CN101789068A - Card reader safety certification device and method - Google Patents

Card reader safety certification device and method Download PDF

Info

Publication number
CN101789068A
CN101789068A CN200910105232A CN200910105232A CN101789068A CN 101789068 A CN101789068 A CN 101789068A CN 200910105232 A CN200910105232 A CN 200910105232A CN 200910105232 A CN200910105232 A CN 200910105232A CN 101789068 A CN101789068 A CN 101789068A
Authority
CN
China
Prior art keywords
card reader
terminal
authentication
session
signal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200910105232A
Other languages
Chinese (zh)
Other versions
CN101789068B (en
Inventor
蔡丽金
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Jingfeng Huida Science & Technology Co Ltd
Original Assignee
Shenzhen Jingfeng Huida Science & Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Jingfeng Huida Science & Technology Co Ltd filed Critical Shenzhen Jingfeng Huida Science & Technology Co Ltd
Priority to CN2009101052322A priority Critical patent/CN101789068B/en
Publication of CN101789068A publication Critical patent/CN101789068A/en
Application granted granted Critical
Publication of CN101789068B publication Critical patent/CN101789068B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The invention discloses a card reader and card reader safety certification method, device and system belonging to the field of data safety. The card reader comprises a data transmission module and a safety certification module, wherein the data transmission module carries out data transmission with a terminal and/or an external card and sets a data encryption algorithm and a certification algorithm for certification; and the safety certification module is connected and communicated with the data transmission module and the terminal and sets the data encryption algorithm and the certification algorithm for certification with the data transmission module and/or the terminal. The card reader safety certification method, device and system enhance the safety of communication and the reliability of the card reader through the certification before a conversation and enhance the confidentiality of data through the encryption during the conversation.

Description

Card reader safety certification device and method
Technical field
The present invention relates to the data security field, specially refer to card reader, card reader safety certification method, Apparatus and system.
Background technology
Card reader is the equipment that can carry out exchanges data with smart card, storage card or other types card.Described card reader is connected to PC by USB or other serial ports, can and PC between carry out exchanges data, but receive and send the data communication agreement that data all need to follow described card reader.
Card reader is a data transmission communication module, be responsible for receiving data by certain data communication protocol format from terminal (for example PC or other electronic equipments), and, be transmitted to described card after the reorganization data with the data communication protocol format that these data can receive according to the card that is connected with card reader; Otherwise, receive the data communication protocol format that can receive according to terminal device after the data from card, return to terminal after reorganizing data.
Present card reader has the deficiency of following aspect: between terminal and the card reader, do not pass through encryption according to the data of data communication protocol transmission, data are intercepted easily; Terminal and card reader are carried out before the exchanges data, need not to carry out any authentication each other, can not guarantee the security of exchanges data.
Summary of the invention
One of purpose of the present invention has promoted the reliability and the safety of data transmission of card reader for a kind of card reader, card reader safety certification method, Apparatus and system are provided.
The present invention proposes a kind of card reader, and described card reader comprises:
Data transmission module carries out data transmission with terminal and/or add-on card; Data encryption algorithm and identifying algorithm are set, authenticate;
Security authentication module is connected communication with data transmission module with terminal, data encryption algorithm and identifying algorithm are set, and authenticates with data transmission module and/or terminal.
Preferably, described data transmission module comprises:
Send receiving element, send and receive the authentication signal that utilizes data encryption algorithm ciphered data signal and utilize identifying algorithm to encrypt;
The Card Reader authentication ' unit authenticates authentication signal decrypted authentication after receiving and generation authentication signal for security authentication module.
Preferably, described security authentication module comprises:
Signal receiving unit receives the authentication signal that data transmission module and/or terminal are utilized data encryption algorithm ciphered data signal and/or utilized identifying algorithm to encrypt;
Encryption and decryption/authentication ' unit with described authentication signal decrypted authentication, and can utilize identifying algorithm encrypting and authenticating signal to authenticate for data transmission module and/or terminal;
The unit is set up in session, behind authentication success, receives authenticate-acknowledge, sets up the session between data transmission module and the terminal, and the generation session information sends described terminal to.
Preferably, described session information comprises Session ID and session key.
Preferably, described security authentication module also comprises the key generation unit, produces session key, encryption session according to described Session ID.
Preferably, described encryption and decryption/authentication ' unit comprises that also the data that send described card reader to terminal encrypt and/or utilize session key to send the data decryption of card reader to terminal.
The present invention also proposes a kind of card reader safety certification system, and the reading card device authenticates with the communication between terminals that is connected communication with it, and described system comprises:
Card reader and terminal, the authentication signal that transmission and reception utilize identifying algorithm to encrypt, and the authentication signal decrypted authentication after will receiving;
Security authentication module is connected communication with card reader with terminal, receive the authentication signal that card reader and/or terminal utilize identifying algorithm to encrypt; With described authentication signal decrypted authentication; And can utilize identifying algorithm encrypting and authenticating signal to authenticate for card reader and/or terminal;
Behind the authentication success, set up the session between card reader and the terminal, and the generation session information sends described terminal to.
The present invention also proposes a kind of card reader safety certification method, and the reading card device authenticates with the communication between terminals that is connected communication with it, comprises step:
Utilize identifying algorithm encrypting and authenticating signal to authenticate for card reader and/or terminal;
Receive the authentication signal that card reader and/or terminal utilize identifying algorithm to encrypt;
With described authentication signal deciphering back authentication;
Behind the authentication success, set up the session between card reader and the terminal, and the generation session information sends described terminal to.
Preferably, behind the described authentication success, set up the session between card reader and the terminal, and produce the step that session information sends described terminal to and also comprise step:
Produce session key, encryption session according to described Session ID.
The present invention also proposes a kind of card reader safety certification device, is connected communication with card reader and/or terminal, and described device comprises:
Signal receiving unit receives the authentication signal that card reader and/or terminal utilize identifying algorithm to encrypt;
Encryption and decryption/authentication ' unit with described authentication signal deciphering back authentication, and can utilize identifying algorithm encrypting and authenticating signal to authenticate for card reader and/or terminal;
The unit is set up in session, behind authentication success, sets up the session between card reader and the terminal, and the generation session information sends described terminal to.
Card reader of the present invention, card reader safety certification method, Apparatus and system by the authentication before the session, have strengthened the security of communication and the reliability of card reader; By the encryption in the session, strengthen the confidentiality of data.
Description of drawings
Fig. 1 is the structural representation of first embodiment of the invention card reader;
Fig. 2 is the structural representation of second embodiment of the invention card reader;
Fig. 3 is the structural representation of third embodiment of the invention card reader;
Fig. 4 is the structural representation of fourth embodiment of the invention card reader safety certification system;
Fig. 5 is the workflow synoptic diagram of fifth embodiment of the invention card reader safety certification method;
Fig. 6 is the workflow synoptic diagram of sixth embodiment of the invention card reader safety certification method;
Fig. 7 is the structural representation of seventh embodiment of the invention card reader safety certification device;
Fig. 8 is another structural representation of seventh embodiment of the invention card reader safety certification device.
The realization of the object of the invention, functional characteristics and advantage will be in conjunction with the embodiments, are described further with reference to accompanying drawing.
Embodiment
The invention provides a kind of card reader, card reader safety certification method, Apparatus and system, card reader and with terminal that card reader is connected between, set up the session communication that needs by authentication, and encryption session communication, protected data; And card reader inside need authenticate, and guarantees that card reader can be by not counterfeit.
With reference to Fig. 1, first embodiment of the invention proposes a kind of card reader, and it comprises data transmission module 21 and security authentication module 22.
Described data transmission module 21 carries out data transmission with terminal 30 and/or add-on card 10; Data encryption algorithm and identifying algorithm are set, carry out data encryption and authentication; Described terminal 30 can be PC or other electronic equipments; Described add-on card 10 can be the card that smart card, storage card or other types can be carried out exchanges data.
Described security authentication module 22 is connected communication with data transmission module 21 with terminal 30, and data encryption algorithm and identifying algorithm are set, and authenticates with data transmission module 21 and/or terminal 30.
Described data transmission module 21 and terminal 30 in the time of need carrying out session, can be initiated authentication, after data being utilized identifying algorithm encrypt, send described security authentication module 22 to; Utilize identifying algorithm deciphering back authentication through described security authentication module 22, and form authentication signal after the information of utilizing identifying algorithm encrypted data transmission module 21 or terminal 30 to send into, return to described data transmission module 21 or terminal 30 respectively; Described data transmission module 21 and terminal 30 authenticate by deciphering, confirm that deciphering back data are to encrypt the data that send, then authentication success when initiating authentication.
Present embodiment by the authentication before the session, has strengthened the security of communication; Simultaneously, the described data transmission module 21 of card reader and the authentication between the described security authentication module 22 make the described data transmission module 21 and described security authentication module 22 of card reader can not be strengthened the reliability of card reader by counterfeit.
With reference to Fig. 2, second embodiment of the invention proposes a kind of card reader based on first embodiment, and it comprises data transmission module 21 and security authentication module 22.
Described data transmission module 21 comprises transmission receiving element 211 and Card Reader authentication ' unit 212, and described transmission receiving element 211 sends and receives and utilizes identifying algorithm to encrypt the authentication signal that produces; Described Card Reader authentication ' unit 212 is with authentication signal deciphering and the authentication after receiving.
Described security authentication module 22 comprises that signal receiving unit 221, encryption and decryption/authentication ' unit 222 and session set up unit 223, described authentication signal receiving element 221 receives data transmission module 21 and/or terminal 30 and utilizes identifying algorithm to encrypt the authentication signal that produces; Described encryption and decryption/authentication ' unit 222 with described authentication signal deciphering back authentication, sends data transmission module 21 to after the information of utilizing identifying algorithm encrypted data transmission module 21 or terminal 30 to send into again and/or terminal 30 authenticates; Unit 223 is set up in described session, behind authentication success, sets up the session between data transmission module 21 and the terminal 30, and the generation session information sends described terminal 30 to.
Described session information comprises Session ID and session key etc.; Described session key can be according to generations such as described Session IDs.
Described Session ID can carry out unique identification to session.
The present embodiment data encryption algorithm can be a symmetry algorithm; Identifying algorithm can be an asymmetric arithmetic etc.; Described authentication signal can be a random number, and described random number is to be produced by the authenticator; Described authenticator can be data transmission module 21 and terminal 30 and security authentication module 22 etc.
Owing to comprise PKI and private key in the asymmetric arithmetic, therefore, in the present embodiment, Card Reader private key and authentication PKI be set in the described data transmission module 21; Terminal secret key and authentication PKI are set in the described terminal 30; Authentication private key, Card Reader PKI and terminal public key are set in the described security authentication module 22.
Described data transmission module 21, can initiate authentication, it can be to security authentication module 22 requests one safety certification random number, and self generate a Card Reader random number, the Card Reader private key that utilizes Card Reader authentication ' unit 212 with described safety certification random number and card reader random number encryption after, use to send receiving element 211 and send described security authentication module 22 to; The random number that described security authentication module 22 receives after encrypting by signal receiving unit 221, after utilizing the Card Reader PKI deciphering of encryption and decryption/authentication ' unit 222, the safety certification random number and the security authentication module 22 inner original random number of preserving that obtain after the deciphering are compared, two random number then authentification failures inequality, refusal continues communication; Two random numbers are identical, then re-use the authentication encrypted private key Card Reader random number of encryption and decryption/authentication ' unit 222 after, return to described data transmission module 21; Card Reader random number after described data transmission module 21 obtains deciphering by authentication PKI deciphering, with the Card Reader random number that obtains after the deciphering and inner original random number of preserving relatively, two random numbers are inequality, authentification failure then, refusal continues communication, and two random numbers are identical, then authentication success.Can improve the security of data transmission module 21 and security authentication module 22 by authentication, and can be used as hardware security identification between the two.
Described terminal 30, can initiate authentication, it can ask a safety certification random number to security authentication module 22, and generates a terminal random number, after utilizing terminal secret key with described safety certification random number and terminal random number encryption, send described security authentication module 22 to; The random number that described security authentication module 22 receives after encrypting by signal receiving unit 221, utilize the terminal public key deciphering of encryption and decryption/authentication ' unit 222, safety certification random number after obtaining deciphering, safety certification random number after the deciphering and inner original random number of preserving are compared, two random numbers are inequality, then authentification failure refuses to continue communication; Two random numbers are identical, authentication success then, utilize session to set up unit 223 and generate Session ID, and according to Session ID generation session key, use terminal public key encryption session identifier and session key to form encryption session information, after re-using the authentication encrypted private key terminal random number of encryption and decryption/authentication ' unit 222, described encryption session information and encryption terminal random number are returned to described terminal 30; Terminal random number after described terminal 30 obtains deciphering after by authentication PKI enabling decryption of encrypted terminal random number, terminal random number after the deciphering and inner original random number of preserving are compared, two random numbers are inequality, authentification failure then, refusal continues communication, and two random numbers are identical, authentication success, obtain Session ID and session key with the terminal secret key deciphering, thereby set up the session between data transmission module 21 and the terminal 30.Can improve data transmission module 21 and terminal 30 security of conversation by authentication.
Present embodiment authenticates by using asymmetric arithmetic, makes that authentication is more safe and reliable.
With reference to Fig. 3, third embodiment of the invention proposes a kind of card reader based on second embodiment, wherein, described security authentication module 22 also comprises the key generation unit, produce session key according to described Session ID, utilize described asymmetric arithmetic to encrypt and send described terminal 30, encryption session to.
Described key generation unit 224, when powering on, produce the root key of a random number as session key, and the session number is set to an initial value at random, when terminal 30 is applied for session at every turn, session number increases one automatically, and will increase session number after one as the Session ID of terminal 30, utilize the root key of session key that Session ID is disperseed to arrive the session key, decentralized algorithm is a symmetry algorithm, utilize the terminal public key of described encryption and decryption/authentication ' unit 222, described Session ID and session key are sent to described terminal 30.
Described encryption and decryption/authentication ' unit 222 comprises that also the data that send described card reader to terminal 30 encrypt and/or utilize session key to send the data decryption of card reader to terminal 30.
Described data transmission module 21 can also be after passing through with the authentication of described security authentication module 22, to the described session key of described security authentication module 22 applications; Described security authentication module 22 is session identifier and session key, sends to described data transmission module 21 after utilizing the Card Reader public key encryption.
Described data transmission module 21 will import described session key, if import successfully, will use described session key and described terminal 30 to carry out the ciphered data exchange; The data that will read from described add-on card 10 after described session key, send described terminal 30 to, and the data that transmit of receiving terminal 30, utilize described session key deciphering after, send add-on card 10 to and store; Get nowhere if import, then carry out encryption and decryption by described security authentication module 22.
Described terminal 30 after the Session ID that receives described encryption and session key and deciphering, also can use described session key that data are carried out encryption and decryption, carries out the ciphered data exchange with described data transmission module 21.
Because the session difference, Session ID will change, and cause session key to change, and the possibility that makes session key be decrypted reduces, and has increased safety of data transmission.
The described security authentication module 22 of present embodiment can be the terminal security access module (Purchase SecureAccess Module, PSAM).
The all right external radio-frequency modules of the described card reader of present embodiment etc. carry out wireless data exchange with described add-on card 10.
The described card reader of present embodiment by authentication and encryption, improves the reliability and the safety of data transmission of hardware.
With reference to Fig. 4, fourth embodiment of the invention proposes a kind of card reader safety certification system, and reading card device and the communication that is connected with it between terminal 30 of communication authenticate, and described system comprises:
Card reader 40 and terminal 30 send and receive and utilize identifying algorithm to encrypt the authentication signal that produces, and the authentication signal decrypted authentication of the encryption after will receiving; Described terminal 30 can be PC or other electronic equipments; Described authentication signal can be a random number that is produced by security authentication module 22.
Security authentication module 22 is connected communication with card reader 40 with terminal 30, receives card reader 40 and/or terminal 30 and utilizes identifying algorithm to encrypt the authentication signal that produces;
With described authentication signal decrypted authentication, utilize identifying algorithm to encrypt again to send card reader 40 to after the information that card reader 40 and/or terminal 30 send into and/or terminal 30 authenticates;
Behind authentication success, set up the session between card reader 40 and the terminal 30, and the generation session information sends described terminal 30 to.
Described session information comprises Session ID and session key etc.; Described session key can be according to generations such as described Session IDs.
Described Session ID can carry out unique identification to session.
The present embodiment data encryption algorithm can be a symmetry algorithm; Identifying algorithm can be an asymmetric arithmetic etc.; Described authentication signal can be a random number, and described random number is to be produced by the authenticator; Described authenticator can be card reader 40 and terminal 30 etc.
Owing to comprise PKI and private key in the asymmetric arithmetic, therefore, in the present embodiment, Card Reader private key and authentication PKI be set in the described card reader 40; Terminal secret key and authentication PKI are set in the described terminal 30; Authentication private key, Card Reader PKI and terminal public key are set in the described security authentication module 22.
Described card reader 40, can initiate authentication, it can ask a safety certification random number to security authentication module 22, and produces a Card Reader random number, after utilizing the Card Reader private key with described safety certification random number and the encryption of card reader machine number, send described security authentication module 22 to; The safety certification random number that described security authentication module 22 receives after encrypting is utilized the deciphering of Card Reader PKI, the safety certification random number after obtaining deciphering, and the original random number of preserving with inside relatively, two random numbers are inequality, and then authentification failure refuses to continue communication; Two random numbers are identical, authentication success then, re-use authentication encrypted private key Card Reader random number after, return to described card reader 40; Described card reader 40 authenticates by the deciphering of authentication PKI, confirms that the data that obtain after the deciphering are the Card Reader random number that card reader produces, then authentication success.Can improve card reader 40 and terminal 30 security of conversation by authentication, and can discern by reading card device 40.
Described terminal 30, can initiate authentication, it can ask a safety certification random number to security authentication module 22, and produces a terminal random number, after utilizing terminal secret key with described safety certification random number and terminal random number encryption, send described security authentication module 22 to; The authentication signal that described security authentication module 22 receives after encrypting utilizes the terminal public key deciphering, the safety certification random number after obtaining deciphering, and the original random number of preserving with inside is relatively, and two random numbers are inequality, authentification failure then, refusal continues communication; Two random numbers are identical, and then authentication success generates Session ID and session key, re-use authentication encrypted private key terminal random number, behind terminal public key encryption session identifier and session key, return to described terminal 30; Terminal random number after described terminal 30 obtains deciphering by the deciphering of authentication PKI relatively authenticates with inner original terminal random number of preserving, confirm that the terminal random number after the deciphering is the original terminal random number that generates when initiating authentication, authentication success then, obtain Session ID and session key with the terminal secret key deciphering, thereby set up the session between card reader 40 and the terminal 30.Can improve card reader 40 and terminal 30 security of conversation by authentication.
Described security authentication module 22 can also utilize described encryption and decryption/authentication ' unit 222 to generate Session ID, and with session root key (random number that generates when powering on) Session ID be disperseed to produce session key.The terminal public key that uses encryption and decryption/authentication ' unit 222 sends to described terminal 30 after to Session ID and session key.
Described card reader 40 can also be after passing through with the authentication of described security authentication module 22, to the described session key of described security authentication module 22 applications; Described security authentication module 22 is session identifier and session key, sends to described card reader 40 after utilizing the Card Reader public key encryption.
Described card reader 40 will import described session key, if import successfully, will use described session key and described terminal 30 to carry out the ciphered data exchange; The data that will read from described add-on card 10 after described session key, send described terminal 30 to, and the data that transmit of receiving terminal 30, utilize described session key deciphering after, send add-on card 10 to and store; Get nowhere if import, then transmit data encrypting and deciphering by described security authentication module 22.
Described terminal 30 after the Session ID that receives described encryption and session key and deciphering, also can use described session key that data are transmitted data encrypting and deciphering, carries out the ciphered data exchange with described card reader 40.
Because the session difference, Session ID will change, and cause session key to change, and the possibility that makes session key be decrypted reduces, and has increased safety of data transmission.
The described security authentication module 22 of present embodiment can be the terminal security access module.
The described card reader safety certification of present embodiment system by authentication and encryption, improves the reliability and the safety of data transmission of hardware.
With reference to Fig. 5, fifth embodiment of the invention proposes a kind of card reader safety certification method, and reading card device 40 and the communication that is connected with it between terminal 30 of communication authenticate, and comprise step:
S10, utilize identifying algorithm encrypting and authenticating signal to authenticate for card reader and/or terminal;
The authentication signal that S11, reception card reader 40 and/or terminal 30 utilize cryptographic algorithm to encrypt;
S12, with described authentication signal deciphering back authentication;
Behind S13, the authentication success, set up the session between card reader 40 and the terminal 30, and the generation session information sends described terminal 30 to.
Present embodiment, described terminal 30 can be PC or other electronic equipments; Described authentication signal can be a random number; Described Session ID can carry out unique identification to session; Described cryptographic algorithm can be an asymmetric arithmetic etc.Owing to comprise PKI and private key in the asymmetric arithmetic, therefore, in the present embodiment, be provided with Card Reader private key and Card Reader PKI, terminal secret key and terminal public key and authentication private key and authentication PKI; Card Reader private key and authentication PKI are set in the described card reader 40; Terminal secret key and authentication PKI are set in the described terminal 30.
As described in step S10, the session between card reader 40 and terminal 30 need authenticate earlier before setting up; In the present embodiment, authentication also can realize by security authentication module 22 is set, at first, by card reader 40 and/or terminal 30 to security authentication module 22 request authentication; Then, security authentication module 22 returns the safety certification random number and gives card reader 40 and/or terminal 30.
As described in step S11, card reader 40 and/or terminal 30 produce Card Reader random number and/or terminal random number, and safety certification random number and Card Reader random number and/or terminal random number encryption are formed the encrypting and authenticating signal, and send authentication signal to security authentication module 22 with Card Reader private key and/or terminal secret key;
As described in step S12, after security authentication module 22 receives the authentication signal of encryption, with card reader PKI and/or terminal public key decrypted authentication signal, the safety certification random number after obtaining deciphering, Card Reader random number and/or terminal random number.
Whether the safety certification random number after described security authentication module 22 is relatively deciphered is identical, inequality with inner original safety certification random number of preserving, and then authentification failure is identical, authentication success.
As described in step S13, if the authentication of terminal 30 requests, then security authentication module 22 produces session information, and send terminal 30 to terminal public key encryption session information, simultaneously, utilize authentication encrypted private key terminal random number to form authentication signal, send terminal 30 to and authenticate; If card reader 40 request authentication, then security authentication module 22 utilizes authentication encrypted private key Card Reader random numbers to form authentication signals, and sends card reader 40 to and authenticate.
After card reader 40 and/or terminal 30 receive authentication signal, Card Reader random number and/or terminal random number after obtaining deciphering with authentication PKI decrypted authentication signal earlier, and whether the random number after relatively deciphering is identical with the original random number of preservation, if it is inequality, authentification failure, then refusal continues communication; If identical, authentication success, session is set up; If terminal 30 then obtains session information with the terminal secret key deciphering.
Terminal 30 is when setting up session, can also produce a public private key pair at random, and PKI passed to security authentication module 22, security authentication module 22 is behind authentication success, the ephemeral terminations public key encryption session information that utilizes transmission to come in is returned to terminal 30, and terminal 30 utilizes the deciphering of ephemeral terminations private key to obtain session information again.
Described session information comprises Session ID and session key etc.; Described session key can be according to generations such as described Session IDs.
The described card reader safety certification method of present embodiment by the authentication before the session, has strengthened the security of communication, and can discern by reading card device 40, prevents that card reader 40 from being palmed off.
With reference to Fig. 6, sixth embodiment of the invention proposes a kind of card reader safety certification method based on the 5th embodiment, also comprises step:
S130, produce session key, utilize described identifying algorithm to encrypt and send described terminal, encryption session to according to described Session ID.
As described in step S130, security authentication module 22 generate when powering on a random number as session root key and a random number as the Session ID initial value;
Terminal 30 each application authentications, and on the basis of security authentication module 22 authentication terminals 30 successes, the Session ID initial value increases one, and will increase Session ID initial value after one, and use the session root key to disperse Session ID to obtain session key with symmetry algorithm as the Session ID of this session.
Described card reader 40 will use described session key and described terminal 30 to carry out the ciphered data exchange; The data that will read from described add-on card 10 after described session key, send described terminal 30 to, and the data that transmit of receiving terminal 30, utilize described session key deciphering after, send add-on card 10 to and store.
Described terminal 30 also can use described session key that data are carried out encryption and decryption, carries out the ciphered data exchange with described card reader 40.
Because the session difference, Session ID will change, and cause session key to change, and the possibility that makes session key be decrypted reduces, and has increased safety of data transmission.
The described card reader safety certification method of present embodiment by authentication and encryption, improves the reliability and the safety of data transmission of hardware.
With reference to Fig. 7, seventh embodiment of the invention proposes a kind of card reader safety certification device 50, is connected communication with card reader 40 and/or terminal 30, and described card reader safety certification device 50 comprises:
Signal receiving unit 221 receives the authentication signal that card reader 40 and/or terminal 30 utilize identifying algorithm to encrypt;
Encryption and decryption/authentication ' unit 222 with described authentication signal decrypted authentication, is utilized identifying algorithm to encrypt to send card reader 40 to after the information that card reader 40 and/or terminal 30 send into and/or terminal 30 authenticates again;
Unit 223 is set up in session, behind authentication success, sets up the session between card reader 40 and the terminal 30, and the generation session information sends described terminal 30 to.
Described session information comprises Session ID and session key etc.; Described session key can be according to generations such as described Session IDs.
Described encryption and decryption/authentication ' unit 222 comprises that also the data that send described card reader 40 to terminal 30 encrypt and/or utilize session key to send the data decryption of card reader 40 to terminal 30.
Present embodiment, described terminal 30 can be PC or other electronic equipments; Described authentication signal can be a random number that is produced by card reader safety certification device 50; Described Session ID can carry out unique identification to session; Described identifying algorithm can be an asymmetric arithmetic etc.Owing to comprise PKI and private key in the asymmetric arithmetic, therefore, in the present embodiment, Card Reader private key and authentication PKI be set in the described card reader 40; Terminal secret key and authentication PKI are set in the described terminal 30; Authentication private key, Card Reader PKI and terminal public key are set in described encryption and decryption/authentication ' unit 222.
Described card reader 40 can be initiated authentication, and it can be to described card reader safety certification device 50 requests one safety certification random number, and produces a Card Reader random number, sends after utilizing the Card Reader private key with described safety certification random number and Card Reader random number encryption; The authentication signal that described signal receiving unit 221 receives after encrypting, utilize the Card Reader PKI deciphering of encryption and decryption/authentication ' unit 222 and obtain deciphering after safety certification random number and Card Reader random number, and whether the safety certification random number after relatively deciphering is identical with inner original safety certification random number of preserving, if it is inequality, then authentification failure refuses to continue communication; If identical, authentication success then, re-use the authentication encrypted private key Card Reader random number of encryption and decryption/authentication ' unit 222 after, return to described card reader 40; Described card reader 40 authenticates by the deciphering of authentication PKI, confirms that deciphering back data are the Card Reader random numbers that generate when initiating authentication, and then authentication success sends authenticate-acknowledge to described signal receiving unit 221.Can improve card reader 40 and terminal 30 security of conversation by authentication, and can discern by reading card device 40.
Described terminal 30 can be initiated authentication, and it can be to described card reader safety certification device 50 requests one safety certification random number, and produces a terminal random number, sends after utilizing terminal secret key with described safety certification random number and terminal random number encryption; The authentication signal that described signal receiving unit 221 receives after encrypting, utilize safety certification random number and terminal random number after obtaining deciphering after the terminal public key deciphering of encryption and decryption/authentication ' unit 222, and whether the safety certification random number after relatively deciphering is identical with inner original random number of preserving, if it is inequality, then authentification failure refuses to continue communication; If it is identical, authentication success then, utilize session to set up the unit and generate Session ID and session key, form the encrypting and authenticating signal after re-using the authentication encrypted private key terminal random number of encryption and decryption/authentication ' unit 222, use terminal public key encryption session identifier and session key to form encryption session information, encrypting and authenticating signal and encryption session information are returned to described terminal 30; Described terminal 30 authenticates by the deciphering of authentication PKI, confirm that deciphering back data are the terminal random numbers that produce when initiating authentication, authentication success then, utilize terminal secret key enabling decryption of encrypted session information to obtain Session ID and session key again, thereby set up the session between card reader 40 and the terminal 30.Can improve card reader 40 and terminal 30 security of conversation by authentication.
With reference to Fig. 8, described card reader safety certification device 50 also comprises key generation unit 224, a random number that produces in the time of can utilizing security authentication module to power on as session root key and another one random number as the Session ID initial value, the Session ID initial value increases one during each session application, and will increase Session ID initial value after one as the Session ID of this session, disperse Session ID to obtain session key with the session root key, the terminal public key that uses encryption and decryption/authentication ' unit 222 sends to described terminal 30 after to Session ID and session key.
If described card reader 40 will import described session key success, will use described session key and described terminal 30 to carry out the ciphered data exchange; The data that will read from described add-on card 10 after described session key, send described terminal 30 to, and the data that transmit of receiving terminal 30, utilize described session key deciphering after, send add-on card 10 to and store; Get nowhere if import, then carry out data encrypting and deciphering by described encryption and decryption/authentication ' unit 222.
Described terminal 30 after the Session ID that receives described encryption and session key and deciphering, also can use described session key that data are carried out encryption and decryption, carries out the ciphered data exchange with described card reader 40.
Because the session difference, Session ID will change, and cause session key to change, and the possibility that makes session key be decrypted reduces, and has increased safety of data transmission.
The described card reader safety certification device 50 of present embodiment can be the terminal security access module.
The described card reader safety certification device 50 of present embodiment by authentication and encryption, improves the reliability and the safety of data transmission of hardware.
The above only is the preferred embodiments of the present invention; be not so limit claim of the present invention; every equivalent structure or equivalent flow process conversion that utilizes instructions of the present invention and accompanying drawing content to be done; or directly or indirectly be used in other relevant technical fields, all in like manner be included in the scope of patent protection of the present invention.

Claims (11)

1. a card reader is characterized in that, described card reader comprises:
Data transmission module carries out data transmission with terminal and/or add-on card; Data encryption algorithm and identifying algorithm are set, authenticate;
Security authentication module is connected communication with data transmission module with terminal, data encryption algorithm and identifying algorithm are set, and authenticates with data transmission module and/or terminal.
2. card reader according to claim 1 is characterized in that, described data transmission module comprises:
Send receiving element, send and receive the authentication signal that utilizes data encryption algorithm ciphered data signal and utilize identifying algorithm to encrypt;
The Card Reader authentication ' unit authenticates authentication signal decrypted authentication after receiving and generation authentication signal for security authentication module.
3. card reader according to claim 1 is characterized in that, described security authentication module comprises:
Signal receiving unit receives the authentication signal that data transmission module and/or terminal are utilized data encryption algorithm ciphered data signal and/or utilized identifying algorithm to encrypt;
Encryption and decryption/authentication ' unit with described authentication signal decrypted authentication, and can utilize identifying algorithm encrypting and authenticating signal to authenticate for data transmission module and/or terminal;
The unit is set up in session, behind authentication success, receives authenticate-acknowledge, sets up the session between data transmission module and the terminal, and the generation session information sends described terminal to.
4. card reader according to claim 3 is characterized in that:
Described session information comprises Session ID and session key.
5. card reader according to claim 4 is characterized in that:
Described security authentication module also comprises the key generation unit, produces session key, encryption session according to described Session ID.
6. card reader according to claim 5 is characterized in that:
Described encryption and decryption/authentication ' unit comprises that also the data that send described card reader to terminal encrypt and/or utilize session key to send the data decryption of card reader to terminal.
7. according to any described card reader in the claim 1 to 6, it is characterized in that:
Described data encryption algorithm is a symmetry algorithm, and described identifying algorithm is an asymmetric arithmetic.
8. a card reader safety certification system is characterized in that, the reading card device authenticates with the communication between terminals that is connected communication with it, and described system comprises:
Card reader and terminal, the authentication signal that transmission and reception utilize identifying algorithm to encrypt, and the authentication signal decrypted authentication after will receiving;
Security authentication module is connected communication with card reader with terminal, receive the authentication signal that card reader and/or terminal utilize identifying algorithm to encrypt; With described authentication signal decrypted authentication; And can utilize identifying algorithm encrypting and authenticating signal to authenticate for card reader and/or terminal;
Behind the authentication success, set up the session between card reader and the terminal, and the generation session information sends described terminal to.
9. a card reader safety certification method is characterized in that, the reading card device authenticates with the communication between terminals that is connected communication with it, comprises step:
Utilize identifying algorithm encrypting and authenticating signal to authenticate for card reader and/or terminal;
Receive the authentication signal that card reader and/or terminal utilize identifying algorithm to encrypt;
With described authentication signal deciphering back authentication;
Behind the authentication success, set up the session between card reader and the terminal, and the generation session information sends described terminal to.
10. card reader safety certification method according to claim 9 is characterized in that, behind the described authentication success, sets up the session between card reader and the terminal, and produce that session information sends described end step to also comprise step:
Produce session key, encryption session according to described Session ID.
11. a card reader safety certification device is characterized in that, is connected communication with card reader and/or terminal, described device comprises:
Signal receiving unit receives the authentication signal that card reader and/or terminal utilize identifying algorithm to encrypt;
Encryption and decryption/authentication ' unit with described authentication signal deciphering back authentication, and can utilize identifying algorithm encrypting and authenticating signal to authenticate for card reader and/or terminal;
The unit is set up in session, behind authentication success, sets up the session between card reader and the terminal, and the generation session information sends described terminal to.
CN2009101052322A 2009-01-22 2009-01-22 Card reader safety certification device and method Expired - Fee Related CN101789068B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101052322A CN101789068B (en) 2009-01-22 2009-01-22 Card reader safety certification device and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009101052322A CN101789068B (en) 2009-01-22 2009-01-22 Card reader safety certification device and method

Publications (2)

Publication Number Publication Date
CN101789068A true CN101789068A (en) 2010-07-28
CN101789068B CN101789068B (en) 2012-11-07

Family

ID=42532274

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009101052322A Expired - Fee Related CN101789068B (en) 2009-01-22 2009-01-22 Card reader safety certification device and method

Country Status (1)

Country Link
CN (1) CN101789068B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102201070A (en) * 2011-04-15 2011-09-28 东莞广州中医药大学中医药数理工程研究院 Integrated card, card reader and combination of integrated card and card reader
CN102542130A (en) * 2010-12-09 2012-07-04 东莞广州中医药大学中医药数理工程研究院 Hierarchical authorization private personal health record card and card reading device
CN104573467A (en) * 2015-01-24 2015-04-29 浙江远望软件有限公司 File storage and access method allowing card reader to accept user's validations directly
CN104573591A (en) * 2015-01-05 2015-04-29 飞天诚信科技股份有限公司 Safe card reader and working method thereof
CN106022140A (en) * 2016-04-18 2016-10-12 李明 Method and system for reading identity card
CN106022141A (en) * 2016-04-18 2016-10-12 李明 Identity card reading method and identity card card-reading terminal
CN106845300A (en) * 2016-12-02 2017-06-13 北京握奇智能科技有限公司 A kind of secure readers and safe card reading method
CN107623914A (en) * 2017-08-21 2018-01-23 上海源岷投资管理有限公司 A kind of security certification system for rural biogas data collection station
CN108683674A (en) * 2018-05-22 2018-10-19 深圳中泰智丰物联网科技有限公司 Verification method, device, terminal and the computer readable storage medium of door lock communication

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1303197A (en) * 1999-11-02 2001-07-11 赵敏 Security data transmission system
CN2473675Y (en) * 2000-12-21 2002-01-23 孙吉平 Device for identifying IC intelligent card by common serial bus interface
CN1337803A (en) * 2001-07-03 2002-02-27 上海复旦微电子股份有限公司 Enciphering method and circuit for safe communication of IC card data
CN100345149C (en) * 2006-03-17 2007-10-24 清华大学 Enciphering authentication for radio-frequency recognition system
CN100405386C (en) * 2006-09-30 2008-07-23 华中科技大学 Safety identification method in radio frequency distinguishing system

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102542130A (en) * 2010-12-09 2012-07-04 东莞广州中医药大学中医药数理工程研究院 Hierarchical authorization private personal health record card and card reading device
CN102542130B (en) * 2010-12-09 2017-09-08 东莞广州中医药大学中医药数理工程研究院 One kind can hierarchical authorization private personal health record card and card reading device
CN102201070A (en) * 2011-04-15 2011-09-28 东莞广州中医药大学中医药数理工程研究院 Integrated card, card reader and combination of integrated card and card reader
CN104573591A (en) * 2015-01-05 2015-04-29 飞天诚信科技股份有限公司 Safe card reader and working method thereof
CN104573591B (en) * 2015-01-05 2017-11-28 飞天诚信科技股份有限公司 A kind of secure readers and its method of work
CN104573467A (en) * 2015-01-24 2015-04-29 浙江远望软件有限公司 File storage and access method allowing card reader to accept user's validations directly
CN106022140B (en) * 2016-04-18 2019-02-15 李明 Identity card read method and system
CN106022140A (en) * 2016-04-18 2016-10-12 李明 Method and system for reading identity card
CN106022141A (en) * 2016-04-18 2016-10-12 李明 Identity card reading method and identity card card-reading terminal
CN106022141B (en) * 2016-04-18 2019-02-15 李明 A kind of identity card read method and identity card card-reading terminal
CN106845300A (en) * 2016-12-02 2017-06-13 北京握奇智能科技有限公司 A kind of secure readers and safe card reading method
CN107623914A (en) * 2017-08-21 2018-01-23 上海源岷投资管理有限公司 A kind of security certification system for rural biogas data collection station
CN108683674A (en) * 2018-05-22 2018-10-19 深圳中泰智丰物联网科技有限公司 Verification method, device, terminal and the computer readable storage medium of door lock communication

Also Published As

Publication number Publication date
CN101789068B (en) 2012-11-07

Similar Documents

Publication Publication Date Title
CN101789068B (en) Card reader safety certification device and method
CN107896147B (en) Method and system for negotiating temporary session key based on national cryptographic algorithm
KR20200138108A (en) Apparatus and method for authenticating
CN102394749B (en) Line protection method, system, information safety equipment and application equipment for data transmission
CN103532713B (en) Sensor authentication and shared key production method and system and sensor
KR101468626B1 (en) System for paying card of smart phone using key exchange with van server
CN108243181A (en) A kind of car networking terminal, data ciphering method and car networking server
CN104704769A (en) A wireless communication system
CN101483654A (en) Method and system for implementing authentication and data safe transmission
CN102026180A (en) M2M transmission control method, device and system
CN104821933A (en) Device and method certificate generation
CN101964805B (en) Method, equipment and system for safely sending and receiving data
CN112351037B (en) Information processing method and device for secure communication
CN103905388A (en) Authentication method, authentication device, smart card, and server
CN101789863B (en) Safe data information transmission method
CN110020524A (en) A kind of mutual authentication method based on smart card
CN114765534B (en) Private key distribution system and method based on national secret identification cryptographic algorithm
CN114520976A (en) Authentication method and device for user identity identification card and nonvolatile storage medium
CN101895881A (en) Method for realizing GBA secret key and pluggable equipment of terminal
CN102082669A (en) Security certification method and device
KR102219086B1 (en) HMAC-based source authentication and secret key sharing method and system for Unnamed Aerial vehicle systems
CN107888376B (en) NFC authentication system based on quantum communication network
US9876774B2 (en) Communication security system and method
CN202918498U (en) SIM card adapter, mobile terminal and digital signature authentication system
US8953804B2 (en) Method for establishing a secure communication channel

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121107

Termination date: 20220122