replicable during application download, installation or initialization.
Description of drawings
Fig. 1 is a flow chart of a preferred embodiment of the method of the present invention for installing an application on a smart card over an untrusted communication channel.
Fig. 2 is a flow chart of another preferred embodiment of the method of the present invention for installing an application on a smart card over an untrusted communication channel.
Fig. 3 is a flow chart of a preferred embodiment of the method of the present invention for initializing an application on a smart card over an untrusted communication channel.
Embodiments
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 shows the flow of a preferred embodiment of the method of the present invention for installing an application on a smart card over an untrusted communication channel. Referring to Fig. 1, each step of this method embodiment is described in detail below.
Step S100: The smart card records the first application A001 and the first key K001 written by a third-party institution. The third-party institution here is trusted by every service provider.
Step S101: The smart card receives the service provider number ID uploaded by the service provider (the service provider that needs to create the new application A002). The service provider number ID is unique to each service provider.
Step S102: The first application A001 on the smart card computes the key K002 belonging to the service provider from the service provider number ID and the first key K001 using an irreversible algorithm, and returns the key K002 to the service provider over a secure channel.
The irreversible algorithm is, for example, a sub-key diversification algorithm. It guarantees that no service provider can derive the first key, and that no service provider that knows another service provider's number ID can use its own service provider key and service provider number to compute the other service provider's key.
Step S103: The service provider and the first application A001 authenticate each other and establish a secure communication channel using the service provider key K002. In mutual authentication, the two parties confirm each other's identity through three exchanges of secret data, and use this secret data as the encryption and decryption key of the secure channel.
Step S104: The smart card receives the encrypted application security command data that the service provider sends to the first application A001. The service provider encrypts the application security command data with the key K002.
Step S105: The first application A001 on the smart card decrypts the application security command data. The first application A001 decrypts the application security command data with the key K002.
Step S106: The first application A001 on the smart card sends the decrypted application security command data to the operating system on the smart card.
Step S107: The operating system on the smart card creates the new application A002 corresponding to the service provider.
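The flow of steps S100 to S107, as an added example that is not part of the patent text: HMAC-SHA256 stands in for both the sub-key diversification algorithm and 3DES so that it runs on the Python standard library alone. The three-message layout, the class and function names and the field labels are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run together."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def diversify(k001: bytes, sp_id: bytes) -> bytes:
    """S102: K002 as a one-way function of K001 and the provider number ID."""
    return mac(k001, b"diversify", sp_id)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (mac(key, b"ks", nonce, i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(session: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the session key (stand-in for the page's 3DES)."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(session, nonce, len(plaintext))))
    return nonce + ct + mac(session, b"tag", nonce, ct)

def unseal(session: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if len(blob) < 44 or not hmac.compare_digest(tag, mac(session, b"tag", nonce, ct)):
        raise ValueError("secure channel: integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(session, nonce, len(ct))))

class Card:
    """First application A001, with a dict standing in for the card OS."""

    def __init__(self, k001: bytes):
        self._k001, self._session = k001, None  # S100: K001 from the trusted third party
        self.apps = {}                          # provider ID -> command handed to the OS

    def issue_sp_key(self, sp_id: bytes) -> bytes:
        """S101-S102: K002, returned to the provider over a separate secure channel."""
        return diversify(self._k001, sp_id)

    def auth_begin(self, sp_id: bytes) -> bytes:
        """Exchange 1: the card's random challenge."""
        self._sp_id, self._k002 = sp_id, diversify(self._k001, sp_id)
        self._rc, self._session = secrets.token_bytes(16), None
        return self._rc

    def auth_finish(self, rs: bytes, sp_proof: bytes) -> bytes:
        """Verify exchange 2, open the channel, return the card's proof (exchange 3)."""
        if not hmac.compare_digest(sp_proof, mac(self._k002, b"sp", self._rc, rs)):
            raise PermissionError("service provider failed authentication")
        self._session = mac(self._k002, b"session", self._rc, rs)
        return mac(self._k002, b"card", self._rc, rs)

    def receive_install(self, blob: bytes) -> bytes:
        """S104-S107: decrypt the command and pass it to the OS stub."""
        if self._session is None:
            raise PermissionError("no secure channel established")
        command = unseal(self._session, blob)
        self.apps[self._sp_id] = command
        return command

class ServiceProvider:
    def __init__(self, sp_id: bytes, k002: bytes):
        self.sp_id, self._k002, self._session = sp_id, k002, None

    def auth_respond(self, rc: bytes):
        """Exchange 2: the provider's challenge and its proof of holding K002."""
        self._rc, self._rs = rc, secrets.token_bytes(16)
        return self._rs, mac(self._k002, b"sp", rc, self._rs)

    def auth_verify(self, card_proof: bytes) -> None:
        if not hmac.compare_digest(card_proof, mac(self._k002, b"card", self._rc, self._rs)):
            raise PermissionError("card failed authentication")
        self._session = mac(self._k002, b"session", self._rc, self._rs)

    def install(self, command: bytes) -> bytes:
        return seal(self._session, command)

def run_install(card: Card, sp: ServiceProvider, command: bytes) -> bytes:
    """S103-S107 end to end; returns the command the card OS received."""
    rc = card.auth_begin(sp.sp_id)
    rs, proof = sp.auth_respond(rc)
    sp.auth_verify(card.auth_finish(rs, proof))
    return card.receive_install(sp.install(command))
```

A provider that presents another provider's number but holds only its own K002 fails at `auth_finish`, and a modified ciphertext fails in `unseal` before anything reaches the operating system stub.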
Fig. 2 shows the flow of another preferred embodiment of the method of the present invention for installing an application on a smart card over an untrusted communication channel. Referring to Fig. 2, each step of this method embodiment is described in detail below.
Step S200: The smart card records the first application A001 and the first key K001 written by a third-party institution. The third-party institution here is trusted by every service provider.
Step S201: The smart card receives the service provider number ID uploaded by the service provider (the service provider that needs to create the new application A002). The service provider number ID is unique to each service provider.
Step S202: The first application A001 on the smart card computes the key K002 belonging to the service provider from the service provider number ID and the first key K001 using an irreversible algorithm, and returns the key K002 to the service provider over a secure channel.
The irreversible algorithm is, for example, a sub-key diversification algorithm. It guarantees that no service provider can derive the first key, and that no service provider that knows another service provider's number ID can use its own service provider key and service provider number to compute the other service provider's key.
Step S203: The service provider and the first application A001 authenticate each other and establish a secure communication channel using the service provider key K002.
Step S204: The smart card receives the encrypted application security command data that the service provider sends to the first application A001. The service provider encrypts the application security command data with the key K002.
Step S205: The first application A001 on the smart card decrypts the application security command data. The first application A001 decrypts the application security command data with the key K002.
Step S206: The first application A001 on the smart card sends the decrypted application security command data to the operating system on the smart card.
Step S207: The operating system on the smart card creates the new application A002 corresponding to the service provider.
Step S208: After the new application A002 has been created, the smart card receives the encrypted application initialization data that the service provider sends to the first application A001. The service provider encrypts the application initialization data with the key K002.
Step S209: The first application A001 on the smart card decrypts the application initialization data. The first application A001 decrypts the application initialization data with the key K002.
Step S210: The first application A001 on the smart card sends the decrypted application initialization data to the application A002 created by the service provider.
Step S211: The application A002 on the smart card carries out the initialization procedure according to the decrypted application initialization data.
Fig. 3 shows the flow of a preferred embodiment of the method of the present invention for initializing an application on a smart card over an untrusted communication channel. The service provider has already created a new application on the smart card; the embodiment shown in Fig. 3 is the process of initializing that already created application.
Step S300: The smart card records the first application A001 and the first key K001 written by a third-party institution. The third-party institution here is trusted by every service provider.
Step S301: The smart card receives the service provider number ID uploaded by the service provider (the service provider that needs to create the new application A002). The service provider number ID is unique to each service provider.
Step S302: The first application A001 on the smart card computes the key K002 belonging to the service provider from the service provider number ID and the first key K001 using an irreversible algorithm, and returns the key K002 to the service provider over a secure channel.
The irreversible algorithm is, for example, a sub-key diversification algorithm. It guarantees that no service provider can derive the first key, and that no service provider that knows another service provider's number ID can use its own service provider key and service provider number to compute the other service provider's key.
Step S303: The service provider and the first application A001 authenticate each other and establish a secure communication channel using the service provider key K002.
Step S304: For the new application A002 already created on the smart card, the smart card receives the encrypted application initialization data that the service provider sends to the first application A001. The service provider encrypts the application initialization data with the key K002.
Step S305: The first application A001 on the smart card decrypts the application initialization data. The first application A001 decrypts the application initialization data with the key K002.
Encryption and decryption use an existing algorithm, such as the 3DES algorithm commonly used in the financial industry at present, which is a strengthened encryption algorithm based on the U.S. Data Encryption Standard (DES).
Step S306: The first application A001 on the smart card sends the decrypted application initialization data to the application A002 created by the service provider.
Step S307: The application A002 on the smart card carries out the initialization procedure according to the decrypted application initialization data.
The above embodiments are provided to enable those of ordinary skill in the art to make or use the present invention. Those of ordinary skill in the art may make various modifications or changes to the above embodiments without departing from the inventive concept of the present invention; the scope of protection of the present invention is therefore not limited by the above embodiments, but should be the widest scope consistent with the inventive features set out in the claims.
Claims (5)
1. A method for installing an application on a smart card over an untrusted communication channel, in which a service provider installs its application on the smart card over the untrusted communication channel, the method comprising:
A. The smart card records a first application and a first key written by a third-party institution trusted by the service provider;
B. The smart card receives the service provider number uploaded by the service provider; the first application computes a service provider key from this number and the first key using an irreversible algorithm, and returns the service provider key to the service provider over a secure channel, so that no service provider can derive the first key, and no service provider that knows another service provider's number can use its own service provider key and service provider number to compute the other service provider's key;
C. The first application on the smart card and the service provider authenticate each other and establish a secure communication channel using the service provider key;
D. The smart card receives the encrypted application security command data that the service provider sends to the first application;
E. The first application on the smart card decrypts the application security command data and sends the decrypted application security command data to the operating system on the smart card;
F. The operating system on the smart card creates a new application corresponding to the service provider.
2. The method for installing an application on a smart card over an untrusted communication channel according to claim 1, characterized in that the method further comprises:
G. After the new application has been created, the smart card receives the encrypted application initialization data that the service provider sends to the first application;
H. The first application on the smart card decrypts the application initialization data and sends the decrypted application initialization data to the service provider's newly created application;
I. The service provider's new application on the smart card carries out the initialization procedure according to the decrypted application initialization data.
3. The method for installing an application on a smart card over an untrusted communication channel according to claim 1 or 2, characterized in that the irreversible algorithm is a sub-key diversification algorithm.
4. A method for initializing an application on a smart card over an untrusted communication channel, in which a service provider initializes, over the untrusted communication channel, an application present on the smart card, the method comprising:
A. The smart card records a first application and a first key written by a third-party institution trusted by the service provider;
B. The smart card receives the service provider number uploaded by the service provider; the first application computes a service provider key from this number and the first key using an irreversible algorithm, and returns the service provider key to the service provider over a secure channel, so that no service provider can derive the first key, and no service provider that knows another service provider's number can use its own service provider key and service provider number to compute the other service provider's key;
C. The first application on the smart card and the service provider authenticate each other and establish a secure communication channel using the service provider key;
D. The smart card receives the encrypted application initialization data that the service provider sends to the first application;
E. The first application on the smart card decrypts the application initialization data and sends the decrypted application initialization data to the service provider's application;
F. The service provider's application on the smart card carries out the initialization procedure according to the decrypted application initialization data.
5. The method for initializing an application on a smart card over an untrusted communication channel according to claim 4, characterized in that the irreversible algorithm is a sub-key diversification algorithm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710172089XA CN101459512B (en) | 2007-12-11 | 2007-12-11 | Method for smart card installation/initialization application through untrusted communication channel |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101459512A true CN101459512A (en) | 2009-06-17 |
CN101459512B CN101459512B (en) | 2010-11-10 |
Family
ID=40770157
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200710172089XA Expired - Fee Related CN101459512B (en) | 2007-12-11 | 2007-12-11 | Method for smart card installation/initialization application through untrusted communication channel |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101459512B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN101459512B (en) | 2010-11-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20101110 Termination date: 20181211 |