CN101866411A - Security certification and encryption method and system of multi-application noncontact-type CPU card - Google Patents

Security certification and encryption method and system of multi-application noncontact-type CPU card Download PDF

Info

Publication number
CN101866411A
CN101866411A CN200910106671A CN200910106671A CN101866411A CN 101866411 A CN101866411 A CN 101866411A CN 200910106671 A CN200910106671 A CN 200910106671A CN 200910106671 A CN200910106671 A CN 200910106671A CN 101866411 A CN101866411 A CN 101866411A
Authority
CN
China
Prior art keywords
identity information
subscriber identity
cpu card
information
encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200910106671A
Other languages
Chinese (zh)
Other versions
CN101866411B (en
Inventor
邓欣
张燕
刘汉扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen SZGX Information Technology Co Ltd
Original Assignee
Shenzhen SZGX Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen SZGX Information Technology Co Ltd filed Critical Shenzhen SZGX Information Technology Co Ltd
Priority to CN2009101066715A priority Critical patent/CN101866411B/en
Publication of CN101866411A publication Critical patent/CN101866411A/en
Application granted granted Critical
Publication of CN101866411B publication Critical patent/CN101866411B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides security certification and encryption method and system of a multi-application noncontact-type CPU card according with the ISO 14443 standard. The security certification encryption system comprises a CPU card, a card-reading device and a control device, wherein the CPU card is used for the radio frequency transmission of encrypted user ID information, the card-reading device is used for receiving and decrypting the encrypted user ID information to acquire and transmit original user ID information, and the control device is used for receiving the original user ID information and executing corresponding operation according to a right thereof. Because a front-end information reading module and a back-end information decryption module can be remotely communicated, the back-end information decryption module and the control device can be arranged in hidden positions to only transmit the encrypted user ID information in the link so that the difficulty of illegally acquiring the user ID information is upgraded. The CPU card is provided with a COS (Cooperative Office System) system for implanting an encryption algorithm and overlaying a random number so that the encrypted user ID information generated by encryption every time is also random correspondingly.

Description

Contactless CPU card many application safeties authentication encryption method and system
Technical field
The present invention relates to the CPU card, in particular to contactless CPU card many application safeties authentication encryption method and system.
Background technology
The IC-card (Integrated Card integrated circuit card) that occurs on the market divides from device technology at present, can be divided into non-encrypted storage card, encrypt storage card and CPU card.Non-encrypted card does not have security, can rewrite the data in the card arbitrarily.On the basis of common memory card, add the logical encrypt circuit and encrypt storage card, become the logical encrypt storage card.The logical encrypt storage card needed the verification password just can carry out write operation owing to adopt the cipher control logic to control visit and rewriting to EEPROM before using, thus be safe for chip itself, but on using, be unsafe.Existing all-purpose card product is based on the Mifare 1 that Philips company produces mostly and develops, and in the more than ten years in the past, they are always in occupation of dominant advantage.But recently, national government department proposes to have safety issue based on all products of Mifare 1 card, and particularly in consumer field, its encryption system is illegally cracked by the offender easily, thereby causes the public's property to be occupied by malice.It mainly has following insecurity factor:
1, password is plaintext transmission on the line, is easily intercepted;
2, for the merchant of system, password and cryptographic algorithm all are transparent.
3, whether logic encryption card is can't authentication application legal.
For example, suppose that the someone has forged ATM, we can't know its legitimacy.When inserting credit card, in the time of input PIN, the password of credit card been has just has been intercepted and captured.INTENET shopping online for another example, if use logic encryption card, the shopper can't determine the legitimacy of Online Store equally.The unsafe factor that uses just because of logic encryption card has promoted the development of CPU card.
The CPU card can be accomplished to the people, to card, to the three parts's of system legitimacy authentication.The CPU jig has three kinds of authentication methods: the authentication of card holder's legitimacy, i.e. PIN verification; The authentication of card legitimacy, i.e. internal authentication; System's legitimacy authentication, i.e. external authentication.A SAM (the Secure Access Module) secure access module in addition general and the CPU card is used, they are embedded in the reader device mostly, realize bidirectional identity authentication with the outer CPU card, do the security that has improved original card system greatly like this.But in the system that has, access control system for example, usually reader device and control device are the split designs, still may be intercepted and captured in the process that arrives control device by the subscriber data or the key information of the transmission of SAM secure access module, therefore still have certain safety issue.
Summary of the invention
The present invention solves subscriber data or the easy shortcoming of intercepting and capturing of key information when the CPU card is used in the prior art, has proposed a kind of contactless many application safeties of CPU card authenticated encryption system that the authentification of message module is placed the close control device in rear end.
Technical scheme of the present invention is: a kind of contactless many application safeties of CPU card authenticated encryption system is provided, described system comprises that the CPU card of the subscriber identity information that radio frequency send to be encrypted, the subscriber identity information that receives described encryption are decrypted and obtains the original user identity information and with the reader device of its transmission and receive described original user identity information and carry out the control device of corresponding operating according to its authority, wherein said reader device also comprises: radio frequency receives the front-end information read module of the subscriber identity information of described encryption; With connected in series on described front-end information read module with long-range reception and decipher the backend information deciphering module of the subscriber identity information of described encryption.
Because front-end information read module and backend information deciphering module can carry out telecommunication, therefore, the backend information deciphering module can together be located at hidden position with control device, in the light current well, what transmit in this telecommunication link all is information encrypted, thereby has increased the difficulty of illegally obtaining subscriber identity information.
According to one embodiment of present invention, described CPU card comprises: file storage unit, cryptographic algorithm unit, random number generation unit, Transmit Receive Unit and the central controlled processing unit of carrying out following operation by control bus coordinative file storage unit, cryptographic algorithm unit, random number generation unit, Transmit Receive Unit:
Carry out system authentication mutually with described backend information deciphering module, if the described subscriber identity information in the described file storage unit is then obtained in the system authentication success, if get nowhere then end operation;
Adopt first cryptographic algorithm that the random number x that described subscriber identity information and described random number generation unit produce is carried out computing by described cryptographic algorithm unit, obtain the subscriber identity information of described encryption;
Described Transmit Receive Unit sends the subscriber identity information and the described random number x of described encryption.
According to one embodiment of present invention, described system also comprise with the radio communication of described CPU card and with the card-issuing device of system software serial communication, subscriber identity information and access key that the described system software of described card-issuing device serial received sends write described access key and described subscriber identity information in the file storage unit of described CPU card with secure file type and basic document type respectively by RF-wise.
Guarantee the security of this subscriber identity information by the security access mechanism of CPU card itself, utilize described subscriber identity information is obtained in the authentication of described access key.If the external read card device is legal usually, this access key and corresponding cryptographic algorithm then in this external read card device, must have been stored.In the present invention, the visit of CPU card is met the ISO14443 standard, and aspect safety certification, meet the ISO7816 standard.
According to one embodiment of present invention, described front-end information read module comprises Transmit Receive Unit, serial Transmit-Receive Unit, storage unit and coordinates the described Transmit Receive Unit of control, serial Transmit-Receive Unit, storage unit work to finish the central controlled processing unit of following operation by control bus:
Radio frequency receives the subscriber identity information and the described random number of the described encryption of described CPU card; And
Serial sends the subscriber identity information and the described random number of described encryption.
According to one embodiment of present invention, described backend information deciphering module comprises serial Transmit-Receive Unit, secure access unit, Wei root output unit and coordinates the described serial Transmit-Receive Unit of control, secure access unit, the work of Wei root output unit to finish the central controlled processing unit of following operation by control bus:
The subscriber identity information and the random number x of the described encryption of serial received are sent to described secure access unit;
Adopt the logic opposite that the subscriber identity information of described encryption and random number x are carried out computing by described secure access unit and obtain described original subscriber identity information with described first cryptographic algorithm; And
Abide by Wei root agreement described original subscriber identity information is sent to described control device.
The present invention also provides a kind of contactless many application safeties of CPU card authentication encryption method for solving prior art problems, said method comprising the steps of:
S101CPU card and backend information deciphering module carry out system authentication, if authentication success then obtain in advance the subscriber identity information and the execution in step S102 of storage, if unsuccessful, execution in step S106 end operation then;
The described CPU card of S102 adopts first cryptographic algorithm that described subscriber identity information and random number x are carried out computing, and the subscriber identity information that obtains encrypting sends the subscriber identity information and the described random number x of described encryption then with RF-wise;
S103 front-end information read module receives the subscriber identity information and the described random number x of described encryption, and sends with serial mode;
S104 backend information deciphering module receives subscriber identity information, the random number x of described encryption and adopts the logic opposite with described first cryptographic algorithm to carry out computing and obtains subscriber identity information;
S105 backend information deciphering module is abideed by Wei root agreement described subscriber identity information is sent to described control device;
S106 finishes this operation.
Preferably, in step S101, described system authentication is further comprising the steps of:
Secure access unit in the described backend information deciphering module of S101a carries out computing with its access key stored in advance and random number y with second cryptographic algorithm, obtains message authentication code MAC1, and sends described random number y;
Described random number y is received in the described CPU clamping of S101b, and carries out computing with the access key that is stored in the secure file with described second cryptographic algorithm, obtains another message authentication code MAC2, sends described another message authentication code MAC2;
The described backend information deciphering module of S101c receives described another message authentication code MAC2, whether identical by wherein secure access unit more described another message authentication code MAC2 with described message authentication code MAC1, if it is identical, the system authentication success, then carry out described step S102, if inequality, system authentication is unsuccessful, end operation.
According to a method embodiment of the present invention, preferably, described method also comprises initialization hair fastener step:
Described subscriber identity information and access key that S201 serial received user sends by system software;
S202 deposits described subscriber identity information in by the radio communication mode in the basic document of file storage unit of described CPU card, and described access key is stored in the secure file.
Preferably, but described subscriber identity information also attachment device sequence number and CPU card sequence number, and after described system authentication step success, described CPU card and described backend information deciphering module transmit sequence number separately mutually.
According to a method embodiment of the present invention, when execution in step S103, the serial of front-end information read module sends the subscriber identity information and the random number of encrypting and adopts the RS-485 agreement.In the present invention, the visit of CPU card is met the ISO14443 standard, and aspect safety certification, meet the ISO7816 standard.
As shown from the above technical solution, reader device of the present invention adopts the mode of backend information deciphering module and front-end information read module split design, and backend information deciphering module and control device be arranged on hidden place (in the light current well) nearby, adopt the RS-485 agreement to carry out telecommunication between backend information deciphering module and the front-end information read module, on the radio frequency communication link of this communication link and CPU card and front-end information read module, all transmit the subscriber identity information of the encryption of the random number that superposeed.In addition, CPU card and rear end deciphering module carry out system authentication, prevent that the equipment that is not native system from carrying out the Card Reader operation, or prevent to use the CPU card that is not native system.In the information encryption process, additional CPU card sequence number and device sequence number can strengthen the security of the subscriber identity information of encryption.Therefore, this system can guarantee the high safety of subscriber identity information.
Description of drawings
Fig. 1 is the structured flowchart of the design of reader device split according to an embodiment of the invention;
Fig. 2 is the inner structure synoptic diagram of CPU card according to an embodiment of the invention;
Fig. 3 is the inner structure synoptic diagram of rear end deciphering module according to an embodiment of the invention;
Fig. 4 is the file storage type figure of CPU card according to an embodiment of the invention;
Fig. 5 is the structured flowchart of card-issuing device according to an embodiment of the invention;
Fig. 6 is the inner structure synoptic diagram of front-end information read module according to an embodiment of the invention;
Fig. 7 is the process flow diagram according to the subscriber identity information encrypted transmission in the embodiments of the invention CPU card;
Fig. 8 is the system authentication process flow diagram that obtains the subscriber identity information in the CPU card according to embodiments of the invention.
Embodiment
As shown in Figure 1, wherein shown a kind of contactless many application safeties of CPU card authenticated encryption system, it comprises CPU card 11, reader device 12 and control device 13, reader device 12 comprises front-end information read module 14 and backend information deciphering module 15, front-end information read module 14 is used for the subscriber identity information that radio frequency receives the encryption of CPU card 11, wherein, CPU card 11 radio frequencies send the subscriber identity information of encrypting, front-end information read module 14 in the reader device 12 receives the subscriber identity information of this encryption, and send to backend information deciphering module 15 with serial communication mode, decipher this subscriber identity information by it, and sending to control device 13 in Wei root mode, the subscriber identity information of control device 13 receiving and decipherings is also carried out corresponding operating according to its authority.In the present embodiment, front-end information read module 14 adopts the RS-485 serial communication mode with communicating by letter of rear end deciphering module, and communication distance can reach 1200 meters.But the invention is not restricted to this, as long as satisfy the telecommunication condition.In the present embodiment, control device 13 is access controllers, and it judges according to the subscriber identity information of deciphering whether the user has the discrepancy authority, and carries out the operation of unblanking with locking.
As shown in Figure 2, the inner structure that has wherein shown CPU card 11, comprise: file storage unit 32, cryptographic algorithm unit 33, random number generation unit 34 and Transmit Receive Unit 35, file storage unit 32, cryptographic algorithm unit 33, random number generation unit 34 and Transmit Receive Unit 35 are connected on the central controlled processing unit 31 by control bus, come above-mentioned each parts are controlled by loading COS (Chip Operation System chip operating system) system:
Carry out system authentication mutually with backend information deciphering module 15, if the subscriber identity information in the file storage unit 32 is then obtained in the system authentication success, if get nowhere then end operation;
Adopt first cryptographic algorithm that the random number x that subscriber identity information and random number generation unit 34 produce is carried out computing, the subscriber identity information that obtains encrypting by cryptographic algorithm unit 33;
Transmit Receive Unit 35 sends subscriber identity information and the random number x that encrypts to reader device 12.
Because CPU card 11 carries the COS system, can implant cryptographic algorithm, and the random number that superposes, making the subscriber identity information of at every turn encrypting the encryption that generates corresponding also is at random.Therefore, on radio frequency link, be difficult to obtain subscriber identity information.
In the present embodiment, first cryptographic algorithm can be 3DES algorithm or RSA Algorithm, but the invention is not restricted to this.
CPU card 11 is to have operating system with the maximum difference of General Logic encrypted card, and information is deposited according to file layout.
CPU card 11 is as the carrier of information, must canned data in card, such as the identity information of depositing the user (comprises name, age, work unit, post, phone etc.) on CPU card 11.Present CPU card generally all is only to support three layers of catalogue file at most, and the external card that has is only supported two-layer catalogue file.In addition, the CPU card also has following difference with the regular file operation: the type of the file that statement was earlier created when the CPU card was created a file and the space size of creating file; The CPU card cannot be deleted after having created a file.(test can make an exception hair fastener the time, but that deletion is MF (Master File), promptly deletes All Files and catalogue in the card); CPU Cavan part type has only seldom several, does not have the suffix name; The CPU card is created file, written document must be undertaken by the mode that sends the APDU message to card, and the byte number of at every turn writing can not surpass 256 bytes.
Introduce the file structure of CPU card below in detail:
The file type of CPU card has two kinds
1, MF (Master File master file): root directory is the root of card file system, is equivalent to the root directory of DOS, and every card has and have only a MF file.The establishment mode of the MF of difference card manufacturer is different.Mainly contain dual mode: in the card personalization process, create by the card issuer; Create when perhaps manufacturer provides card, the card issuer can not create again.
2, DF (Dedicated File purpose file): DF is equivalent to the sub-directory of DOS.
DDF and ADF: we are referred to as DDF to the DF that comprises subprime directory, do not comprise the ADF that is referred to as of subprime directory.
In the CPU card, defined three kinds of basic document (EF, Elementary File) type
One, transparent file: basic document have been stored the data and the management information of various application, and it is present under MF and the DF.File data is to carry out access by the byte address in the continuous space.Sequence number as the CPU card
Two, basic document: data are to deposit hereof in the mode of record.
Three, secure file, this class file be and security-related file, thus just strict especially to the access control of file, can only write file, file is unreadable.Document memory is placed with key and the password that closes card safety.For example, in the present invention, stored access key in this document.And subscriber identity information of the present invention is stored in the basic document.
As shown in Figure 3, the structural drawing that has shown file storage unit in the CPU card according to an embodiment of the invention.
As shown in Figure 4, rear end deciphering module 15 comprises serial Transmit-Receive Unit 42, secure access unit 43, storage unit 44, Wei root output unit 45 and coordinates control serial Transmit-Receive Unit 42, secure access unit 43, storage unit 44,45 work of Wei root output unit to finish the central controlled processing unit 41 of following operation by control bus:
Carry out system authentication with CPU card 11 earlier, authentication is passed through, the subscriber identity information in the then addressable CPU card;
The subscriber identity information and the random number x of the described encryption of serial received are sent to described secure access unit 43;
Adopt the logic opposite that the subscriber identity information of described encryption and random number x are carried out computing by described secure access unit 43 and obtain described original subscriber identity information with described first cryptographic algorithm;
And
Abide by Wei root agreement subscriber identity information is sent to control device 13.
Control device 13 is carried out corresponding operating according to the authority of subscriber identity information.
CPU card 11 need utilize card-issuing device that each user's identity information and access key are write in CPU card 11 and the reader device 12 by system software by the customer administrator at first to the user there time.As shown in Figure 5, the structured flowchart that has wherein shown card-issuing device 22.Card-issuing device 22 and 11 radio communications of CPU card, and with system software 25 serial communications.Subscriber identity information and access key that the described system software 25 of card-issuing device 22 serial received sends write access key and subscriber identity information in the file storage unit 32 of CPU card 11 with secure file type and basic document type respectively by RF-wise.When system initialization, the access key that writes in the CPU card 11 should also will write in the backend information deciphering module 15 in the reader device 12 of this card, to be used for system authentication.The present invention is applicable to writing of any way.
Here, system software 25 can adopt the RS-232 agreement with the serial communication of card-issuing device, but the invention is not restricted to this.
As shown in Figure 6, the inner structure synoptic diagram that has wherein shown front-end information read module 14.Front-end information read module 14 comprises Transmit Receive Unit 54, serial Transmit-Receive Unit 52, storage unit 53 and coordinates the described Transmit Receive Unit 54 of control, serial Transmit-Receive Unit 52, storage unit 53 work to finish the central controlled processing unit 51 of following operation by control bus:
Radio frequency receives the subscriber identity information and the random number of the encryption of CPU card 11; And
Serial sends the subscriber identity information and the random number of encrypting.
Because CPU card of the present invention is the card that meets the ISO14443 standard, and security access mechanism meets the ISO7816 standard.Therefore, in carrying out the system authentication process, need reader device 12 and CPU card both sides co-ordination.
Backend information deciphering module 15 obtains message authentication code MAC1 by cryptographic algorithm to the computing of the access key of storage and the random number y of random number generation unit in advance in the secure access unit 43, and sends this random number y.In the CPU card, also make identical operations, promptly, adopting identical cryptographic algorithm that the random number y of the access key deposited in the secure file and reception is carried out computing obtains another MAC2 and sends, relatively whether MAC1 is identical with MAC2 in backend information deciphering module card then, if it is identical, authentication is passed through, and thinks that then card is legal, can obtain the subscriber identity information of storing in the CPU card; If different, authentication is not passed through, and finishes accessing operation.
As shown in Figure 7, the process flow diagram that has wherein shown the subscriber identity information that is used for authenticating the CPU card according to the present invention.This flow process may further comprise the steps:
S101 CPU card 11 carries out system authentication with backend information deciphering module 15, if authentication success then obtain in the CPU card subscriber identity information and the execution in step S102 of storage in advance, if unsuccessful, execution in step S106 end operation then;
S102 CPU card 11 adopts first cryptographic algorithm that subscriber identity information and random number x are carried out computing, and the subscriber identity information that obtains encrypting sends subscriber identity information and the random number x that encrypts with RF-wise then;
S103 front-end information read module 14 receives subscriber identity information and the random number x that encrypts, and sends with serial mode;
S104 backend information deciphering module 15 receives subscriber identity information, the random number x that encrypts and adopts the logic opposite with first cryptographic algorithm to carry out computing and obtains subscriber identity information;
S105 backend information deciphering module 15 is abideed by Wei root agreement subscriber identity information is sent to control device 13;
S106 finishes this operation.
As shown in Figure 8, system authentication is further comprising the steps of:
Secure access unit 43 in the S101a backend information deciphering module 15 carries out computing with its access key stored in advance and random number y with second cryptographic algorithm, obtains message authentication code MAC1, and sends described random number y;
S101b CPU card 11 receives random number y, and carries out computing with the access key that is stored in the secure file with second cryptographic algorithm, obtains another message authentication code MAC2, sends another message authentication code MAC2;
S101c backend information deciphering module 15 receives another message authentication code MAC2, relatively whether another message authentication code MAC2 are identical with message authentication code MAC1 by wherein secure access unit 43, if it is identical, the system authentication success, execution in step S102, if inequality, system authentication is unsuccessful, end operation.
According to a method embodiment of the present invention, preferably, described method also comprises initialization hair fastener step:
Subscriber identity information and access key that S201 serial received user sends by system software 25;
S202 deposits subscriber identity information in by the radio communication mode in the basic document of file storage unit 32 of CPU card 11, and access key is stored in the secure file.
Preferably, but also attachment device sequence number and CPU card sequence number during the encrypting user identity information, and after the success of system authentication step, CPU card 11 and backend information deciphering module 15 transmit sequence numbers separately mutually.When the encrypting user identity information, except that adopting random number x, subscriber identity information, at affix device sequence number and CPU card sequence number, the subscriber identity information that makes encryption obtain is safer, is difficult for cracking.
According to a method embodiment of the present invention, when execution in step S103,14 serials of front-end information read module send the subscriber identity information and the random number of encrypting and adopt the RS-485 agreement.In the present invention, the visit of CPU card is met the ISO14443 standard, and aspect safety certification, meet the ISO7816 standard.
The system that the method according to this invention is implemented can be applicable to variously have in the discrepancy access control system that high safety requires, and it can accomplish therefore have very high security to the merchant of system, to card and to the safety encipher authentication of equipment three aspects.
The invention is not restricted to above-mentioned specific embodiment, do not deviating under the spirit and scope of the present invention situation, can revise arbitrarily and be out of shape it.The embodiment of these modifications and distortion still falls within protection scope of the present invention, and therefore, the present invention only is limited to the appended claims.

Claims (10)

1. contactless many application safeties of CPU card authenticated encryption system is characterized in that, comprising:
Send the CPU card (11) of the subscriber identity information of encrypting by RF-wise;
Be used to receive the subscriber identity information of described encryption and be decrypted the reader device (12) that obtains the original user identity information, and
Receive described original user identity information that described reader device (12) sends and carry out the control device (13) of corresponding operating according to its authority, wherein said reader device (12) also comprises:
Receive by RF-wise described encryption subscriber identity information front-end information read module (14) and connected in seriesly go up with long-range reception and decipher the backend information deciphering module (15) of the subscriber identity information of described encryption at described front-end information read module (14).
2. contactless many application safeties of CPU card authenticated encryption system as claimed in claim 1, it is characterized in that, described system also comprise with the radio communication of described CPU card and with the card-issuing device (22) of system software (25) serial communication, subscriber identity information and access key that the described system software of described card-issuing device (22) serial received (25) sends write described access key and described subscriber identity information in the file storage unit (32) of described CPU card (11) with secure file type and basic document type respectively by RF-wise.
3. contactless many application safeties of CPU card authenticated encryption system as claimed in claim 2, it is characterized in that described CPU card comprises: file storage unit (32), cryptographic algorithm unit (33), random number generation unit (34), Transmit Receive Unit (35) and the central controlled processing unit (31) of carrying out following operation by control bus coordinative file storage unit (32), cryptographic algorithm unit (33), random number generation unit (34), Transmit Receive Unit (35):
Carry out system authentication mutually with described backend information deciphering module (15), if the described subscriber identity information in the described file storage unit (32) is then obtained in the system authentication success, if get nowhere then end operation;
Adopt first cryptographic algorithm that the random number x that described subscriber identity information and described random number generation unit (34) produce is carried out computing by described cryptographic algorithm unit (33), obtain the subscriber identity information of described encryption;
Described Transmit Receive Unit (35) sends the subscriber identity information and the described random number x of described encryption.
4. contactless many application safeties of CPU card authenticated encryption system as claimed in claim 3, it is characterized in that, described front-end information read module (14) comprise Transmit Receive Unit (54), serial Transmit-Receive Unit (52) and by control bus coordinate control described Transmit Receive Unit (54), serial Transmit-Receive Unit (52) is worked to finish the central controlled processing unit (51) of following operation:
Radio frequency receives the subscriber identity information and the described random number x of the described encryption of described CPU card (11); And
Serial sends the subscriber identity information and the described random number x of described encryption.
5. contactless many application safeties of CPU card authenticated encryption system as claimed in claim 4, it is characterized in that described backend information deciphering module (15) comprises serial Transmit-Receive Unit (42), secure access unit (43), Wei root output unit (45) and coordinates control described serial Transmit-Receive Unit (42), secure access unit (43), Wei root output unit (45) by control bus and work to finish the central controlled processing unit (41) of following operation:
The subscriber identity information and the random number x of the described encryption of serial received are sent to described secure access unit (43);
Adopt the logic opposite that the subscriber identity information of described encryption and random number x are carried out computing by described secure access unit (43) and obtain described original subscriber identity information with described first cryptographic algorithm; And
Abide by Wei root agreement described original subscriber identity information is sent to described control device (13).
6. contactless many application safeties of CPU card authentication encryption method is characterized in that, said method comprising the steps of:
S101 CPU card (11) and backend information deciphering module (15) carry out system authentication, if authentication success then obtain the subscriber identity information and the execution in step S102 of storage in advance, if unsuccessful, execution in step S106 end operation then;
The described CPU card of S102 (11) adopts first cryptographic algorithm that described subscriber identity information and random number x are carried out computing, and the subscriber identity information that obtains encrypting sends the subscriber identity information and the described random number x of described encryption then with RF-wise;
S103 front-end information read module (14) receives the subscriber identity information and the described random number x of described encryption, and sends with serial mode;
S104 backend information deciphering module (15) receives subscriber identity information, the random number x of described encryption and adopts the logic opposite with described first cryptographic algorithm to carry out computing and obtains subscriber identity information;
S105 backend information deciphering module (15) is abideed by Wei root agreement described subscriber identity information is sent to described control device (13);
S106 finishes this operation.
7. contactless many application safeties of CPU card authentication encryption method as claimed in claim 6 is characterized in that in step S101, described system authentication is further comprising the steps of:
Secure access unit (43) in the described backend information deciphering module of S101a (15) carries out computing with its access key stored in advance and random number y with second cryptographic algorithm, obtains message authentication code MAC1, and sends described random number y;
Described random number y is received in the described CPU clamping of S101b, and carries out computing with the access key that is stored in the secure file with described second cryptographic algorithm, obtains another message authentication code MAC2, sends described another message authentication code MAC2;
The described backend information deciphering module of S101c (15) receives described another message authentication code MAC2, whether identical by wherein secure access unit (43) more described another message authentication code MAC2 with described message authentication code MAC1, if it is identical, the system authentication success, then carry out described step S102, if inequality, system authentication is unsuccessful, end operation.
8. contactless many application safeties of CPU card authentication encryption method as claimed in claim 6 is characterized in that before step S101, described method also comprises initialization hair fastener step:
Described subscriber identity information and access key that S201 serial received user sends by system software (25);
S202 deposits described subscriber identity information in by the radio communication mode in the basic document of file storage unit (32) of described CPU card (11), and described access key is stored in the secure file.
9. as each described contactless many application safeties of CPU card authentication encryption method among the claim 6-8, it is characterized in that, but described subscriber identity information is attachment device sequence number and CPU card sequence number also, after described system authentication step success, described CPU card (11) and the mutual sequence number that transmits separately of described backend information deciphering module (15).
10. contactless many application safeties of CPU card authentication encryption method as claimed in claim 8, it is characterized in that, when execution in step S103, subscriber identity information and described random number that described front-end information read module (14) serial sends described encryption adopt the RS-485 agreement.
CN2009101066715A 2009-04-16 2009-04-16 Security certification and encryption method and system of multi-application noncontact-type CPU card Expired - Fee Related CN101866411B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101066715A CN101866411B (en) 2009-04-16 2009-04-16 Security certification and encryption method and system of multi-application noncontact-type CPU card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009101066715A CN101866411B (en) 2009-04-16 2009-04-16 Security certification and encryption method and system of multi-application noncontact-type CPU card

Publications (2)

Publication Number Publication Date
CN101866411A true CN101866411A (en) 2010-10-20
CN101866411B CN101866411B (en) 2012-07-25

Family

ID=42958133

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009101066715A Expired - Fee Related CN101866411B (en) 2009-04-16 2009-04-16 Security certification and encryption method and system of multi-application noncontact-type CPU card

Country Status (1)

Country Link
CN (1) CN101866411B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102346862A (en) * 2011-09-20 2012-02-08 飞天诚信科技股份有限公司 Authentication method and device of contactless card
CN103606223A (en) * 2013-11-15 2014-02-26 深圳市捷顺科技实业股份有限公司 Card authentication method and device
CN103971149A (en) * 2013-01-24 2014-08-06 国民技术股份有限公司 Smart card device and authentication method of smart card device
CN104732614A (en) * 2013-12-18 2015-06-24 同方锐安科技有限公司 Access device for encrypting wiegand protocol signal and encryption and decryption method thereof
CN107465655A (en) * 2016-06-03 2017-12-12 质子世界国际公司 Pass through the card certification of contactless reading
CN108075887A (en) * 2016-11-15 2018-05-25 北京维森科技有限公司 For method, cloud platform, user equipment and the system of CPU card encryption certification
CN111582422A (en) * 2020-04-10 2020-08-25 全景智联(武汉)科技有限公司 CPU card anti-copy encryption method
CN114167804A (en) * 2021-11-10 2022-03-11 汤臣智能科技(深圳)有限公司 Authentication method and system for PLC encryption program

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102346862A (en) * 2011-09-20 2012-02-08 飞天诚信科技股份有限公司 Authentication method and device of contactless card
CN102346862B (en) * 2011-09-20 2014-02-05 飞天诚信科技股份有限公司 Authentication method and device of contactless card
CN103971149A (en) * 2013-01-24 2014-08-06 国民技术股份有限公司 Smart card device and authentication method of smart card device
CN103606223A (en) * 2013-11-15 2014-02-26 深圳市捷顺科技实业股份有限公司 Card authentication method and device
CN104732614A (en) * 2013-12-18 2015-06-24 同方锐安科技有限公司 Access device for encrypting wiegand protocol signal and encryption and decryption method thereof
CN107465655A (en) * 2016-06-03 2017-12-12 质子世界国际公司 Pass through the card certification of contactless reading
CN107465655B (en) * 2016-06-03 2020-08-28 质子世界国际公司 Authentication method and contactless communication circuit
CN108075887A (en) * 2016-11-15 2018-05-25 北京维森科技有限公司 For method, cloud platform, user equipment and the system of CPU card encryption certification
CN111582422A (en) * 2020-04-10 2020-08-25 全景智联(武汉)科技有限公司 CPU card anti-copy encryption method
CN114167804A (en) * 2021-11-10 2022-03-11 汤臣智能科技(深圳)有限公司 Authentication method and system for PLC encryption program

Also Published As

Publication number Publication date
CN101866411B (en) 2012-07-25

Similar Documents

Publication Publication Date Title
US6230267B1 (en) IC card transportation key set
CN101322424B (en) Method for issuer and chip specific diversification
US6385723B1 (en) Key transformation unit for an IC card
JP5050066B2 (en) Portable electronic billing / authentication device and method
US7707408B2 (en) Key transformation unit for a tamper resistant module
CN100533459C (en) Data safety reading method and safety storage apparatus thereof
CN101866411B (en) Security certification and encryption method and system of multi-application noncontact-type CPU card
CN101339597B (en) Method, system and equipment for upgrading read-write machine firmware
CN101329786B (en) Method and system for acquiring bank card magnetic track information or payment application for mobile terminal
WO2013155562A1 (en) Nfc card lock
CN106527673A (en) Method and apparatus for binding wearable device, and electronic payment method and apparatus
CN103812649B (en) Method and system for safety access control of machine-card interface, and handset terminal
CN101162535B (en) Method and system for realizing magnetic stripe card trading by IC card
US20140289129A1 (en) Method for secure contactless communication of a smart card and a point of sale terminal
CN103714295A (en) Financial integrated circuit card personalized data detecting method and system
CN201742425U (en) Non-contact type CPU card multi-application security authentication and encryption system
CN101330675B (en) Mobile payment terminal equipment
US11562346B2 (en) Contactless card with multiple rotating security keys
CN101571926A (en) Safe read-write device for IC cards and method for using same
CN105321069A (en) Method and device for realizing remote payment
CN101883357A (en) Method, device and system for mutual authentication between terminal and intelligent card
CN108418677A (en) Cipher key backup, restoration methods and device
CA3239475A1 (en) Key recovery based on contactless card authentication
CN103699853A (en) Smart SD (secure digital memory card) and control system and control method thereof
CN103514540A (en) USBKEY business realization method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP02 Change in the address of a patent holder

Address after: 518052 Nanshan District, Shenzhen, Yuquanlu Road, No. 116, Yi Ming building, building No. 6, building No., No. 602

Patentee after: Shenzhen SZGX Information Technology Co., Ltd.

Address before: 518052 Guangdong city of Shenzhen province Nanshan District Yuquanlu Road Yizhe building 6 floor

Patentee before: Shenzhen SZGX Information Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120725

Termination date: 20160416