CN102148799A - Key downloading method and system - Google Patents

Publication number
CN102148799A
CN102148799A CN2010101065429A CN201010106542A CN102148799A CN 102148799 A CN102148799 A CN 102148799A CN 2010101065429 A CN2010101065429 A CN 2010101065429A CN 201010106542 A CN201010106542 A CN 201010106542A CN 102148799 A CN102148799 A CN 102148799A
Authority
CN
China
Legal status
Granted
Application number
CN2010101065429A
Other languages
Chinese (zh)
Other versions
CN102148799B (en
Inventor
孙纲
Current Assignee
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Application filed by China Unionpay Co Ltd
Priority to CN201010106542.9A
Publication of CN102148799A
Application granted
Publication of CN102148799B
Legal status: Active

Abstract

The invention discloses a key downloading method, which comprises the steps as follows: a universal software interface corresponding to different types of terminal devices is established, wherein a software library comprises library files corresponding to different types of terminal devices; then a terminal device sends a key downloading request to a device providing key downloading through the universal software interface, and receives the key from the universal software interface after the downloading request is responded. The invention also provides a key downloading system, which comprises the universal software interface. The key downloading method and system rely on the compatibility of the universal software interface to enable different types of terminal devices to conveniently download the keys.

Description

Key downloading method and system
Technical field
The present invention relates to electronic payment technology, and in particular to key download technology in electronic payment.
Background art
With the rapid development of the electronic payment industry, including bank card payment, consumption card payment, trading card payment and other electronic payment technologies, electronic payment over networks is increasingly popular because it is fast and convenient. An electronic payment system generally comprises terminal equipment used by consumers, a payment platform, key management equipment and the like. The consumer enters consumption information (such as an account number and password) into the payment platform through the terminal equipment, and to ensure the security of that information electronic payment systems are generally deployed with a key management system.
Taking a bank card payment system as an example, it generally comprises terminal equipment (such as point-of-sale (POS) terminal equipment, a PIN pad (PINPAD) and the like), a key management equipment system, key storage media, an online transaction system and so on.
The terminal equipment has a communication function; it accepts bank card information and, following the operator's instructions, completes the financial transaction and the exchange of related information. Typically, at authorized payment venues such as shops and hotels, the POS terminal transmits upstream through the bank card payment system the magnetic track information of a bank card for which a cardholder personal identification number (PIN) has been set, and sends the PIN entered by the cardholder to the card issuer so that the issuer can confirm the legitimacy of the cardholder's identity. To prevent the PIN from being leaked or cracked, and so protect the cardholder's property, the PIN must be protected by encryption throughout the payment process and must never appear in plaintext. For this reason, POS terminals that accept PIN entry are currently equipped with a key management system.
As stated above, current POS terminals all need a key management system to guarantee the confidentiality and security of the PIN. Key management for a POS terminal can be divided into two levels: the terminal master key and the working key. The working key is generated by the terminal management system calling a hardware encryption machine, and is downloaded to the POS terminal, encrypted under the terminal master key, when the terminal registers with the terminal management system. If the terminal master key is intercepted in this process, everything in the working key, including the PIN encryption key and the key used for message authentication code (MAC) calculation, and even the PIN itself, is very likely to be cracked. Whether the terminal master key can be downloaded securely to the POS terminal is therefore one of the key points in protecting a bank card payment system. At present, the terminal master key is downloaded mainly in the following three ways:
Mode one: the master key is injected through the keyboard on the PINPAD.
Mode two: the master key is downloaded with the key download software provided by each manufacturer.
Mode three: the master key is downloaded through a mother POS. This mode can be subdivided into an online mode and an offline mode. In the online mode, a management PC sends the ciphertext of one terminal master key to the mother POS; the mother POS decrypts the terminal master key and sends its plaintext to the PIN pad; finally the PIN pad stores the plaintext key. In the offline mode, a management PC downloads information such as the ciphertexts of a large number of terminal master keys into the mother POS, and the mother POS then downloads the terminal master keys into the different PIN pads one by one.
Although the above modes achieve the purpose of downloading the terminal master key, each has drawbacks. In mode one, the plaintext or ciphertext of the terminal master key necessarily appears while the key is distributed to the PIN pad, so the risk of the key being leaked and cracked is high. In mode two, the download software provided by the different manufacturers is mutually incompatible, so the system cannot be compatible with the various kinds of terminal equipment; system maintenance becomes complicated, the demands on the number and technical skill of maintenance personnel are relatively high, and maintenance cost increases. Mode three likewise suffers from incompatibility with the various kinds of terminal equipment and from complicated operation, and the security of the terminal master key depends on the security of the transmission key in the mother POS and on the security of the line over which the key is downloaded.
Although the above uses a bank card payment system as the example to list what needs improvement, these problems are common to electronic key download in current electronic payment systems. As requirements on electronic payment security rise, how to make an electronic payment system compatible with the various kinds of terminal equipment during key download, so that keys are easy to maintain and can be downloaded securely to terminal equipment without high maintenance cost, is a problem in urgent need of a solution.
Summary of the invention
In view of the above problems, the invention provides a key downloading method that allows the terminal master key to be loaded into terminal equipment conveniently and securely while the electronic payment system remains compatible with the various kinds of terminal equipment.
The key downloading method of the present invention comprises: establishing a universal software interface (USI) corresponding to different types of terminal equipment, the software interface comprising library files corresponding to the different types of terminal equipment; and the terminal equipment, by calling the USI, sending a key download request to the equipment that provides key download and, after the download request has been responded to, receiving the requested key through the USI.
Preferably, the key downloading method of the present invention further comprises verifying the received key.
Preferably, the key comprises a terminal master key, and verifying the received key comprises: decrypting a predefined master key check key with the terminal master key that has been downloaded to the terminal equipment; performing encryption with the decrypted result; comparing a first number of bytes of the encrypted result with the check value of the master key check key; and storing the terminal master key when the comparison result is consistent.
Preferably, in the key downloading method of the present invention, when the comparison result is consistent, the terminal master key is stored according to a predefined master key identifier.
Preferably, in the key downloading method of the present invention, performing encryption with the decrypted result means encrypting 8 bytes of 0x00 with the decrypted result.
Preferably, in the key downloading method of the present invention, the first number of bytes is the first 4 bytes of the encrypted result.
Preferably, in the key downloading method of the present invention, the key further comprises a working key, and verifying the received key further comprises: decrypting the working key with the terminal master key; performing encryption with the decrypted result; comparing a second number of bytes of the encrypted result with the check value of the working key; and storing the working key when the comparison result is consistent.
Preferably, in the key downloading method of the present invention, when the comparison result is consistent, the working key is stored according to a predefined working key identifier.
Preferably, in the key downloading method of the present invention, performing encryption with the decrypted result means encrypting 8 bytes of 0x00 with the decrypted result.
Preferably, in the key downloading method of the present invention, the second number of bytes is the first 4 bytes of the encrypted result.
The present invention also provides interface equipment through which all kinds of terminal equipment can conveniently and securely request a key download from the equipment that provides key download, and obtain the key by means of this interface equipment.
The interface equipment of the present invention comprises: an input port and an output port; a memory module for storing the universal software interface (USI) corresponding to different types of terminal equipment, the USI further comprising library files corresponding to the different types of terminal equipment; and a processing module that handles calls to the USI from all kinds of terminal equipment, sends a key download request through the output port to the equipment that provides key download and, after receiving the requested key through the input port, sends the key to the terminal equipment through the output port.
The present invention also provides a key download system comprising terminal equipment and equipment that provides key download. The key download system further comprises interface equipment through which the terminal equipment and the equipment that provides key download communicate with each other, wherein the interface equipment comprises: an input port and an output port, the input port receiving data from the equipment that provides password download and from the terminal equipment, and the output port outputting data to the equipment that provides password download and to the terminal equipment; a memory module for storing the universal software interface (USI) corresponding to different types of terminal equipment, the USI further comprising library files corresponding to the different types of terminal equipment; and a processing module that handles calls to the USI from all kinds of terminal equipment, sends a key download request through the output port to the equipment that provides key download and, after receiving the key through the input port, sends the key to the terminal equipment through the output port.
Preferably, in the key download system of the present invention, the key comprises a terminal master key and the terminal equipment comprises a predefined master key check key; the terminal equipment decrypts the terminal master key check key with the terminal master key, performs encryption with the decrypted result, then compares a first number of bytes of the encrypted result with the master key check value, and stores the terminal master key when the comparison result is consistent.
Preferably, in the key download system of the present invention, when the comparison result is consistent, the terminal master key is stored according to a predefined master key identifier.
Preferably, in the key download system of the present invention, performing encryption with the decrypted result means encrypting 8 bytes of 0x00 with the decrypted result.
Preferably, in the key downloading method of the present invention, the first number of bytes is the first 4 bytes of the encrypted result.
Preferably, in the key download system of the present invention, the key also comprises a working key and the terminal equipment comprises a predefined working key check value; the terminal equipment decrypts the working key with the terminal master key, performs encryption with the decrypted result, further compares a second number of bytes of the encrypted result with the working key check value, and stores the working key when the comparison result is consistent.
Preferably, in the key download system of the present invention, when the comparison result is consistent, the working key is stored according to a predefined working key identifier.
Preferably, in the key download system of the present invention, performing encryption with the decrypted result means encrypting 8 bytes of 0x00 with the decrypted result.
Preferably, in the key download system of the present invention, the second number of bytes is the first 4 bytes of the encrypted result.
The present invention also provides a key distribution method, the method comprising: a first-level key distribution system distributing keys according to the identifiers of second-level key distribution systems, and a second-level key distribution system distributing keys to terminal site key distribution systems according to the identifiers of the terminal sites under its jurisdiction, characterized in that the distribution of keys from the terminal site key distribution system to terminal equipment comprises the steps of: establishing, in the terminal site key distribution system, a universal software interface (USI) corresponding to different types of terminal equipment, the software library comprising library files corresponding to the different types of terminal equipment; and the terminal equipment, by calling the USI, sending a key download request to the equipment that provides key download in the terminal site key distribution system and, after the download request has been responded to, the equipment that provides key download distributing the key to the terminal equipment through the USI.
Preferably, the key distribution method of the present invention further comprises verifying the key distributed to the terminal equipment.
Preferably, in the key distribution method of the present invention, the key comprises a terminal master key, and verifying the key distributed to the terminal equipment comprises: decrypting a predefined master key check key with the terminal master key that has been distributed to the terminal equipment; performing encryption with the decrypted result; comparing a first number of bytes of the encrypted result with the check value of the master key check key; and storing the terminal master key when the comparison result is consistent.
Preferably, in the key distribution method of the present invention, when the comparison result is consistent, the working key is stored according to a predefined working key identifier.
Preferably, in the key distribution method of the present invention, performing encryption with the decrypted result means encrypting 8 bytes of 0x00 with the decrypted result.
Preferably, in the key distribution method of the present invention, the second number of bytes is the first 4 bytes of the encrypted result.
Preferably, in the key distribution method of the present invention, the key further comprises a working key, and verifying the key distributed to the terminal equipment further comprises: decrypting the working key with the terminal master key; performing encryption with the decrypted result; comparing a second number of bytes of the encrypted result with the check value of the working key; and storing the working key when the comparison result is consistent.
Preferably, in the key distribution method of the present invention, when the comparison result is consistent, the working key is stored according to a predefined working key identifier.
Preferably, in the key distribution method of the present invention, performing encryption with the decrypted result means encrypting 8 bytes of 0x00 with the decrypted result.
Preferably, in the key distribution method of the present invention, the second number of bytes is the first 4 bytes of the encrypted result.
The present invention also provides a key distribution system comprising a first-level key distribution system and second-level key distribution systems. The first-level key distribution system distributes keys to each second-level key distribution system according to the identifier of that second-level key distribution system, and each second-level key distribution system distributes keys to each terminal site key distribution system according to the identifiers of the terminal sites under its jurisdiction, characterized in that the terminal site key distribution system comprises a key storage device and a key download system, the key download system comprising terminal equipment and equipment that provides key download. The key download system further comprises interface equipment through which the terminal equipment and the equipment that provides key download communicate with each other, wherein the interface equipment comprises: an input port and an output port, the input port receiving data from the equipment that provides password download and from the terminal equipment, and the output port outputting data to the equipment that provides password download and to the terminal equipment; a memory module for storing the universal software interface (USI) corresponding to different types of terminal equipment, the USI further comprising library files corresponding to the different types of terminal equipment; and a processing module that handles calls to the USI from all kinds of terminal equipment, sends a key download request through the output port to the equipment that provides key download and, after receiving the key through the input port, sends the key to the terminal equipment through the output port.
Preferably, in the key distribution system of the present invention, the key comprises a terminal master key and the terminal equipment comprises a predefined master key check key; the terminal equipment decrypts the terminal master key check key with the terminal master key, performs encryption with the decrypted result, then compares a first number of bytes of the encrypted result with the master key check value, and stores the terminal master key when the comparison result is consistent.
Preferably, in the key distribution system of the present invention, when the comparison result is consistent, the terminal master key is stored according to a predefined master key identifier.
Preferably, in the key distribution system of the present invention, performing encryption with the decrypted result means encrypting 8 bytes of 0x00 with the decrypted result.
Preferably, in the key distribution system of the present invention, the first number of bytes is the first 4 bytes of the encrypted result.
Preferably, in the key distribution system of the present invention, the key also comprises a working key and the terminal equipment comprises a predefined working key check value; the terminal equipment decrypts the working key with the terminal master key, performs encryption with the decrypted result, further compares a second number of bytes of the encrypted result with the working key check value, and stores the working key when the comparison result is consistent.
Preferably, in the key distribution system of the present invention, when the comparison result is consistent, the working key is stored according to a predefined working key identifier.
Preferably, in the key distribution system of the present invention, performing encryption with the decrypted result means encrypting 8 bytes of 0x00 with the decrypted result.
Preferably, in the key distribution system of the present invention, the second number of bytes is the first 4 bytes of the encrypted result.
When the key download system provided by the present invention is used or the key downloading method of the present invention is carried out, and when the key distribution system provided by the present invention is used or the key distribution method of the present invention is carried out, the compatibility of the universal software interface (USI) lets different types of terminal equipment conveniently access, through the USI, the equipment or system that provides key download, and receive the key through this interface. Furthermore, the compatibility of the USI avoids the need for different kinds of equipment to have different software interfaces, which effectively solves the problem of the system being incompatible with different kinds of terminal equipment and, in turn, the problem of difficult system maintenance. And because the terminal key does not have to be injected manually into the terminal equipment during terminal master key download, the security of the terminal master key is effectively safeguarded.
Description of drawings
Fig. 1 is a flow chart of the key downloading method of the present invention;
Fig. 2 is a detailed flow chart of step 102 shown in Fig. 1;
Fig. 2a is a flow chart of the master key check;
Fig. 2b is a flow chart of the working key check;
Fig. 3 is a structural diagram of the interface equipment of the present invention;
Fig. 4 is a structural diagram of the key download system of the present invention;
Fig. 5 is a flow chart of the key distribution method of the present invention; and
Fig. 6 is a structural diagram of the key distribution system of the present invention.
Embodiments
The method of the invention can be applied to systems that need to download keys, such as traditional bank card payment systems, consumption card payment systems, trading card payment systems and others. In brief, terminal equipment can conveniently download a key from the equipment that provides the key through the universal software interface (USI) established by the method of the present invention.
Although the following description uses application of the present invention to a bank card payment system as the example, it is an exemplary description only and is not intended to limit the present invention. Hereinafter, the term "terminal equipment" refers to equipment in the bank card payment system that needs to download a terminal master key and/or working key, for example a POS terminal, a PIN pad, an IC card reader or other equipment used to store a terminal master key; the term "master key" means "terminal master key".
Fig. 1 is a flow chart of the key downloading method of the present invention.
As shown, in step 100 a universal software interface (USI) suited to different types of terminal equipment is established, the USI comprising library files corresponding to the different types of terminal equipment. In the present application, where the communication protocols and communication formats of different types of terminal equipment differ, a software interface is provided for each type of terminal equipment; that is, the USI comprises library files for the different types of terminal equipment, for access by each type of terminal equipment. The library files can be dynamically updated as required.
In step 102, each type of terminal equipment calls the USI to send a key download request to the equipment or system in the bank card payment system that can provide key download, such as a key management system. On receiving the request, the equipment or system that provides key download obtains the key from the hardware device in which the key is stored and issues it, and the terminal equipment receives the issued key through the USI. Preferably, all input and output through this interface use hexadecimal data.
Fig. 2 is a detailed flow of step 102 shown in Fig. 1. As shown, in step 201 the terminal equipment that is to access the USI performs a self-check to determine the validity of the terminal equipment, to prevent probing of the key interface data, and to inform the user whether communication between the terminal equipment and the equipment that provides key download is normal and whether the terminal equipment is available. The self-check can be triggered externally, for example by pressing a self-check button provided on the terminal equipment; it can also be triggered when the terminal equipment receives, through the USI, a trigger from other equipment or systems in the bank card payment system, such as the equipment that provides key download. It should be noted that the ways of triggering the self-check described above are only examples and are not intended to limit the present invention. After the self-check passes, the flow proceeds to step 203; otherwise it ends.
In step 203, the terminal equipment sends a master key download request to the equipment that provides key download by calling the USI. After the equipment that provides key download responds to the request, the master key is issued to the terminal equipment through the interface. The master key can be delivered to the terminal equipment in plaintext or ciphertext form; if what is transmitted between the equipment that provides key download and the terminal equipment is the plaintext master key, the master key can be encrypted in the USI, for example with the DES/3DES symmetric encryption algorithm. Correspondingly, a ciphertext master key delivered to the terminal equipment should be decrypted before it is stored. In addition, by way of example, after receiving the key download request the equipment that provides key download can forward the request to upper-level equipment or an upper-level system, which responds to the request, obtains the key from the hardware device storing the key and issues it to the equipment that provides key download, which in turn sends it to the terminal. Alternatively, the equipment that provides key download can obtain the key directly from the hardware device storing the key and deliver it to the terminal equipment. This depends on how the equipment that provides key download is configured in the actual application.
In step 205, the downloaded master key is verified to determine whether the download succeeded; for the check procedure, see Fig. 2a and the description of Fig. 2a below.
In step 206, if the download succeeded, the terminal master key is stored according to a predefined master key identifier (KeyID). Preferably, "key download succeeded" can be shown on the LCD of the terminal equipment, for example on the display of the PIN pad or POS machine, to inform the user.
In step 207, the terminal equipment sends a working key download request to the equipment that provides key download by calling the USI. After the equipment that provides key download responds to the request, the working key is issued to the terminal equipment through the interface. By way of example, after receiving the working key download request the equipment that provides key download can handle the request directly, that is, obtain the working key from the hardware device storing working keys or call an encryption machine to generate a working key, and then issue the working key to the terminal equipment; it can also forward the request to upper-level equipment or an upper-level system, which responds to the request, obtains the working key and issues it. Alternatively, the terminal equipment can send the download request for the working key to the equipment that provides key download together with the download request for the master key.
In step 208, the downloaded working key is decrypted with the master key that has been downloaded to the terminal equipment, and the downloaded working key is verified to determine whether the download succeeded; for the check procedure, see Fig. 2b and the description of Fig. 2b below.
In step 209, if the verification succeeds, the working key is stored in the terminal equipment according to a predefined working key identifier (WKeyID). Preferably, "key download succeeded" can further be shown on the LCD of the terminal equipment, for example on the display of the PIN pad or POS machine, to inform the user that the download succeeded.
Fig. 2a is a flow chart of the master key check. First, in step 2051, the predefined check key is decrypted with the master key that has been downloaded to the terminal equipment; in the present embodiment the check key is 8 bytes. Then, in step 2052, the decrypted result (that is, the plaintext check key) is used to encrypt 8 bytes of 0x00. Next, in step 2053, a first number of bytes of the encrypted result is compared with the check value of the predefined check key; in the present embodiment the first number of bytes is the first 4 bytes of the encrypted result. If the comparison result is consistent, the download succeeded.
Fig. 2b is a flow chart of the working key check. As shown, in step 2081, the decrypted result, that is, the plaintext of the working key, is used to encrypt 8 bytes of 0x00. Then, in step 2081, a second number of bytes of the encrypted result is compared with the check value of the predefined working key, where the second number of bytes is the first 4 bytes of the encrypted result. If the comparison result is consistent, the working key was downloaded successfully.
Fig. 3 is a structural diagram of the interface equipment of the present invention. As shown in the figure, interface equipment 34 comprises an input port 340, an output port 341, a memory module 342 and a processing module 343. Memory module 342 stores the USI corresponding to different types of terminal equipment, and this USI further comprises library files corresponding to the different types of terminal equipment; the terminal equipment is terminal equipment of a bank card payment system, such as a POS machine, a PIN pad or an IC card reader. The processing module handles calls to the USI from all kinds of terminal equipment, sends the key download request through output port 341 to the equipment that provides key download in the bank card payment system and, after receiving the key through input port 340, further sends the key to the terminal equipment through output port 341.
Fig. 4 is a structure diagram of the key download system of the present invention. As shown in the figure, key download system 3 comprises terminal equipment 30, equipment 32 that provides key download, and interface equipment 34 through which the terminal equipment communicates with the equipment that provides key download. Terminal equipment 30 receives the user's input and sends the received user information to the upper-level system of the bank card payment system to verify its legitimacy; the terminal equipment also requests key download and uses the key downloaded to it to encrypt at least the user's PIN input. In this embodiment, equipment 32 manages keys and handles key download requests; it can obtain a key from the hardware device that stores keys and send it. Interface equipment 34 comprises a memory module for storing the USI corresponding to different types of terminal equipment, the USI further comprising library files corresponding to the different types of terminal equipment, and a processing module for handling each terminal equipment's access to the USI and further handling the key download request. Interface equipment 34 is arranged between terminal equipment 30 and equipment 32; in practice, interface equipment 34 can exchange data with terminal equipment 30 over a serial interface (RS-232), and can communicate with equipment 32 using the TCP/IP protocol. Equipment 32 receives the key download request from terminal equipment 30 through interface equipment 34 and handles it: either equipment 32 obtains the key from the hardware device that stores keys and issues it to terminal equipment 30 through interface equipment 34, or equipment 32 forwards the request to other key management equipment or systems in the bank card payment system and, after that equipment or system responds to the key request, the key is passed to terminal equipment 30 through equipment 32 and interface equipment 34. In practice, interface equipment 34 and equipment 32 can be arranged separately, or can be arranged in the same device.
In interface equipment 34, a corresponding software interface is provided for each type of terminal equipment, and together these form the USI; in other words, the USI comprises library files for the different types of terminal equipment.
Terminal equipment 30 performs a self-check to determine the validity of the terminal equipment, to guard against probing of the key interface data, and to inform the user whether communication between terminal equipment 30 and interface equipment 34 and/or equipment 32 that provides key download is normal, whether the terminal equipment is usable, and similar information. The self-check of terminal equipment 30 can be triggered externally, for example by pressing a self-check button provided on the terminal equipment; the terminal equipment can also receive, through interface equipment 34, a trigger from equipment 32 that provides key download, or a trigger from other equipment or systems in the bank card payment system. Note that the trigger modes described above are only examples and do not limit the present invention. After the self-check is completed, terminal equipment 30 calls the USI in interface equipment 34 and sends a master key download request to equipment 32 that provides key download; after obtaining the response of equipment 32, terminal equipment 30 receives the master key through interface equipment 34. If the master key is transmitted in plaintext form, the plaintext master key can be encrypted in interface equipment 34, for example with the DES/3DES symmetric encryption algorithm; accordingly, the encrypted master key can be decrypted after it is delivered to terminal equipment 30 and then stored.
In terminal equipment 30, the downloaded master key is verified to determine whether the download succeeded. Specifically, the check key that is predefined and stored in terminal equipment 30 is first decrypted with the master key that has been downloaded to terminal equipment 30; in this embodiment, the check key is 8 bytes. The decrypted result (that is, the plaintext check key) is then used to encrypt 8 bytes of 0x00. A first number of bytes of the encrypted result is then compared with the check value of the check key; in this embodiment, the first number of bytes is the first 4 bytes of the encrypted result, and if the comparison matches, the download succeeded. If the download succeeded, terminal equipment 30 stores this terminal master key according to the predefined master key identifier (KeyID). Preferably, "key download succeeded" can be shown on the LCD of terminal equipment 30, such as a PIN pad, to inform the user.
Terminal equipment 30 can further call the USI through interface equipment 34 to send a working key download request to equipment 32 that provides key download; once equipment 32 has processed the request and confirmed that the working key can be sent, the working key is downloaded to terminal equipment 30 through interface equipment 34. For example, after receiving the working key download request, equipment 32 can obtain the working key directly from the hardware device that stores working keys, or directly call an encryption machine to generate the working key, and then issue the working key to the terminal equipment; it can also forward the request to upper-level equipment or an upper-level system, which responds to the request, and after obtaining the response send the working key to terminal equipment 30. Alternatively, terminal equipment 30 can send the request for the working key together with the request for the master key.
In terminal equipment 30, the downloaded working key is decrypted with the downloaded master key, and the downloaded working key is verified to determine whether the download succeeded. Specifically, terminal equipment 30 uses the decrypted result, that is, the plaintext working key, to encrypt 8 bytes of 0x00; then a second number of bytes of the encrypted result is compared with the predefined check value of the working key, where this second number of bytes is the first 4 bytes of the encrypted result, and if the comparison matches, the working key was downloaded successfully. When the download succeeds, terminal equipment 30 stores this working key according to the predefined working key identifier (WKeyID). Preferably, "key download succeeded" can be shown on the LCD of the terminal equipment, such as a PIN pad, to inform the user.
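The master key check (Fig. 2a) and the working key check (Fig. 2b) described above are the same routine: decrypt under the master key, encrypt 8 bytes of 0x00 with the result, and compare the first 4 bytes with the predefined check value. The Go program below is an added example, not code from the patent; choosing DES or 3DES in ECB mode by key length, the sample keys, and the names newCipher, ecb, checkValue, unwrapAndVerify and wrapForDownload are assumptions.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed sample keys for the demonstration; none come from the patent.
var (
	sampleMaster   = []byte("constructedMK-01") // 16-byte terminal master key
	sampleCheckKey = []byte("chk-key1")         // 8-byte check key, as in the embodiment
	sampleWorking  = []byte("constructedWK-01") // 16-byte working key
)

// newCipher picks DES for an 8-byte key and 3DES for 16- or 24-byte keys.
// Key lengths other than the 8-byte check key are an assumption of this example.
func newCipher(key []byte) (cipher.Block, error) {
	switch len(key) {
	case 8:
		return des.NewCipher(key)
	case 16: // two-key 3DES is K1 | K2 | K1
		return des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	case 24:
		return des.NewTripleDESCipher(key)
	}
	return nil, errors.New("key must be 8, 16 or 24 bytes")
}

// ecb runs the cipher over whole 8-byte blocks, with no padding and no chaining.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%des.BlockSize != 0 {
		return nil, errors.New("input must be a non-empty multiple of 8 bytes")
	}
	blk, err := newCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		if decrypt {
			blk.Decrypt(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
		} else {
			blk.Encrypt(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
		}
	}
	return out, nil
}

// checkValue encrypts 8 bytes of 0x00 under key and keeps the first 4 bytes.
func checkValue(key []byte) ([]byte, error) {
	ct, err := ecb(key, make([]byte, des.BlockSize), false)
	if err != nil {
		return nil, err
	}
	return ct[:4], nil
}

// unwrapAndVerify decrypts wrapped under masterKey, recomputes the check value
// of the plaintext and compares it with expected. The plaintext is returned
// only when the comparison matches, so a failed download is never stored.
func unwrapAndVerify(masterKey, wrapped, expected []byte) ([]byte, bool, error) {
	plain, err := ecb(masterKey, wrapped, true)
	if err != nil {
		return nil, false, err
	}
	cv, err := checkValue(plain)
	if err != nil {
		return nil, false, err
	}
	if len(expected) != 4 || subtle.ConstantTimeCompare(cv, expected) != 1 {
		return nil, false, nil
	}
	return plain, true, nil
}

// wrapForDownload plays the key-download side for the demonstration: it
// encrypts a key under the master key and computes the check value that the
// terminal holds as its predefined value.
func wrapForDownload(masterKey, plainKey []byte) (wrapped, cv []byte, err error) {
	if wrapped, err = ecb(masterKey, plainKey, false); err != nil {
		return nil, nil, err
	}
	cv, err = checkValue(plainKey)
	return wrapped, cv, err
}

func main() {
	encCheck, checkCV, _ := wrapForDownload(sampleMaster, sampleCheckKey)
	encWK, wkCV, _ := wrapForDownload(sampleMaster, sampleWorking)

	// Terminal side, master key check (steps 2051 to 2053).
	_, ok, err := unwrapAndVerify(sampleMaster, encCheck, checkCV)
	fmt.Printf("master key check: ok=%v err=%v\n", ok, err)

	// Terminal side, working key check (Fig. 2b).
	wk, ok, err := unwrapAndVerify(sampleMaster, encWK, wkCV)
	fmt.Printf("working key check: ok=%v err=%v len=%d\n", ok, err, len(wk))

	// A terminal holding a different master key fails the same check.
	_, ok, _ = unwrapAndVerify([]byte("another-MK-value"), encCheck, checkCV)
	fmt.Printf("wrong master key: ok=%v\n", ok)
}
```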
Fig. 5 is the flow chart of the key distribution method of the present invention. As shown in the figure, in step 401, the first-level key distribution system distributes keys according to the identifier of the second-level key distribution system; the first-level key distribution system can be the head office key distribution system in the bank card payment system, and the second-level key distribution system can be a branch key distribution system in the bank card payment system. The head office key distribution system obtains the root keys injected into it, such as a transmission root key and a transaction root key, where the transmission root key is used to protect the transaction root key; it then disperses the root key to each branch key distribution system according to the branch number, where each branch number is associated with the identifier of a second-level key distribution system, or the branch number itself serves as the identifier of the second-level key distribution system.
In step 402, the second-level key distribution system processes the received root key, generates the terminal master key from the transaction root key, protects the terminal master key, and so on; the second-level key distribution system then distributes keys to the terminal site key distribution systems according to the identifiers of the terminal sites under its jurisdiction. The distributed keys comprise at least the terminal master key, and the second-level key distribution system can be a branch key distribution system.
In step 403, the terminal site key distribution system distributes keys to each terminal equipment according to the key downloading method shown in Fig. 1. Note that each terminal site key distribution system can process the keys received from the second-level key distribution system and store them in a corresponding key storage device; this key storage device can be an independent storage device, or can be a storage device inside computer equipment that performs other processing functions in the terminal site key distribution system. In addition, the terminal site key distribution system comprises the key download system 3 shown in Fig. 4 above. When the key storage device is an independent storage device, key download system 3 can access this storage device to read data from it; when the key storage device is a storage device inside computer equipment that performs other processing functions in the terminal site key distribution system, key download system 3 is communicatively connected to that computer equipment so as to read from the storage device in it. Because the key downloading method of the present invention has been described in detail above with reference to Fig. 1 and Fig. 2, it is not repeated here.
In the key distribution method of the present invention, a USI adapted to different types of terminal equipment, that is, a compatible USI, has been established, so all kinds of equipment can conveniently access the equipment that provides key download through this USI, and the problem of having to build a separate software interface for each kind of equipment is avoided. In addition, for the bank card payment system, updating the library files included in the USI allows the system to manage different types of terminal equipment conveniently.
Fig. 6 is the structure diagram of the key distribution system of the present invention. This key distribution system comprises first-level key distribution system 50, second-level key distribution system 51 and terminal site key distribution system 52. First-level key distribution system 50 is the head office key distribution system of the bank card payment system, and second-level key distribution system 50 can be a branch key distribution system. The head office key distribution system obtains the root keys injected into it, for example a transmission root key and a transaction root key injected by IC card, where the transmission root key is used to protect the transaction root key and so on; the head office key distribution system processes the root key and disperses it to each branch key distribution system according to the branch number, where each branch number is associated with the identifier of a second-level key distribution system, or the branch number itself serves as the identifier of the second-level key distribution system. The second-level key distribution system, that is, the branch key distribution system, processes the root key received from the first-level key distribution system, generates the terminal master key from the transaction root key, protects it, and so on; it further distributes keys to terminal site key distribution system 52 according to the identifier of the terminal site, and the distributed keys comprise at least the terminal master key.
Terminal site key distribution system 52 stores the received keys in the corresponding key storage device 520. Key storage device 520 can be an independent storage device, or can be a storage device inside computer equipment that performs other processing functions in terminal site key distribution system 52. In addition, terminal site key distribution system 52 comprises the key download system 3 shown in Fig. 4 above. When the key storage device is an independent storage device, key download system 3 can access this storage device to read data from it; when the key storage device is a storage device inside computer equipment that performs other processing functions in terminal site key distribution system 52, key download system 3 is communicatively connected to that computer equipment so as to read from the storage device in it.
Because the key download system 3 shown in Fig. 4 has been described in detail above, its detailed description is omitted here. Briefly, in key download system 3, terminal equipment 30 sends the key download request by calling the USI in interface equipment 34 and receives the key sent by equipment 32 that provides key download. By means of the USI of interface equipment 34 in key download system 3, terminal equipment of every type, or in other words of every type from different manufacturers, can conveniently access the equipment that provides key download by calling this USI, and can receive the distributed key through this USI.
In summary, with the key downloading method of the present invention, different types of terminal equipment can conveniently request key download from the equipment that provides key download in the bank card payment system by calling the USI. Because the terminal equipment downloads keys by calling the USI, downloading becomes more convenient and the insecurity of manually installing the master key is avoided.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific embodiments of the present invention can still be modified, or some of their technical features replaced by equivalents, and that, without departing from the spirit of the technical solution of the present invention, all such changes fall within the scope of the technical solution claimed by the present invention.

Claims (19)

1. A key downloading method, characterized in that the key downloading method comprises:
establishing a USI corresponding to different types of terminal equipment, the software interface comprising library files corresponding to the different types of terminal equipment; and
the terminal equipment sending a key download request to the equipment that provides key download by calling the USI and, after the download request is responded to, receiving the requested key through the USI.
2. The key downloading method according to claim 1, characterized in that the method further comprises verifying the received key.
3. The key downloading method according to claim 2, characterized in that the key comprises a terminal master key, and verifying the received key comprises:
decrypting a predefined master key check key with the terminal master key that has been downloaded to the terminal equipment;
encrypting the decrypted result;
comparing a first number of bytes of the encrypted result with the check value of the master key check key; and
storing the terminal master key when the comparison matches.
4. The key downloading method according to claim 3, characterized in that, when the comparison matches, the terminal master key is stored according to a predefined master key identifier.
5. The key downloading method according to claim 3 or 4, characterized in that encrypting the decrypted result is encrypting 8 bytes of 0x00 with the decrypted result.
6. The key downloading method according to claim 5, characterized in that the first number of bytes is the first 4 bytes of the encrypted result.
7. The key downloading method according to claim 3, characterized in that the key further comprises a working key, and verifying the received key further comprises:
decrypting the working key with the terminal master key;
encrypting the decrypted result;
comparing a second number of bytes of the encrypted result with the check value of the working key; and
storing the working key when the comparison matches.
8. The key downloading method according to claim 7, characterized in that, when the comparison matches, the working key is stored according to a predefined working key identifier.
9. The key downloading method according to claim 7 or 8, characterized in that encrypting the decrypted result is encrypting 8 bytes of 0x00 with the decrypted result.
10. The key downloading method according to claim 9, characterized in that the second number of bytes is the first 4 bytes of the encrypted result.
11. Interface equipment, characterized in that the interface equipment comprises:
an input port and an output port;
a memory module for storing a USI corresponding to different types of terminal equipment, the USI further comprising library files corresponding to the different types of terminal equipment; and
a processing module that handles calls to the USI from all kinds of terminal equipment, sends a key download request through the output port to the equipment that provides key download and, after receiving the requested key through the input port, further sends the key to the terminal equipment through the output port.
12. A key download system comprising terminal equipment and equipment that provides key download, characterized in that the key download system further comprises interface equipment for communication between the terminal equipment and the equipment that provides key download, wherein the interface equipment comprises:
an input port and an output port, the input port receiving data from the equipment that provides password download and from the terminal equipment, and the output port outputting data to the equipment that provides password download and to the terminal equipment;
a memory module for storing a USI corresponding to different types of terminal equipment, the USI further comprising library files corresponding to the different types of terminal equipment; and
a processing module that handles calls to the USI from all kinds of terminal equipment, sends a key download request through the output port to the equipment that provides key download and, after receiving the requested key through the input port, further sends the key to the terminal equipment through the output port.
13. The key download system according to claim 12, characterized in that the key comprises a terminal master key, the terminal equipment holds a predefined master key check key, and the terminal equipment decrypts the terminal master key check key with the terminal master key, encrypts the decrypted result, then compares a first number of bytes of the encrypted result with the master key check value and, when the comparison matches, stores the terminal master key.
14. The key download system according to claim 13, characterized in that the key further comprises a working key, the terminal equipment holds a predefined working key check value, and the terminal equipment decrypts the working key with the terminal master key, encrypts the decrypted result, further compares a second number of bytes of the encrypted result with the working key check value and, when the comparison matches, stores the working key.
15. A key distribution method, the method comprising:
a first-level key distribution system distributing keys according to the identifier of a second-level key distribution system, and the second-level key distribution system distributing keys to a terminal site key distribution system according to the identifiers of the terminal sites under its jurisdiction, characterized in that the terminal site key distribution system distributing keys to terminal equipment comprises:
establishing, in the terminal site key distribution system, a USI corresponding to different types of terminal equipment, the software library comprising library files corresponding to the different types of terminal equipment; and
the terminal equipment sending a key download request, by calling the USI, to the equipment that provides key download in the terminal site key distribution system and, after the download request is responded to, the equipment that provides key download distributing the key to the terminal equipment through the USI.
16. The key distribution method according to claim 15, characterized in that the method further comprises verifying the key distributed to the terminal equipment.
17. The key distribution method according to claim 16, characterized in that the key comprises a terminal master key, and verifying the key distributed to the terminal equipment comprises:
decrypting a predefined master key check key with the terminal master key that has been distributed to the terminal equipment;
encrypting the decrypted result;
comparing a first number of bytes of the encrypted result with the check value of the master key check key; and
storing the terminal master key when the comparison matches.
18. The key distribution method according to claim 17, characterized in that the key further comprises a working key, and verifying the key distributed to the terminal equipment further comprises:
decrypting the working key with the terminal master key;
encrypting the decrypted result;
comparing a second number of bytes of the encrypted result with the check value of the working key; and
storing the working key when the comparison matches.
19. A key distribution system comprising a first-level key distribution system and second-level key distribution systems, the first-level key distribution system distributing keys to each second-level key distribution system according to the identifier of each second-level key distribution system, and each second-level key distribution system distributing keys to each terminal site key distribution system according to the identifiers of the terminal sites under its jurisdiction, characterized in that the terminal site key distribution system comprises a key storage device and the key download system according to any one of claims 12-14.
CN201010106542.9A 2010-02-05 2010-02-05 Key downloading method and system Active CN102148799B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010106542.9A CN102148799B (en) 2010-02-05 2010-02-05 Key downloading method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010106542.9A CN102148799B (en) 2010-02-05 2010-02-05 Key downloading method and system

Publications (2)

Publication Number Publication Date
CN102148799A true CN102148799A (en) 2011-08-10
CN102148799B CN102148799B (en) 2014-10-22

Family

ID=44422803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010106542.9A Active CN102148799B (en) 2010-02-05 2010-02-05 Key downloading method and system

Country Status (1)

Country Link
CN (1) CN102148799B (en)

Also Published As

Publication number Publication date
CN102148799B (en) 2014-10-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant