CN101916476A - Mobile data transmission method based on combination of SD (Secure Digital) encrypted card and short-distance wireless communication technology - Google Patents


Info

Publication number
CN101916476A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
step
authentication
mobile terminal
bank
server
Prior art date
Application number
CN 201010226932
Other languages
Chinese (zh)
Inventor
冯卫东
张佳文
Original Assignee
江苏银邦信息技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date


Abstract

The invention discloses a mobile data transmission method based on the combination of an SD (Secure Digital) encryption card and short-range wireless communication technology, belonging to the field of communication. The method comprises the steps of: 1, acquiring the consumption amount information; 2, checking whether the amount exceeds the micropayment limit, going to step 3 if so and to step 4 if not; 3, logging in to mobile terminal banking, then going to step 5; 4, checking whether the micropayment balance is sufficient, going to step 6 if so and to step 3 if not; 5, carrying out the business process through mobile terminal banking, or 6, carrying out the micropayment, and then completing the payment. The invention can effectively resolve the problem of funds floating on various cards, so that money on a bank card not only earns a certain interest income but is also more convenient for consumers. A bank can thus cooperate with a mobile terminal operator to disintermediate, so that the bank's funds go directly to end consumption, the consumption information stream flows directly into the bank's information system, and information processing becomes more efficient.

Description

Mobile data transmission method based on the combination of an SD encryption card and short-range wireless communication technology

Technical Field

[0001] The present invention relates to short-range wireless communication technology and smart-card encryption technology, and in particular to a method that combines the two to realize data transmission for a wireless terminal system, used to implement secure mobile payment.

Background

[0002] The old mobile payment models comprise payment from the mobile terminal's phone-bill account (implemented via SMS, WAP, two-dimensional codes, RF-SIM, etc.) and "mobile terminal + bank" payment. The former is micropayment, the latter is large-value payment. Micropayment is constrained by the mobile terminal's phone-bill account, which runs against consumers' natural wish to spend freely, so it serves only as a transition toward the "mobile terminal + bank" model. The current "mobile terminal + bank" model, however, has no credible security guarantee. The old payment models face the following problems. Encryption and timeliness are the main obstacles to the spread of mobile terminal payment: although a WAP-capable mobile terminal can use the mobile network's encryption when paying, this does not, relatively speaking, guarantee security very effectively. If SMS confirmation is introduced to give mobile terminal payment a second confirmation step, SMS relay problems may prevent the message from arriving in time and disrupt the payment flow. The lack of identity verification is the second major reason limiting mobile payment applications. When the mobile terminal is used only as a call device, password protection is not very important;
but when it is used as a payment device, mobile informatization raises the importance of handheld terminals such as mobile terminals, and loss of the device, a compromised password or a virus outbreak can all cause major losses. The lack of a credit system is the third major reason limiting mobile informatization applications. In mobile terminal payment, some micropayments can be bundled into the mobile terminal's phone bill, but phone-bill overdrafts and deliberate non-payment are very common, and weak credit awareness and an imperfect credit system also constrain the spread and promotion of mobile informatization.

[0003] Limited by their size, mobile terminals cannot offer external interfaces comparable to a computer's; for online payment they still rely on measures such as dynamic passwords or downloaded soft keys, whose security cannot match that of a computer with a USB key (U shield). This is an important factor restricting the development of mobile terminal payment. To guarantee the security of mobile terminal banking, the way the digital certificate is stored is particularly important. An SD encryption card is the most secure storage method and can provide strong smart-card-based identity authentication, solving the security problem of mobile payment. Mobile handheld terminal devices usually have an SD memory card interface. An SD encryption card looks the same as an ordinary SD card and also has the storage function of an ordinary SD card. The difference is that the SD encryption card has a built-in smart-card chip and a certain amount of storage space that can hold the user's private key and digital certificate. The client certificate is stored on the SD encryption card and used for identity authentication and digital signature.

[0004] A certificate stored on the SD encryption card cannot be exported or copied, and using the SD encryption card requires entering the card's protection password. Using the certificate therefore requires physically obtaining its storage medium, the SD encryption card, and knowing the card's protection password; this is the two-factor authentication mechanism.

Summary of the Invention

[0005] The main object of the present invention is to provide a novel mobile data transmission method based on the combination of an SD encryption card (MiniSD, Micro SD or standard SD) with short-range wireless communication technology, used to implement secure mobile payment. Large-value payment relies on mobile terminal banking, establishing a complete payment system that covers both micropayment and large-value payment.

[0006] The process flow of the present invention is:

[0007] Step 1: obtain the consumption amount information;

[0008] Step 2: check whether the amount exceeds the micropayment limit; if it does, go to step 3; if not, go to step 4;

[0009] Step 3: log in to mobile terminal banking, then go to step 5;

[0010] Step 4: check whether the micropayment balance is sufficient; if so, go to step 6; if not, go to step 3;

[0011] Step 5: mobile terminal banking processes the transaction, then go to step 7;

[0012] Step 6: make the micropayment, then go to step 7;

[0013] Step 7: payment complete.

[0014] Micropayment is completed as a real-time direct payment by a mobile terminal (laptop, smartphone, PDA) with short-range wireless communication capability (RF-SIM, SIMpass, NFC), without logging in to mobile terminal banking. For large-value payments beyond the micropayment capacity, the "RFID mobile terminal + bank + SD encryption card" mobile terminal banking model is used. One person, one card and one key are bound together in the system; the system decides the payment method according to the amount, and when the electronic wallet balance for micropayment is insufficient, it can be topped up in time through mobile terminal banking, achieving basic coverage of everyday payments.

[0015] When the mobile terminal has a business need to access bank resources, the specific steps are as follows:

[0016] The mobile terminal sends a connection request to the bank's VPN gateway; on receiving the request, the VPN gateway establishes an encrypted channel with the mobile terminal, and the mobile terminal sends its certificate information to the VPN gateway;

[0017] After receiving the mobile terminal's certificate, the VPN gateway confirms the user's certificate information through the certificate server; if authentication passes, the VPN gateway assigns an intranet IP address to the mobile terminal, and the VPN connection is established. After receiving the logged-in user's information, the security management server looks up the security policy assigned to the user by the user's mobile terminal number and applies that policy to the intranet firewall; when the client initiates a request to a bank service, the intranet firewall checks its legitimacy.

[0018] The method achieves full coverage of communication networks. It supports the networks of the China Mobile, China Telecom and China Unicom operators. Network access supports GPRS, WiFi, 3G and 4G networks as well as infrared and Bluetooth synchronization. The whole mobile payment value chain includes mobile network operators (China Mobile, China Telecom, China Unicom, etc.), payment service providers (payment platforms, banks, etc.), content service providers, equipment providers (terminal manufacturers, card suppliers, chip providers, etc.), system integrators, merchants and end users.

[0019] The present invention can effectively resolve the problem of funds floating on various cards, so that money on a bank card not only earns a certain interest income but is also more convenient for consumers. This lets banks cooperate with mobile terminal operators to disintermediate: the bank's funds go directly to end consumption, the consumption information stream flows directly into the bank's information system, and information processing becomes more efficient.

[0020] The method is a smart-card-based security application and achieves: strong smart-card-based identity authentication; integrated OTP functionality for OTP login and VPN login; a mobile-terminal-to-bank communication process that cannot be copied; and a basis in a PKI system.

[0021] The present invention is mainly used to build a complete payment platform that lets users manage mobile terminal banking while also enjoying financial services such as bank transfers, securities trading and foreign exchange trading.

Brief Description of the Drawings:

[0022] Figure 1 is a flowchart of the steps of the present invention.

[0023] Figure 2 is a flowchart of a complete embodiment of the present invention.

[0024] Figure 3 is a flowchart of the SSL authentication process of the present invention.

Detailed Description:

[0025] The method is based on an SD encryption card and short-range wireless communication technology. Using short-range wireless communication technologies such as RF-SIM, SIMpass and NFC, the mobile terminal is bound to the bank card to realize contactless mobile payment: the user only has to bring the mobile terminal near a POS machine equipped with an RFID reader to complete a micropayment, or to push the user information for a large-value payment so that the online banking back end generates the transaction record. Combined with the terminal device, short-range wireless communication technology provides identity recognition applications and services to the user.

[0026] A specific embodiment of the method, shown in Figure 2, has the following steps:

[0027] 1. The terminal device is brought near the POS machine, which obtains the user's account information.

[0028] 2. The POS machine determines the consumption type from the size of the amount.

[0029] If it is a micropayment, the amount is paid directly from the electronic wallet.

[0030] If it is a large-value payment, the POS machine stops the card operation and passes the consumer information and consumption information to the back-end server.

[0031] 3. The POS prompts for mobile terminal banking payment, and at the same time the back-end server pushes an SMS to the user containing a secure URL for the transaction.

[0032] 4. The user opens the secure page, confirms the consumption information and enters the SD encryption card PIN for validity verification.

[0033] 5. The SD encryption card digitally signs the transaction information.

[0034] 6. The online banking back-end system verifies the signature.

[0035] 7. The transaction is complete.

[0036] The method uses the SD encryption card to encrypt the transmitted mobile data, so that only the intended recipient can understand the data sent over the network. Both the SD encryption card and the server hold digital certificates signed by a third-party authority, so the two parties connected over the network can authenticate each other's identity. The mobile terminal using the SD encryption card acts as the SSL client. In two-way SSL identity authentication, the SSL client application verifies the identity of the SSL server application, and the server application then verifies the identity of the SSL client application.

[0037] The VPN client in the smart mobile terminal's operating system connects to the VPN gateway, using SSL encryption and CA authentication to secure Internet communication.

[0038] As shown in Figure 3, the SD encryption card implements the SSL VPN + dynamic password authentication process:

[0039] (1) The SD encryption card serves as the key and as the dynamic password token.

[0040] (2) The unified CA authentication server serves as the AAA authorization server.

[0041] (3) The OTP Server serves as the dynamic password authentication server.

[0042] The authentication request process is:

[0043] (1) The user passes the SD encryption card PIN check and requests SSL mutual authentication.

[0044] (2) Both parties exchange certificates; after verifying the server's identity, the user sends the authentication request to the SSL VPN device.

[0045] (3) The SSL VPN device does no authorization itself, so it forwards the authentication request to the unified CA authentication server over the TACACS protocol.

[0046] (4) Because the unified CA authentication server does not support dynamic password authentication, it forwards the password authentication to the OTP Server over the RADIUS protocol for identity authentication.

[0047] The authentication response process is:

[0048] (1) After the OTP Server verifies the password, it likewise returns over RADIUS whether the user is legitimate to the unified CA authentication server.

[0049] (2) Having obtained the user's legitimacy, the unified CA authentication server decides whether to return a request-failed result or to authorize the user and grant the user's permissions, and sends this result to the SSL VPN.

[0050] (3) The SSL VPN obtains the result returned by the CA authentication server and sends it back in response to the user's authentication request.
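The request/response chain of Figure 3 above, as an added Python simulation that is not part of the patent: the SD encryption card keeps a PIN-protected OTP seed that never leaves the card object, the SSL VPN device only relays, the unified CA server authorizes and attaches permissions, and the OTP Server validates the code. TACACS and RADIUS are modelled as in-process calls, and the HOTP-style truncation over HMAC-SHA-1, the six-digit code, the look-ahead window and the three-try PIN lockout are assumptions.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6
MAX_PIN_TRIES = 3  # assumption: smart-card style PIN retry counter


def hotp(seed: bytes, counter: int) -> str:
    """Event-based OTP over HMAC-SHA-1 (SHA-1 is among the card's listed
    hardware algorithms; the HOTP-style truncation is an assumption)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class SDEncryptionCard:
    """Seed and PIN never leave the object; the only exported operation is
    'produce an authentication request after a correct PIN'."""
    def __init__(self, user_id: str, pin: str, seed: bytes):
        self._user_id, self._pin, self._seed = user_id, pin, seed
        self._counter, self._tries_left = 0, MAX_PIN_TRIES

    def _verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:  # card locked after too many bad PINs
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left = MAX_PIN_TRIES
            return True
        self._tries_left -= 1
        return False

    def authentication_request(self, pin: str):
        """Request step (1): PIN check, then an OTP computed 'in hardware';
        the counter advances so each code is single-use."""
        if not self._verify_pin(pin):
            return None
        code = hotp(self._seed, self._counter)
        self._counter += 1
        return {"user": self._user_id, "otp": code}


class OTPServer:
    """Dynamic password server: same seed per user, small look-ahead window."""
    def __init__(self, seeds: dict, window: int = 5):
        self._seeds = dict(seeds)
        self._counters, self._window = {u: 0 for u in seeds}, window

    def radius_authenticate(self, user: str, otp: str) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        start = self._counters[user]
        for c in range(start, start + self._window):
            if hmac.compare_digest(hotp(seed, c), otp):
                self._counters[user] = c + 1  # consumed: a replay fails
                return True
        return False


class UnifiedCAServer:
    """AAA server: delegates the password check, then fails or authorizes
    the user with the permissions from its policy table."""
    def __init__(self, otp_server: OTPServer, policies: dict):
        self._otp, self._policies = otp_server, policies

    def tacacs_authorize(self, request: dict) -> dict:
        if not self._otp.radius_authenticate(request["user"], request["otp"]):
            return {"result": "fail"}
        perms = list(self._policies.get(request["user"], []))
        return {"result": "authorized", "permissions": perms}


class SSLVPNDevice:
    """Does no authorization itself: forwards and relays the verdict."""
    def __init__(self, ca_server: UnifiedCAServer):
        self._ca = ca_server

    def handle(self, request) -> dict:
        if request is None:  # the card refused: PIN wrong or card locked
            return {"result": "fail"}
        return self._ca.tacacs_authorize(request)


def run_scenario() -> dict:
    """Constructed walk-through: good login, replay of the same OTP, wrong
    PIN, second good login, then lockout after repeated bad PINs."""
    seed = b"constructed-seed-for-user-1001"  # shared at card provisioning
    card = SDEncryptionCard("1001", "4821", seed)
    ca = UnifiedCAServer(OTPServer({"1001": seed}), {"1001": ["transfer"]})
    vpn = SSLVPNDevice(ca)
    first = card.authentication_request("4821")
    out = {"first": vpn.handle(first)}
    out["replay"] = vpn.handle(dict(first))  # same OTP presented again
    out["wrong_pin"] = vpn.handle(card.authentication_request("0000"))
    out["second"] = vpn.handle(card.authentication_request("4821"))
    for _ in range(MAX_PIN_TRIES):
        card.authentication_request("1111")
    out["after_lockout"] = vpn.handle(card.authentication_request("4821"))
    return out
```

Call `run_scenario()` to see the verdicts; the replay and post-lockout attempts fail even though the OTP server still holds the correct seed, because the code is single-use and the card refuses to compute a fresh one.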

[0051] The large-value payment security of the present invention is guaranteed as follows:

[0052] Mobile handheld terminal devices usually have an SD memory card interface. An SD encryption card looks the same as an ordinary SD card and also has the storage function of an ordinary SD card. The difference is that the SD encryption card has a built-in smart-card chip and a certain amount of storage space that can hold the user's private key and digital certificate. The client certificate is stored on the SD encryption card and used for identity authentication and digital signature.

[0053] A certificate stored on the SD encryption card cannot be exported or copied, and using the SD encryption card requires entering the card's protection password. Using the certificate therefore requires physically obtaining its storage medium, the SD encryption card, and knowing the card's protection password; this is the two-factor authentication mechanism.

[0054] In this method, the SD encryption card encapsulates the OTP seed key in its smart chip, ensuring that the seed key is secure and cannot be copied; using the 3DES/AES/SHA-1 algorithms built into the SD encryption card, the OTP computation is done in hardware. In this way the SD encryption card combines PKI technology with OTP technology and supports multiple seed keys, online seed key generation, online OTP management and other functions.

[0055] Analysis of the SD encryption card's security mechanisms:

[0056] Hardware PIN protection. Both the user's SD encryption card hardware and the user's PIN are needed to log in to the system. Even if the user's PIN is leaked, as long as the user's SD encryption card is not stolen, the legitimate user's identity cannot be impersonated; if the user's SD encryption card is lost, the finder cannot impersonate the legitimate user either, because they do not know the PIN.

[0057] Secure storage medium. The SD encryption card's keys are stored in a secure medium that external users cannot read directly; reading, writing and modifying the key file must be done by a program inside the SD encryption card. From outside the SD encryption card's interface, no command can read, modify, update or delete the contents of the key area.

[0058] Public key cryptosystem. The public key cryptosystem and digital certificates guarantee the SD encryption card's security from a cryptographic standpoint. When the SD encryption card is initialized, the cryptographic algorithm program is first burned into ROM, and a key-pair generation program then generates a public/private key pair; once generated, the public key can be exported from the SD encryption card while the private key is stored in the key area, where external access is not allowed. During digital signing and asymmetric decryption, cryptographic operations involving the private key are completed entirely inside the chip, so the private key never leaves the SD encryption card medium at any point; this guarantees that digital certificate authentication with the SD encryption card as storage medium is invulnerable in security terms.

[0059] Hardware implementation of cryptographic algorithms. The SD encryption card has a built-in CPU or smart-card chip that implements the various algorithms for data digests, data encryption/decryption and signatures; encryption and decryption are performed inside the SD encryption card, ensuring that the user's key never appears in the computer's memory.


Claims (9)

  1. A mobile data transmission method based on the combination of an SD encryption card and short-range wireless communication technology, characterized in that the steps are as follows: step 1, obtain the consumption amount information; step 2, check whether the amount exceeds the micropayment limit; if it does, go to step 3; if not, go to step 4; step 3, log in to mobile terminal banking, then go to step 5; step 4, check whether the micropayment balance is sufficient; if so, go to step 6; if not, go to step 3; step 5, mobile terminal banking processes the transaction, then go to step 7; step 6, make the micropayment, then go to step 7; step 7, payment complete.
  2. The mobile data transmission method according to claim 1, characterized in that the further detailed steps are: 1, the terminal device is brought near the POS machine, which obtains the user's account information; 2, the POS machine determines the consumption type from the size of the amount; if it is a micropayment, the amount is paid directly from the electronic wallet; if it is a large-value payment, the POS machine stops the card operation and passes the consumer information and consumption information to the back-end server; 3, the POS prompts for mobile terminal banking payment, and at the same time the back-end server pushes an SMS to the user containing a secure URL for the transaction; 4, the user opens the secure page, confirms the consumption information and enters the SD encryption card PIN for validity verification; 5, the SD encryption card digitally signs the transaction information; 6, the online banking back-end system verifies the signature; 7, the transaction is complete.
  3. The mobile data transmission method according to claim 1 or 2, characterized in that said micropayment is completed as a real-time direct payment by a mobile terminal with short-range wireless communication capability (RF-SIM, SIMpass, NFC).
  4. The mobile data transmission method according to claim 1 or 2, characterized in that said step 5 is specifically a large-value payment made by logging in to mobile terminal banking.
  5. The mobile data transmission method according to claim 4, characterized in that said large-value payment uses the "RFID mobile terminal + bank + SD encryption card" mobile terminal banking method.
  6. The mobile data transmission method according to claim 1, characterized in that said step 5 is specifically logging in to mobile terminal banking to top up the micropayment balance.
  7. The mobile data transmission method according to claim 1, characterized in that when said step 3 accesses bank resources, the specific steps are as follows: a connection request is sent to the bank's VPN gateway; on receiving the request, the VPN gateway establishes an encrypted channel with the mobile terminal, and the mobile terminal sends its certificate information to the VPN gateway; after receiving the mobile terminal's certificate, the VPN gateway confirms the user's certificate information through the certificate server; if authentication passes, the VPN gateway assigns an intranet IP address to the mobile terminal, and the VPN connection is established; after receiving the logged-in user's information, the security management server looks up the security policy assigned to the user by the user's mobile terminal number and applies that policy to the intranet firewall; when the client initiates a request to a bank service, the intranet firewall checks its legitimacy.
  8. The mobile data transmission method according to any one of claims 1, 2 or 7, characterized in that the mobile terminal using the SD encryption card acts as the SSL client, and in two-way SSL identity authentication the SSL client application verifies the identity of the SSL server application and the server application then verifies the identity of the SSL client application.
  9. The mobile data transmission method according to claim 8, characterized in that the SD encryption card implements the SSL VPN + dynamic password authentication process: (1) the SD encryption card serves as the key and as the dynamic password token; (2) the unified CA authentication server serves as the AAA authorization server; (3) the OTP Server serves as the dynamic password authentication server; authentication request process: (1) the user passes the SD encryption card PIN check and requests SSL mutual authentication; (2) both parties exchange certificates, and after verifying the server's identity the user sends the authentication request to the SSL VPN device; (3) the SSL VPN device does no authorization itself, so it forwards the authentication request to the unified CA authentication server over the TACACS protocol; (4) because the unified CA authentication server does not support dynamic password authentication, it forwards the password authentication to the OTP Server over the RADIUS protocol for identity authentication; authentication response process: (1) after the OTP Server verifies the password, it likewise returns over RADIUS whether the user is legitimate to the unified CA authentication server; (2) having obtained the user's legitimacy, the unified CA authentication server decides whether to return a request-failed result or to authorize the user and grant the user's permissions, and sends this result to the SSL VPN; (3) the SSL VPN obtains the result returned by the CA authentication server and sends it back in response to the user's authentication request.

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201010111729.8 2010-02-11
CN201010111729 2010-02-11
CN 201010226932 CN101916476A (en) 2010-02-11 2010-07-05 Mobile data transmission method based on combination of SD (Secure Digital) encrypted card and short-distance wireless communication technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010226932 CN101916476A (en) 2010-02-11 2010-07-05 Mobile data transmission method based on combination of SD (Secure Digital) encrypted card and short-distance wireless communication technology

Publications (1)

Publication Number Publication Date
CN101916476A (en) 2010-12-15

Family

ID=43323976

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010226932 CN101916476A (en) 2010-02-11 2010-07-05 Mobile data transmission method based on combination of SD (Secure Digital) encrypted card and short-distance wireless communication technology

Country Status (1)

Country Link
CN (1) CN101916476A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102156897A (en) * 2011-03-30 2011-08-17 惠州Tcl移动通信有限公司 Secure digital card and method for realizing near field communication function on same
CN102184377A (en) * 2011-04-26 2011-09-14 杭州五魁首信息技术有限公司 Identity identification device and identity identification method based on radio frequency identification technology
CN102546571A (en) * 2010-12-31 2012-07-04 国民技术股份有限公司 Identity authentication system and method
CN102611551A (en) * 2011-01-20 2012-07-25 深圳市文鼎创数据科技有限公司 Physical authentication method, physical authentication device, and dynamic password token
CN103366271A (en) * 2013-06-20 2013-10-23 拉卡拉支付有限公司 Data processing system, device and method
CN103457729A (en) * 2012-05-31 2013-12-18 阿里巴巴集团控股有限公司 Safety equipment, service terminal and encryption method
CN105099691A (en) * 2014-05-23 2015-11-25 李亮 Method achieving computer Internet banking authentication by utilization of mobile phone

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546571B (en) 2010-12-31 2014-10-15 国民技术股份有限公司 An identity authentication system and authentication method
CN102546571A (en) * 2010-12-31 2012-07-04 国民技术股份有限公司 Identity authentication system and method
CN102611551A (en) * 2011-01-20 2012-07-25 深圳市文鼎创数据科技有限公司 Physical authentication method, physical authentication device, and dynamic password token
CN102156897A (en) * 2011-03-30 2011-08-17 惠州Tcl移动通信有限公司 Secure digital card and method for realizing near field communication function on same
WO2012130130A1 (en) * 2011-03-30 2012-10-04 惠州Tcl移动通信有限公司 Security digital card and method for implementing near field communication on security digital card
CN102184377A (en) * 2011-04-26 2011-09-14 杭州五魁首信息技术有限公司 Identity identification device and identity identification method based on radio frequency identification technology
CN103457729A (en) * 2012-05-31 2013-12-18 阿里巴巴集团控股有限公司 Safety equipment, service terminal and encryption method
CN103366271A (en) * 2013-06-20 2013-10-23 拉卡拉支付有限公司 Data processing system, device and method
CN105099691A (en) * 2014-05-23 2015-11-25 李亮 Method achieving computer Internet banking authentication by utilization of mobile phone

Similar Documents

Publication Publication Date Title
US8539569B2 (en) Systems and methods for facilitating user authentication over a network
Schwiderski-Grosche et al. Secure mobile commerce
US6915272B1 (en) System and method of secure payment and delivery of goods and services
US20130226813A1 (en) Cyberspace Identification Trust Authority (CITA) System and Method
US7861077B1 (en) Secure authentication and transaction system and method
US7784684B2 (en) Wireless computer wallet for physical point of sale (POS) transactions
US20090307142A1 (en) Trusted service manager (tsm) architectures and methods
US20070118745A1 (en) Multi-factor authentication using a smartcard
US20150140960A1 (en) Automated Account Provisioning
US20110103586A1 (en) System, Method and Device To Authenticate Relationships By Electronic Means
US20090070263A1 (en) Peer to peer fund transfer
US20030055738A1 (en) Method and system for effecting an electronic transaction
US20040143730A1 (en) Universal secure messaging for remote security tokens
US20080235513A1 (en) Three Party Authentication
EP2098985A2 (en) Secure financial reader architecture
WO2012167941A1 (en) Method to validate a transaction between a user and a service provider
US20070130462A1 (en) Asynchronous encryption for secured electronic communications
CN101373528A (en) Electronic payment system, device and method based on position authentication
CN101853453A (en) System and method for realizing mobile payment
US20090222383A1 (en) Secure Financial Reader Architecture
CN101034449A (en) Method, system and mobile terminal for implementing electronic payment
CN101394615A (en) Mobile payment terminal and payment method based on PKI technique
JP2004247799A (en) Information system for access controlling using public key certificate
CN101483654A (en) Method and system for implementing authentication and data safe transmission
Tiwari et al. A multi-factor security protocol for wireless payment-secure web authentication using mobile devices

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C12 Rejection of a patent application after its publication