CN101789068B - Card reader safety certification device and method - Google Patents

Card reader safety certification device and method

Info

Publication number: CN101789068B
Authority: CN (China)
Prior art keywords: authentication, terminal, card reader, session, signal
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2009101052322A
Other languages: Chinese (zh)
Other versions: CN101789068A (en)
Inventor: 蔡丽金
Current assignee: Shenzhen Jingfeng Huida Science & Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shenzhen Jingfeng Huida Science & Technology Co Ltd
Application filed by Shenzhen Jingfeng Huida Science & Technology Co Ltd
Priority: CN2009101052322A (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Publication of CN101789068A; application granted; publication of CN101789068B
Abstract

The invention discloses a card reader and a card reader security authentication method, apparatus and system, belonging to the field of data security. The card reader comprises a data transmission module and a security authentication module. The data transmission module transmits data to and from a terminal and/or an external card and is provided with a data encryption algorithm and an authentication algorithm for authentication; the security authentication module is connected to and communicates with the data transmission module and the terminal, and is provided with the data encryption algorithm and the authentication algorithm for authentication with the data transmission module and/or the terminal. The card reader security authentication method, apparatus and system strengthen the security of communication and the reliability of the card reader through authentication before a session, and strengthen the confidentiality of data through encryption during the session.

Description

Card reader safety certification device and method
Technical field
The present invention relates to the field of data security, and in particular to a card reader and a card reader security authentication method, apparatus and system.
Background art
A card reader is a device that exchanges data with a smart card, memory card or other type of card. The card reader is connected to a PC through USB or another serial port and can exchange data with the PC, but all data it receives and sends must follow the card reader's data communication protocol.
A card reader is a data transmission and communication module. It receives data from a terminal (for example a PC or another electronic device) in a given data communication protocol format, repackages the data into the protocol format accepted by the card connected to the card reader and forwards it to the card; conversely, after receiving data from the card, it repackages it into the protocol format accepted by the terminal device and returns it to the terminal.
Existing card readers have the following shortcomings: data transmitted between the terminal and the card reader under the data communication protocol is not encrypted, so it is easily intercepted; and the terminal and the card reader perform no mutual authentication before exchanging data, so the security of the data exchange cannot be guaranteed.
Summary of the invention
One object of the invention is to provide a card reader and a card reader security authentication method, apparatus and system that improve the reliability of the card reader and the security of data transmission.
The invention proposes a card reader comprising:
a data transmission module, which transmits data to and from a terminal and/or an external card, and is provided with a data encryption algorithm and an authentication algorithm for performing authentication;
a security authentication module, which is connected to and communicates with the data transmission module and the terminal, is provided with the data encryption algorithm and the authentication algorithm, and performs authentication with the data transmission module and/or the terminal.
Preferably, the data transmission module comprises:
a transmit/receive unit, which sends and receives data signals encrypted with the data encryption algorithm and authentication signals encrypted with the authentication algorithm;
a card reader authentication unit, which decrypts and verifies received authentication signals and generates authentication signals for the security authentication module to verify.
Preferably, the security authentication module comprises:
a signal receiving unit, which receives data signals encrypted with the data encryption algorithm and/or authentication signals encrypted with the authentication algorithm from the data transmission module and/or the terminal;
an encryption/decryption and authentication unit, which decrypts and verifies the authentication signal, and encrypts authentication signals with the authentication algorithm for the data transmission module and/or the terminal to verify;
a session establishment unit, which, after successful authentication, receives the authentication confirmation, establishes a session between the data transmission module and the terminal, generates session information and sends it to the terminal.
Preferably, the session information comprises a session identifier and a session key.
Preferably, the security authentication module further comprises a key generation unit, which generates the session key from the session identifier and encrypts the session.
Preferably, the encryption/decryption and authentication unit also encrypts data that the card reader sends to the terminal and/or uses the session key to decrypt data that the terminal sends to the card reader.
The invention also proposes a card reader security authentication system, in which a card reader performs authentication with a terminal it is connected to and communicates with. The system comprises:
a card reader and a terminal, which send and receive authentication signals encrypted with the authentication algorithm and decrypt and verify the authentication signals they receive;
a security authentication module, connected to and communicating with the card reader and the terminal, which receives authentication signals that the card reader and/or the terminal encrypted with the authentication algorithm, decrypts and verifies them, and encrypts authentication signals with the authentication algorithm for the card reader and/or the terminal to verify;
after successful authentication, the security authentication module establishes a session between the card reader and the terminal, generates session information and sends it to the terminal.
The invention also proposes a card reader security authentication method, in which a card reader performs authentication with a terminal it is connected to and communicates with, comprising the steps:
encrypting an authentication signal with the authentication algorithm for the card reader and/or the terminal to perform authentication;
receiving an authentication signal that the card reader and/or the terminal encrypted with the authentication algorithm;
decrypting the authentication signal and verifying it;
after successful authentication, establishing a session between the card reader and the terminal, generating session information and sending it to the terminal.
Preferably, the step of establishing a session between the card reader and the terminal after successful authentication, generating session information and sending it to the terminal further comprises the step:
generating a session key from the session identifier and encrypting the session.
The invention also proposes a card reader security authentication apparatus, connected to and communicating with a card reader and/or a terminal, comprising:
a signal receiving unit, which receives authentication signals that the card reader and/or the terminal encrypted with the authentication algorithm;
an encryption/decryption and authentication unit, which decrypts and verifies the authentication signal, and encrypts authentication signals with the authentication algorithm for the card reader and/or the terminal to verify;
a session establishment unit, which, after successful authentication, establishes a session between the card reader and the terminal, generates session information and sends it to the terminal.
The card reader and the card reader security authentication method, apparatus and system of the invention strengthen the security of communication and the reliability of the card reader through authentication before the session, and strengthen the confidentiality of data through encryption during the session.
Description of the drawings
Fig. 1 is a structural diagram of the card reader of the first embodiment of the invention;
Fig. 2 is a structural diagram of the card reader of the second embodiment of the invention;
Fig. 3 is a structural diagram of the card reader of the third embodiment of the invention;
Fig. 4 is a structural diagram of the card reader security authentication system of the fourth embodiment of the invention;
Fig. 5 is a workflow diagram of the card reader security authentication method of the fifth embodiment of the invention;
Fig. 6 is a workflow diagram of the card reader security authentication method of the sixth embodiment of the invention;
Fig. 7 is a structural diagram of the card reader security authentication apparatus of the seventh embodiment of the invention;
Fig. 8 is another structural diagram of the card reader security authentication apparatus of the seventh embodiment of the invention.
The realization of the objects, functional features and advantages of the invention will be further described with reference to the embodiments and the accompanying drawings.
Embodiments
The invention provides a card reader and a card reader security authentication method, apparatus and system. Between the card reader and the terminal connected to it, a session can only be established after authentication, and the session communication is encrypted to protect the data; authentication is also performed inside the card reader, to ensure that the card reader cannot be counterfeited.
With reference to Fig. 1, the first embodiment of the invention proposes a card reader comprising a data transmission module 21 and a security authentication module 22.
The data transmission module 21 transmits data to and from a terminal 30 and/or an external card 10, and is provided with a data encryption algorithm and an authentication algorithm for data encryption and authentication. The terminal 30 can be a PC or another electronic device; the external card 10 can be a smart card, memory card or any other type of card capable of exchanging data.
The security authentication module 22 is connected to and communicates with the data transmission module 21 and the terminal 30, is provided with the data encryption algorithm and the authentication algorithm, and performs authentication with the data transmission module 21 and/or the terminal 30.
When the data transmission module 21 and the terminal 30 need to start a session, either may initiate authentication: it encrypts data with the authentication algorithm and sends it to the security authentication module 22; the security authentication module 22 decrypts with the authentication algorithm and verifies it, then encrypts with the authentication algorithm the information that the data transmission module 21 or the terminal 30 sent in, forms an authentication signal and returns it to the data transmission module 21 or the terminal 30 respectively; the data transmission module 21 or the terminal 30 decrypts the signal to perform authentication, and if the decrypted data is the data it encrypted and sent when initiating authentication, authentication succeeds.
Through authentication before the session, this embodiment strengthens the security of communication; at the same time, the authentication between the card reader's data transmission module 21 and security authentication module 22 ensures that neither of them can be counterfeited, strengthening the reliability of the card reader.
With reference to Fig. 2, the second embodiment of the invention proposes a card reader based on the first embodiment, comprising a data transmission module 21 and a security authentication module 22.
The data transmission module 21 comprises a transmit/receive unit 211 and a card reader authentication unit 212. The transmit/receive unit 211 sends and receives authentication signals generated by encryption with the authentication algorithm; the card reader authentication unit 212 decrypts and verifies received authentication signals.
The security authentication module 22 comprises a signal receiving unit 221, an encryption/decryption and authentication unit 222 and a session establishment unit 223. The signal receiving unit 221 receives authentication signals that the data transmission module 21 and/or the terminal 30 generated by encryption with the authentication algorithm; the encryption/decryption and authentication unit 222 decrypts and verifies the authentication signal, then encrypts with the authentication algorithm the information that the data transmission module 21 or the terminal 30 sent in and returns it to the data transmission module 21 and/or the terminal 30 for authentication; the session establishment unit 223, after successful authentication, establishes a session between the data transmission module 21 and the terminal 30, generates session information and sends it to the terminal 30.
The session information comprises a session identifier, a session key and the like; the session key can be generated from the session identifier or similar values.
The session identifier uniquely identifies a session.
In this embodiment the data encryption algorithm can be a symmetric algorithm and the authentication algorithm an asymmetric algorithm or the like; the authentication signal can be a random number generated by the party performing authentication, which can be the data transmission module 21, the terminal 30 or the security authentication module 22.
Since an asymmetric algorithm comprises a public key and a private key, in this embodiment the data transmission module 21 is provisioned with the card reader private key and the authentication public key; the terminal 30 with the terminal private key and the authentication public key; and the security authentication module 22 with the authentication private key, the card reader public key and the terminal public key.
The data transmission module 21 can initiate authentication: it requests a security authentication random number from the security authentication module 22 and generates a card reader random number of its own; the card reader authentication unit 212 encrypts the security authentication random number and the card reader random number with the card reader private key, and the transmit/receive unit 211 sends the result to the security authentication module 22. The security authentication module 22 receives the encrypted random numbers through the signal receiving unit 221, decrypts them with the card reader public key in the encryption/decryption and authentication unit 222, and compares the decrypted security authentication random number with the original random number it keeps internally: if the two differ, authentication fails and further communication is refused; if they are identical, the encryption/decryption and authentication unit 222 encrypts the card reader random number with the authentication private key and returns it to the data transmission module 21. The data transmission module 21 decrypts with the authentication public key to obtain the card reader random number and compares it with the original random number it keeps internally: if the two differ, authentication fails and further communication is refused; if they are identical, authentication succeeds. This authentication improves the security of the data transmission module 21 and the security authentication module 22, and can serve as hardware security identification between the two.
The terminal 30 can likewise initiate authentication: it requests a security authentication random number from the security authentication module 22, generates a terminal random number, encrypts the security authentication random number and the terminal random number with the terminal private key and sends the result to the security authentication module 22. The security authentication module 22 receives the encrypted random numbers through the signal receiving unit 221, decrypts them with the terminal public key in the encryption/decryption and authentication unit 222 to obtain the security authentication random number, and compares it with the original random number it keeps internally: if the two differ, authentication fails and further communication is refused; if they are identical, authentication succeeds, the session establishment unit 223 generates a session identifier and generates a session key from it, the session identifier and session key are encrypted with the terminal public key to form encrypted session information, the terminal random number is encrypted with the authentication private key in the encryption/decryption and authentication unit 222, and the encrypted session information and the encrypted terminal random number are returned to the terminal 30. The terminal 30 decrypts the encrypted terminal random number with the authentication public key and compares the result with the original random number it keeps internally: if the two differ, authentication fails and further communication is refused; if they are identical, authentication succeeds, and the terminal decrypts the session identifier and session key with the terminal private key, thereby establishing the session between the data transmission module 21 and the terminal 30. This authentication improves the security of the session between the data transmission module 21 and the terminal 30.
By using an asymmetric algorithm for authentication, this embodiment makes authentication safer and more reliable.
With reference to Fig. 3, the third embodiment of the invention proposes a card reader based on the second embodiment, in which the security authentication module 22 further comprises a key generation unit, which generates a session key from the session identifier, encrypts it with the asymmetric algorithm and sends it to the terminal 30, and encrypts the session.
The key generation unit 224 generates a random root key when powered on and sets the session number to a random initial value. Each time the terminal 30 applies for a session, the session number is incremented by one, and the incremented session number is used as the session identifier of the terminal 30; the session identifier is diversified under the session key root key to obtain the session key, the diversification algorithm being a symmetric algorithm. The session identifier and the session key are sent to the terminal 30 using the terminal public key of the encryption/decryption and authentication unit 222.
The encryption/decryption and authentication unit 222 also encrypts data that the card reader sends to the terminal 30 and/or uses the session key to decrypt data that the terminal 30 sends to the card reader.
After authentication with the security authentication module 22 has succeeded, the data transmission module 21 can also apply to the security authentication module 22 for the session key; the security authentication module 22 encrypts the session identifier and session key with the card reader public key and sends them to the data transmission module 21.
The data transmission module 21 imports the session key. If the import succeeds, it uses the session key for encrypted data exchange with the terminal 30: data read from the external card 10 is encrypted with the session key and sent to the terminal 30, and data received from the terminal 30 is decrypted with the session key and sent to the external card 10 for storage. If the import fails, encryption and decryption are performed through the security authentication module 22.
After receiving and decrypting the encrypted session identifier and session key, the terminal 30 can likewise use the session key to encrypt and decrypt data, exchanging encrypted data with the data transmission module 21.
Because each session is different, the session identifier changes and the session key changes with it, which reduces the chance of the session key being broken and increases the security of data transmission.
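As an added illustration (not the patent's own code, and not code from the assignee), the following Python models the key generation unit 224 and the session encryption described above: a root key drawn at power-on, a session number started at a random value and incremented for each terminal session request, the incremented number serving as the session identifier, and the session key obtained by diversifying that identifier under the root key. The patent names neither the diversification algorithm nor the session cipher beyond calling them symmetric; HMAC-SHA256 as the diversification function and an HMAC-based keystream with an authentication tag as the session cipher are assumptions made here so that the code runs with the standard library alone. Names such as KeyGenerationUnit, diversify, session_encrypt and session_decrypt are this example's own, and the root key, counter value and card record are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF


def diversify(root_key: bytes, session_id: bytes) -> bytes:
    """Session key = diversification of the session identifier under the root key.
    The patent only says a symmetric algorithm is used; HMAC-SHA256 is this example's assumption."""
    return hmac.new(root_key, b"session-key|" + session_id, hashlib.sha256).digest()


class KeyGenerationUnit:
    """Stand-in for unit 224: a root key drawn at power-on and a session counter
    started at a random value (both injectable so that a run can be repeated)."""

    def __init__(self, root_key: Optional[bytes] = None,
                 initial_session_number: Optional[int] = None):
        self.root_key = root_key if root_key is not None else secrets.token_bytes(32)
        self.session_number = (initial_session_number if initial_session_number is not None
                               else secrets.randbelow(1 << 32))

    def new_session(self) -> Tuple[bytes, bytes]:
        """Each terminal session request increments the counter; the new value is the
        session identifier and the session key is diversified from it."""
        self.session_number = (self.session_number + 1) & MASK32
        session_id = self.session_number.to_bytes(4, "big")
        return session_id, diversify(self.root_key, session_id)


# Session encryption: an HMAC keystream plus a tag, standing in for the unnamed
# symmetric cipher the reader and terminal use once they share the session key.

def _subkeys(session_key: bytes) -> Tuple[bytes, bytes]:
    # Separate keys for confidentiality and integrity, both derived from the session key.
    return (hmac.new(session_key, b"enc", hashlib.sha256).digest(),
            hmac.new(session_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def session_encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag. A fresh nonce per message keeps the keystream unique."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def session_decrypt(session_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag does not verify (wrong session key or
    modified data), so nothing unverified is ever forwarded to the card or the terminal."""
    if len(blob) < 32:
        return None
    enc_key, mac_key = _subkeys(session_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict:
    """Two sessions from one powered-on unit: the keys differ, and data from one session
    is rejected under the other session's key."""
    kgu = KeyGenerationUnit(root_key=b"\x11" * 32, initial_session_number=41)  # constructed values
    sid1, key1 = kgu.new_session()
    sid2, key2 = kgu.new_session()
    record = b"card record 0001"                                             # constructed card data
    blob = session_encrypt(key1, record)
    return {"sid1": sid1, "sid2": sid2, "keys_differ": key1 != key2,
            "roundtrip": session_decrypt(key1, blob) == record,
            "cross_session": session_decrypt(key2, blob)}


if __name__ == "__main__":
    print(demo())
```

Two behaviours are worth checking when running it: a record encrypted under one session's key is rejected under the next session's key, because the identifier changed and the diversified key with it, and a modified ciphertext is rejected by the tag check instead of being decrypted into garbage and forwarded to the card.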
The security authentication module 22 of this embodiment can be a terminal secure access module (Purchase Secure Access Module, PSAM).
The card reader of this embodiment can also be fitted with an external radio-frequency module or the like for wireless data exchange with the external card 10.
Through authentication and encryption, the card reader of this embodiment improves the reliability of the hardware and the security of data transmission.
With reference to Fig. 4, the fourth embodiment of the invention proposes a card reader security authentication system in which a card reader performs authentication with a terminal 30 it is connected to and communicates with. The system comprises:
a card reader 40 and a terminal 30, which send and receive authentication signals generated by encryption with the authentication algorithm, and decrypt and verify the encrypted authentication signals they receive; the terminal 30 can be a PC or another electronic device; the authentication signal can be a random number generated by the security authentication module 22;
a security authentication module 22, connected to and communicating with the card reader 40 and the terminal 30, which receives authentication signals that the card reader 40 and/or the terminal 30 generated by encryption with the authentication algorithm,
decrypts and verifies the authentication signal, re-encrypts with the authentication algorithm the information that the card reader 40 and/or the terminal 30 sent in and returns it to the card reader 40 and/or the terminal 30 for authentication,
and after successful authentication establishes a session between the card reader 40 and the terminal 30, generates session information and sends it to the terminal 30.
The session information comprises a session identifier, a session key and the like; the session key can be generated from the session identifier or similar values.
The session identifier uniquely identifies a session.
In this embodiment the data encryption algorithm can be a symmetric algorithm and the authentication algorithm an asymmetric algorithm or the like; the authentication signal can be a random number generated by the party performing authentication, which can be the card reader 40, the terminal 30 or the like.
Since an asymmetric algorithm comprises a public key and a private key, in this embodiment the card reader 40 is provisioned with the card reader private key and the authentication public key; the terminal 30 with the terminal private key and the authentication public key; and the security authentication module 22 with the authentication private key, the card reader public key and the terminal public key.
The card reader 40 can initiate authentication: it requests a security authentication random number from the security authentication module 22, generates a card reader random number, encrypts the security authentication random number and the card reader random number with the card reader private key and sends the result to the security authentication module 22. The security authentication module 22 decrypts the received encrypted security authentication random number with the card reader public key and compares the result with the original random number it keeps internally: if the two differ, authentication fails and further communication is refused; if they are identical, authentication succeeds, and the card reader random number is encrypted with the authentication private key and returned to the card reader 40. The card reader 40 decrypts with the authentication public key to perform authentication, and if the decrypted data is the card reader random number it generated, authentication succeeds. This authentication improves the security of the session between the card reader 40 and the terminal 30, and allows the card reader 40 to be identified.
The terminal 30 can initiate authentication: it requests a security authentication random number from the security authentication module 22, generates a terminal random number, encrypts the security authentication random number and the terminal random number with the terminal private key and sends the result to the security authentication module 22. The security authentication module 22 decrypts the received encrypted authentication signal with the terminal public key to obtain the security authentication random number and compares it with the original random number it keeps internally: if the two differ, authentication fails and further communication is refused; if they are identical, authentication succeeds, the module generates a session identifier and session key, encrypts the terminal random number with the authentication private key, encrypts the session identifier and session key with the terminal public key, and returns them to the terminal 30. The terminal 30 decrypts with the authentication public key to obtain the terminal random number and compares it with the original terminal random number it keeps internally; if it confirms that the decrypted terminal random number is the one it generated when initiating authentication, authentication succeeds, and it decrypts the session identifier and session key with the terminal private key, thereby establishing the session between the card reader 40 and the terminal 30. This authentication improves the security of the session between the card reader 40 and the terminal 30.
The security authentication module 22 can also use the encryption/decryption and authentication unit 222 to generate the session identifier, and diversify the session identifier under the session root key (a random number generated at power-on) to produce the session key. The session identifier and session key are encrypted with the terminal public key by the encryption/decryption and authentication unit 222 and sent to the terminal 30.
After authentication with the security authentication module 22 has succeeded, the card reader 40 can also apply to the security authentication module 22 for the session key; the security authentication module 22 encrypts the session identifier and session key with the card reader public key and sends them to the card reader 40.
The card reader 40 imports the session key. If the import succeeds, it uses the session key for encrypted data exchange with the terminal 30: data read from the external card 10 is encrypted with the session key and sent to the terminal 30, and data received from the terminal 30 is decrypted with the session key and sent to the external card 10 for storage. If the import fails, the transmitted data is encrypted and decrypted through the security authentication module 22.
After receiving and decrypting the encrypted session identifier and session key, the terminal 30 can likewise use the session key to encrypt and decrypt the transmitted data, exchanging encrypted data with the card reader 40.
Because each session is different, the session identifier changes and the session key changes with it, which reduces the chance of the session key being broken and increases the security of data transmission.
The security authentication module 22 of this embodiment can be a terminal secure access module.
Through authentication and encryption, the card reader security authentication system of this embodiment improves the reliability of the hardware and the security of data transmission.
With reference to Fig. 5, the fifth embodiment of the invention proposes a card reader security authentication method in which a card reader 40 performs authentication with a terminal 30 it is connected to and communicates with, comprising the steps:
S10, encrypting an authentication signal with the authentication algorithm for the card reader and/or the terminal to perform authentication;
S11, receiving an authentication signal that the card reader 40 and/or the terminal 30 encrypted with the authentication algorithm;
S12, decrypting the authentication signal and verifying it;
S13, after successful authentication, establishing a session between the card reader 40 and the terminal 30, generating session information and sending it to the terminal 30.
In this embodiment the terminal 30 can be a PC or another electronic device; the authentication signal can be a random number; the session identifier uniquely identifies a session; the authentication algorithm can be an asymmetric algorithm or the like. Since an asymmetric algorithm comprises a public key and a private key, this embodiment provides a card reader private key and card reader public key, a terminal private key and terminal public key, and an authentication private key and authentication public key; the card reader 40 is provisioned with the card reader private key and the authentication public key, and the terminal 30 with the terminal private key and the authentication public key.
As in step S10, the session between the card reader 40 and the terminal 30 requires authentication before it is established. In this embodiment authentication can also be realized by providing a security authentication module 22: first, the card reader 40 and/or the terminal 30 request authentication from the security authentication module 22; then the security authentication module 22 returns a security authentication random number to the card reader 40 and/or the terminal 30.
As in step S11, the card reader 40 and/or the terminal 30 generate a card reader random number and/or a terminal random number, encrypt the security authentication random number together with the card reader random number and/or the terminal random number with the card reader private key and/or the terminal private key to form the encrypted authentication signal, and send the authentication signal to the security authentication module 22.
As in step S12, after the security authentication module 22 receives the encrypted authentication signal, it decrypts it with the card reader public key and/or the terminal public key to obtain the decrypted security authentication random number and the card reader random number and/or terminal random number.
The security authentication module 22 compares the decrypted security authentication random number with the original security authentication random number it keeps internally: if they differ, authentication fails; if they are identical, authentication succeeds.
As in step S13, if the terminal 30 requested authentication, the security authentication module 22 generates session information, encrypts it with the terminal public key and sends it to the terminal 30; at the same time it encrypts the terminal random number with the authentication private key to form an authentication signal and sends it to the terminal 30 for authentication. If the card reader 40 requested authentication, the security authentication module 22 encrypts the card reader random number with the authentication private key to form an authentication signal and sends it to the card reader 40 for authentication.
After the card reader 40 and/or the terminal 30 receive the authentication signal, they first decrypt it with the authentication public key to obtain the card reader random number and/or the terminal random number, and compare the decrypted random number with the original random number they keep: if they differ, authentication fails and further communication is refused; if they are identical, authentication succeeds and the session is established; if the requester is the terminal 30, it then decrypts with the terminal private key to obtain the session information.
When establishing the session, the terminal 30 can also generate a public/private key pair at random and pass the public key to the security authentication module 22; after authentication succeeds, the security authentication module 22 encrypts the session information with the temporary terminal public key it received and returns it to the terminal 30, which decrypts it with the temporary terminal private key to obtain the session information.
Said session information comprises Session ID and session key etc.; Said session key can be according to generations such as said Session IDs.
The said card reader safety certification method of present embodiment through the authentication before the session, has strengthened the security of communication, and can discern by reading card device 40, prevents that card reader 40 from being palmed off.
With reference to Fig. 6, the sixth embodiment of the invention proposes a card reader security authentication method based on the fifth embodiment, further comprising the step:
S130: generate a session key from said session identifier, encrypt it with said authentication algorithm and send it to said terminal, and encrypt the session.
As described in step S130, when powered on the security authentication module 22 generates one random number as the session root key and another random number as the session identifier initial value;
each time the terminal 30 applies for authentication and the security authentication module 22 successfully authenticates the terminal 30, the session identifier initial value is increased by one, the incremented value is used as the session identifier of this session, and the session root key is used to diversify the session identifier with a symmetric algorithm to obtain the session key.
Said card reader 40 uses said session key to carry out encrypted data exchange with said terminal 30: data read from said external card 10 are encrypted with said session key and sent to said terminal 30, and data received from the terminal 30 are decrypted with said session key and sent to the external card 10 for storage.
Said terminal 30 can likewise use said session key to encrypt and decrypt data and carry out encrypted data exchange with said card reader 40.
Because each session is different, the session identifier changes and therefore the session key changes, which reduces the chance that the session key is broken and increases the security of data transmission.
The card reader security authentication method of the present embodiment, through authentication and encryption, improves the reliability of the hardware and the security of data transmission.
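The fifth-embodiment handshake (security authentication random number, peer random number, reply under the authentication private key) and the sixth-embodiment session key diversification, as an added Python simulation that is not the patent's own code. Assumptions: textbook RSA over fixed Mersenne-prime pairs stands in for the asymmetric algorithm, HMAC-SHA256 stands in for the symmetric diversification, and the names RsaKey, SecurityAuthModule and peer_authenticate are mine.

```python
import hashlib
import hmac
import secrets

# Textbook RSA over fixed Mersenne-prime pairs: a deterministic, offline
# stand-in for the patent's "asymmetric algorithm" (assumption; not secure).
class RsaKey:
    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))

    def private_op(self, m):  # the patent's "encrypt with the private key"
        return pow(m, self.d, self.n)

    def public_op(self, c):   # the patent's "decrypt with the public key"
        return pow(c, self.e, self.n)

def mersenne(k):
    return (1 << k) - 1

# The three key pairs named in the fifth embodiment (constructed demo keys).
CARD_READER_KEY = RsaKey(mersenne(61), mersenne(89))
TERMINAL_KEY = RsaKey(mersenne(107), mersenne(31))
AUTH_KEY = RsaKey(mersenne(127), mersenne(19))

def derive_session_key(root_key, session_id):
    """Sixth embodiment: diversify the session root key by the session ID.
    HMAC-SHA256 stands in for the unspecified symmetric algorithm (assumption)."""
    mac = hmac.new(root_key, session_id.to_bytes(4, "big"), hashlib.sha256)
    return mac.digest()[:16]

class SecurityAuthModule:
    """SAM (module 22): holds the authentication private key and each peer's
    public key; peers hold only their own private key and the auth public key."""

    def __init__(self, peer_pubkeys):
        self.peers = peer_pubkeys          # "card_reader" / "terminal" -> RsaKey
        self.pending = {}                  # peer -> challenge awaiting its reply
        # Power-on state: random session root key and random session-ID start.
        self.root_key = secrets.token_bytes(16)
        self.session_id = secrets.randbelow(1 << 31)

    def issue_challenge(self, who):
        """Step S10: hand out the security authentication random number."""
        self.pending[who] = secrets.randbelow(1 << 64) + 1
        return self.pending[who]

    def verify(self, who, enc_sam_nonce, enc_peer_nonce):
        """Steps S11-S13 on the SAM side. Returns None on failure."""
        pub = self.peers[who]
        expected = self.pending.pop(who, None)   # one-shot: a replay finds nothing
        if expected is None or pub.public_op(enc_sam_nonce) != expected:
            return None
        peer_nonce = pub.public_op(enc_peer_nonce)
        auth_signal = AUTH_KEY.private_op(peer_nonce)   # SAM proves it holds the auth key
        if who != "terminal":
            return auth_signal, None, None       # card reader gets no session info
        self.session_id += 1                     # new ID, hence new key, per session
        key = derive_session_key(self.root_key, self.session_id)
        enc_id = pub.public_op(self.session_id)  # session info under terminal public key
        enc_key = pub.public_op(int.from_bytes(key, "big"))
        return auth_signal, enc_id, enc_key

def peer_authenticate(sam, who, key):
    """Card reader or terminal side of the handshake; None means refuse to talk."""
    sam_nonce = sam.issue_challenge(who)
    my_nonce = secrets.randbelow(1 << 64) + 1
    reply = sam.verify(who, key.private_op(sam_nonce), key.private_op(my_nonce))
    if reply is None:
        return None
    auth_signal, enc_id, enc_key = reply
    if AUTH_KEY.public_op(auth_signal) != my_nonce:  # SAM did not prove itself
        return None
    if who != "terminal":
        return {"session_id": None, "session_key": None}
    return {"session_id": key.private_op(enc_id),
            "session_key": key.private_op(enc_key).to_bytes(16, "big")}
```

A peer presenting the wrong private key, or a captured authentication signal replayed after its challenge has been consumed, is rejected by `verify`; consecutive terminal sessions receive session identifiers one apart and therefore distinct session keys.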
With reference to Fig. 7, the seventh embodiment of the invention proposes a card reader security authentication device 50, which is connected to and communicates with the card reader 40 and/or the terminal 30, and said card reader security authentication device 50 comprises:
a signal receiving unit 221, which receives the authentication signal encrypted by the card reader 40 and/or the terminal 30 with the authentication algorithm;
an encryption/decryption and authentication unit 222, which decrypts and authenticates said authentication signal, then encrypts the information to be returned with the authentication algorithm and sends it to the card reader 40 and/or the terminal 30 so that they can perform authentication;
a session establishing unit 223, which after authentication succeeds establishes the session between the card reader 40 and the terminal 30, generates session information and sends it to said terminal 30.
Said session information comprises a session identifier, a session key and the like; said session key may be generated from said session identifier or similar values.
Said encryption/decryption and authentication unit 222 also encrypts the data that said card reader 40 sends to the terminal 30 and/or uses the session key to decrypt the data that the terminal 30 sends to the card reader 40.
In the present embodiment, said terminal 30 may be a PC or another electronic device; said authentication signal may be a random number generated by the card reader security authentication device 50; said session identifier uniquely identifies a session; said authentication algorithm may be an asymmetric algorithm or the like. Because an asymmetric algorithm comprises a public key and a private key, in the present embodiment the card reader private key and the authentication public key are stored in said card reader 40; the terminal private key and the authentication public key are stored in said terminal 30; and the authentication private key, the card reader public key and the terminal public key are stored in said encryption/decryption and authentication unit 222.
Said card reader 40 can initiate authentication: it requests a security authentication random number from said card reader security authentication device 50, generates a card reader random number, encrypts said security authentication random number and card reader random number with the card reader private key and sends them. Said signal receiving unit 221 receives the encrypted authentication signal; the encryption/decryption and authentication unit 222 decrypts it with the card reader public key to obtain the decrypted security authentication random number and card reader random number, and compares the decrypted security authentication random number with the original security authentication random number stored internally. If they differ, authentication fails and further communication is refused; if they are identical, authentication succeeds, and the encryption/decryption and authentication unit 222 encrypts the card reader random number with the authentication private key and returns it to said card reader 40. Said card reader 40 decrypts it with the authentication public key and performs authentication by confirming that the decrypted data is the card reader random number it generated when initiating authentication; if so, authentication succeeds and it sends an authentication acknowledgement to said signal receiving unit 221. Authentication thus improves the security of the session between the card reader 40 and the terminal 30 and allows the card reader 40 to be identified.
Said terminal 30 can initiate authentication: it requests a security authentication random number from said card reader security authentication device 50, generates a terminal random number, encrypts said security authentication random number and terminal random number with the terminal private key and sends them. Said signal receiving unit 221 receives the encrypted authentication signal; the encryption/decryption and authentication unit 222 decrypts it with the terminal public key to obtain the decrypted security authentication random number and terminal random number, and compares the decrypted security authentication random number with the original random number stored internally. If they differ, authentication fails and further communication is refused; if they are identical, authentication succeeds: the session establishing unit generates a session identifier and session key, the encryption/decryption and authentication unit 222 encrypts the terminal random number with the authentication private key to form the encrypted authentication signal, encrypts the session identifier and session key with the terminal public key to form the encrypted session information, and returns both the encrypted authentication signal and the encrypted session information to said terminal 30. Said terminal 30 decrypts with the authentication public key and performs authentication by confirming that the decrypted data is the terminal random number it generated when initiating authentication; if so, authentication succeeds and it decrypts the encrypted session information with the terminal private key to obtain the session identifier and session key, thereby establishing the session between the card reader 40 and the terminal 30. Authentication thus improves the security of the session between the card reader 40 and the terminal 30.
With reference to Fig. 8, said card reader security authentication device 50 further comprises a key generation unit 224, which can use one random number generated when the security authentication module powers on as the session root key and another random number as the session identifier initial value; at each session application the session identifier initial value is increased by one, the incremented value is used as the session identifier of this session, and the session identifier is diversified with the session root key to obtain the session key; the session identifier and session key are encrypted with the terminal public key by the encryption/decryption and authentication unit 222 and sent to said terminal 30.
If said card reader 40 imports said session key successfully, it uses said session key to carry out encrypted data exchange with said terminal 30: data read from said external card 10 are encrypted with said session key and sent to said terminal 30, and data received from the terminal 30 are decrypted with said session key and sent to the external card 10 for storage; if the import fails, data encryption and decryption are carried out by said encryption/decryption and authentication unit 222.
After receiving and decrypting said encrypted session identifier and session key, said terminal 30 can likewise use said session key to encrypt and decrypt data and carry out encrypted data exchange with said card reader 40.
Because each session is different, the session identifier changes and therefore the session key changes, which reduces the chance that the session key is broken and increases the security of data transmission.
The card reader security authentication device 50 of the present embodiment may be a terminal security access module.
The card reader security authentication device 50 of the present embodiment, through authentication and encryption, improves the reliability of the hardware and the security of data transmission.
The above are merely preferred embodiments of the present invention and do not limit the claims of the invention; every equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the invention, or direct or indirect use in other related technical fields, is likewise included in the scope of patent protection of the invention.

Claims (9)

1. A card reader, characterized in that said card reader comprises:
a data transmission module, which carries out data transmission with a terminal and/or an external card, is provided with a data encryption algorithm and an authentication algorithm, and carries out authentication;
said data transmission module comprises:
a transmitting/receiving unit, which transmits and receives data signals encrypted with the data encryption algorithm and authentication signals encrypted with the authentication algorithm;
a card reader authentication unit, which decrypts and authenticates received authentication signals and generates authentication signals for authentication by the security authentication module;
a security authentication module, which is connected to and communicates with the data transmission module and the terminal, is provided with the data encryption algorithm and the authentication algorithm, and carries out authentication with the data transmission module and/or the terminal;
said security authentication module comprises:
a signal receiving unit, which receives data signals encrypted by the data transmission module and/or the terminal with the data encryption algorithm and/or authentication signals encrypted with the authentication algorithm;
an encryption/decryption and authentication unit, which decrypts and authenticates said authentication signal and can encrypt an authentication signal with the authentication algorithm for authentication by the data transmission module and/or the terminal;
a session establishing unit, which after authentication succeeds receives an authentication acknowledgement, establishes the session between the data transmission module and the terminal, generates session information and sends it to said terminal.
2. The card reader according to claim 1, characterized in that:
said session information comprises a session identifier and a session key.
3. The card reader according to claim 2, characterized in that:
said security authentication module further comprises a key generation unit, which generates a session key from said session identifier and encrypts the session.
4. The card reader according to claim 3, characterized in that:
said encryption/decryption and authentication unit also encrypts the data that said card reader sends to the terminal and/or uses the session key to decrypt the data that the terminal sends to the card reader.
5. The card reader according to any one of claims 1 to 4, characterized in that:
said data encryption algorithm is a symmetric algorithm and said authentication algorithm is an asymmetric algorithm.
6. A card reader security authentication system, characterized in that the card reader carries out authentication for its communication with a terminal connected to and communicating with it, said system comprising:
a card reader and a terminal, which transmit and receive authentication signals encrypted with the authentication algorithm and decrypt and authenticate the received authentication signals;
a security authentication module, which is connected to and communicates with the card reader and the terminal, receives the authentication signal encrypted by the card reader and/or the terminal with the authentication algorithm, decrypts and authenticates said authentication signal, and can encrypt an authentication signal with the authentication algorithm for authentication by the card reader and/or the terminal;
after authentication succeeds, the session between the card reader and the terminal is established, and session information is generated and sent to said terminal.
7. A card reader security authentication method, characterized in that the card reader carries out authentication for its communication with a terminal connected to and communicating with it, comprising the steps:
encrypting an authentication signal with the authentication algorithm so that the card reader and/or the terminal can perform authentication;
receiving the authentication signal encrypted by the card reader and/or the terminal with the authentication algorithm;
decrypting said authentication signal and then authenticating it;
after authentication succeeds, establishing the session between the card reader and the terminal, generating session information and sending it to said terminal.
8. The card reader security authentication method according to claim 7, characterized in that the step of establishing the session between the card reader and the terminal after said authentication succeeds and generating and sending session information to said terminal further comprises the step:
generating a session key from said session identifier and encrypting the session.
9. A card reader security authentication device, characterized in that it is connected to and communicates with a card reader and/or a terminal, said device comprising:
a signal receiving unit, which receives the authentication signal encrypted by the card reader and/or the terminal with the authentication algorithm;
an encryption/decryption and authentication unit, which decrypts and authenticates said authentication signal and can encrypt an authentication signal with the authentication algorithm for authentication by the card reader and/or the terminal;
a session establishing unit, which after authentication succeeds establishes the session between the card reader and the terminal, generates session information and sends it to said terminal.
CN2009101052322A 2009-01-22 2009-01-22 Card reader safety certification device and method Expired - Fee Related CN101789068B (en)

Publications (2)

Publication Number Publication Date
CN101789068A CN101789068A (en) 2010-07-28
CN101789068B true CN101789068B (en) 2012-11-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121107

Termination date: 20220122