CN102542645B - A kind of entrance guard authentication method and Verification System - Google Patents
A kind of entrance guard authentication method and Verification System Download PDFInfo
- Publication number
- CN102542645B CN102542645B CN201210010295.1A CN201210010295A CN102542645B CN 102542645 B CN102542645 B CN 102542645B CN 201210010295 A CN201210010295 A CN 201210010295A CN 102542645 B CN102542645 B CN 102542645B
- Authority
- CN
- China
- Prior art keywords
- key
- card reader
- sub
- card
- access card
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Storage Device Security (AREA)
- Lock And Its Accessories (AREA)
Abstract
The embodiment of the invention discloses a kind of entrance guard authentication method, comprising: card reader judges sub-key that in its private cipher key and access card, described card reader is specified whether authentication success; Wherein, the sub-key that at least two have common female key is stored in described access card; If authentication success, then described card reader obtains its data message of asking described access card to return; The data message of described acquisition is sent to access control terminal by described card reader, and receive data message described in described access control terminal authentication correct after the message be proved to be successful that returns.The embodiment of the invention also discloses a kind of entrance guard authentication system.Adopt the present invention, achieve the mutual certification of access card and multiple card reader, and then the nuclear power personnel achieving use access card are capable at the all-purpose card of each nuclear power plant area of same nuclear power enterprise subordinate.
Description
Technical field
The present invention relates to gate inhibition's technical field, particularly relate to a kind of entrance guard authentication method and Verification System of nuclear power gate inhibition field.
Background technology
The nuclear power energy is the mainstay of global energy development.Along with the development of the nuclear power energy, its security also becomes the problem that in evolution, emphasis will be considered.
At present, the method that nuclear power door access control system adopts is: for each nuclear power plant area of same enterprise subordinate sets up oneself independently gate control system, the authorization key of a nuclear power plant area is only had in the access card of nuclear power personnel, when supposing that a nuclear power user needs the new nuclear power plant area beyond nuclear power plant area belonging to it to pass through, need first the authorization key of the original nuclear power plant area stored in its access card to be removed, again by the authorization key of new nuclear power plant area write access card, nuclear power personnel can realize passing through the gate inhibition of current new nuclear power plant area.Further, after nuclear power personnel leave this new nuclear power plant area, also need to remove the authorization key in its access card.
Along with the continuous expansion of nuclear power plant area scale, nuclear power personnel often need between each nuclear power plant area of same enterprise subordinate current, correspondingly need the authority that the gate inhibition having multiple nuclear power plant area passes through.But current nuclear power door access control system is the actual demand that cannot meet nuclear power personnel.
Summary of the invention
Embodiment of the present invention technical matters to be solved is, provides a kind of authentication mode and Verification System of access card, can realize nuclear power personnel capable at the all-purpose card of each nuclear power plant area of same nuclear power enterprise subordinate.
In order to solve the problems of the technologies described above, embodiments provide a kind of entrance guard authentication method, comprising:
Card reader judges sub-key that in its private cipher key and access card, described card reader is specified whether authentication success; Wherein, the sub-key that at least two have common female key is stored in described access card;
If authentication success, then described card reader obtains its data message of asking described access card to return;
The data message of described acquisition is sent to access control terminal by described card reader, and receive data message described in described access control terminal authentication correct after the message be proved to be successful that returns.
Correspondingly, the embodiment of the present invention additionally provides a kind of entrance guard authentication system, comprising:
Card reader, for judging sub-key that in its private cipher key stored and described access card, described card reader is specified whether authentication success; And when authentication success, obtain the data message that it asks described access card to return; Wherein, the sub-key that at least two have common female key is stored in described access card;
Access card, for returning data message that described card reader request returns to described card reader;
Access control terminal, for receiving the data message of the described acquisition that described card reader is sent, and is verifying that the message returning after described data message correctly and be proved to be successful is to described card reader.
Implement the embodiment of the present invention, there is following beneficial effect:
Sub-key that in its private cipher key and access card, described card reader is specified whether authentication success is judged by card reader, the sub-key that at least two have common female key is stored in described access card, obtain its data message of asking described access card to return when authentication success and this data message is sent to access control terminal, and receive data message described in described access control terminal authentication correct after the design of the message be proved to be successful that returns, due to store in described access card at least two sub-keys having common female key because access card stores multiple sub-key having common female key, therefore, the card reader that this access card can manage with multiple key management system carries out certification, thus achieve the mutual certification of access card and multiple card reader.When access card is respectively with multiple card reader authentication success, then the plurality of card reader all can obtain the data message of this access card, and by this data information transfer to access control terminal.Access control terminal when verifying that the data message of this acquisition is legal, is then opened the door, and so then achieves and uses the nuclear power personnel of access card capable at the all-purpose card of each nuclear power plant area of same nuclear power enterprise subordinate.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment or description of the prior art below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is the schematic flow sheet of the first embodiment of a kind of entrance guard authentication method provided by the invention;
Fig. 2 is the schematic flow sheet of the embodiment of step S12 in the embodiment shown in Fig. 1 of the present invention;
Fig. 3 is the schematic flow sheet of the embodiment of the private cipher key generation method of a kind of card reader provided by the invention;
Fig. 4 is the schematic flow sheet of the embodiment of the generation method of the sub-key of a kind of access card provided by the invention;
Fig. 5 is the structural representation of the embodiment of a kind of entrance guard authentication system provided by the invention;
Fig. 6 is the structural representation of the embodiment of card reader in Fig. 5;
Fig. 7 is the structural representation of the embodiment of access card in Fig. 5.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to the scope of protection of the invention.
Please refer to Fig. 1, be the schematic flow sheet of the first embodiment of a kind of entrance guard authentication method provided by the invention, described authentication method comprises:
Step S11, card reader judges sub-key that in its private cipher key and access card, described card reader is specified whether authentication success; Wherein, the sub-key that at least two have common female key is stored in described access card;
Wherein, the private cipher key of card reader and access card at least two of storing have the sub-key of common female key is all that key management system belonging to it writes in advance.
Particularly, the key management system of each nuclear power plant area (also known as tier-2 department) of same nuclear power enterprise subordinate is provided respectively and is managed a card reader.The private cipher key that the card reader of each nuclear power plant area stores has a common female key.Usually, each key management system is that the private cipher key of card reader of its management defines an identification number, to facilitate the certification with the sub-key of access card.
Wherein, the initialization of access card then can be performed by the unified key management system of department's (also known as level portion) of each nuclear power plant area of management.When after access card initialization, the key management system of each nuclear power plant area all can write sub-key in this access card, each key management system defines the identification number of the sub-key of its write, this identification number mates (identical or corresponding) with the identification number of the private cipher key in the card reader that it manages, and meets the sub-key of authorising conditional (i.e. door-opening condition) for distinguishing each nuclear power on-site.Wherein, each key management system all can write the reason of sub-key and is in this access card: the initialization of access card is by the unified key management system execution of each key management system of management.
In this step, owing to storing the sub-key that at least two have common female key in access card, therefore, before card reader and described access card carry out key authentication, card reader also needs the sub-key of specifying the access card carrying out certification with it.The different sub-key identification numbers stored due to access card make a distinction, and therefore, card reader, by specifying the mode of the identification number mated with the identification number of the private cipher key of its storage, specifies the sub-key of the access card carrying out certification with it.
In this step, if card reader judges its sub-key authentication success of specifying in its private cipher key and access card, flow process enters step S12, if authentification failure, then exits identifying procedure.
Step S12, described card reader obtains its data message of asking described access card to return.
Step S13, the data message of described acquisition is sent to access control terminal by described card reader, and receive data message described in described access control terminal authentication correct after the message be proved to be successful that returns.
Card reader is by the data information transfer of the access card of acquisition to access control terminal, and access control terminal when verifying that the data message of this acquisition is legal, then returns the message be proved to be successful, and opens the door to card reader.
In the present embodiment, because access card stores multiple sub-key having common female key, therefore, the card reader that this access card can manage with multiple key management system carries out certification, thus achieves the mutual certification of access card and multiple card reader.If access card distinguishes authentication success with multiple card reader respectively, then the plurality of card reader all can obtain the data message of this access card, and by this data information transfer to access control terminal.Access control terminal when verifying that the data message of this acquisition is legal, is then opened the door, and so then achieves and uses the nuclear power personnel of access card capable at the all-purpose card of each nuclear power plant area of same nuclear power enterprise subordinate.
Please refer to Fig. 2, is the schematic flow sheet of the embodiment of step S12 in the embodiment shown in Fig. 1 of the present invention,
Described method comprises:
Step S23, described card reader sends random information to described access card; Described random information comprises cipher text part and clear portion, and the described transmission security key of described cipher text part is encrypted, and is used to indicate the data message that described in described card reader request, access card returns; Described clear portion is used to specify the sub-key carrying out certification in described access card with described card reader;
Wherein, the private cipher key of card reader, specifically comprises transmission security key and root key, and this transmission security key and root key are all that the key management system belonging to card reader writes.Wherein, the data message that described in described card reader request, access card returns can be specifically the sequence number for identifying described access card.
Step S24, described card reader receives the data message that described access card returns after the described random information of deciphering;
Wherein, access card, before return data information is to card reader, also needs to perform:
Described access card receives the random information that described card reader is sent, and the clear portion obtained in random information, and according to the instruction of clear portion, judge in the multiple sub-keys stored in it, which sub-key is the sub-key carrying out certification with it that card reader is specified, and obtains this sub-key of specifying.Wherein, the sub-key stored in access card comprises sub-transmission security key and sub-root key.
Can the sub-transmission security key that described access card application card reader is specified goes to decipher the cipher text part in described random information, and judge decipher described cipher text part; If described cipher text part can be deciphered, then according to the instruction of the cipher text part after decryption processing, return the data message that card reader request returns.Wherein, when returning this data message, the sub-root key using described card reader to specify is needed to be encrypted.Wherein, this data message can be the sequence number for unique identification access card.
Step S25, described card reader judges the data message that can described root key be deciphered described access card and return;
In this step, if judge, described root key can decipher described data message, then flow process enters step S26, if can not decipher, then exits identifying procedure.
Step S26, if can decipher described data message, then described card reader confirms authentication success.
Further, before execution step S23, also comprise:
Step S21, described card reader judges whether to sense described access card;
In this step, card reader outwards sends electromagnetic wave with certain frequency cycle ground, when access card enters the electromagnetic scope of card reader transmission, then card reader judges to sense described access card, and enter step S22, whether sense access card if fail, then continuing induction has access card.
Step S22, described card reader inner obtains random information from it, and uses described transmission security key to encrypt cipher text part in described random information.
In the present embodiment, card reader, when sensing access card, obtains random information, and uses the cipher text part in transmission security key encryption random information, and the data message that reception access card returns, thus achieves appointment and the certification of the sub-key of access card.
Please refer to Fig. 3, be the schematic flow sheet of the embodiment of the private cipher key generation method of a kind of card reader provided by the invention, described method comprises:
Step S31, one-level encryption equipment generates at least two different root keys, and by the root key corresponding stored that generates at least two different secondary encryption equipments;
In specific implementation, one-level encryption equipment generates at least two different root keys, comprising:
One-level encryption equipment receives the key seed of at least two user's inputs;
Wherein, the key seed of at least two user's inputs, can be identical, also can be different.The reason that one-level encryption equipment needs reception at least two users to input key seed is: the security ensureing the female key generated.All users that one-level encryption equipment only has acquisition to hold key seed could produce identical female key after inputting key seed.
One-level encryption equipment according to described in the key seed that receives, according to female key schedule, generate female key;
Wherein, described female key schedule, comprises the enciphering and deciphering algorithm needed for gate control system.The enciphering and deciphering algorithm of the key seed received according to gate control system is calculated, female key of specified type T, version V and index I can be generated.
One-level encryption equipment receives at least two different business dispersion factors of user's input, according to female key decentralized algorithm, described female key is dispersed at least two different root keys.
Wherein, described female key decentralized algorithm, comprises the key decentralized algorithm in gate inhibition field.Business dispersion factor in this step, is also called key dispersion factor.The root key that one-level encryption equipment at least two of generating according to key decentralized algorithm are different has common female key.And divided each root key shed by female key, then become the root key of each nuclear power plant area.Usually, female key that one-level encryption equipment generates is managed by the primary department of nuclear power enterprise, and one-level encryption equipment divides the distribution of each root key shed also to be managed by the primary department of nuclear power enterprise with monitoring.
Wherein, described at least two different root keys stored in the object in secondary encryption equipment are by one-level encryption equipment: the security ensureing the sub-key generated.
In specific implementation, one-level encryption equipment under the protection of specifying Protective Key, can derive the root key of specified type T, version V and index I, and by it stored in secondary encryption equipment, such as, stored in different USB-Key.Each nuclear power plant area (tier-2 department) has the USB-Key that uniquely stores this root key, and so, primary department then completes the distribution of root key.There is unique key management system managing its root key independently in each nuclear power plant area, and the key management system of each nuclear power plant area can not produce and influences each other.Can understand like this, the quantity of the key management system of second part and the quantity of secondary encryption equipment are one to one, and a nuclear power plant area correspondence has a key management system and a secondary encryption equipment obtained from primary department.
Step S32, the base condition code that the root key that described at least two different secondary encryption equipments store according to it respectively input with the key management system of its correspondence, according to the private cipher key generating algorithm stored separately, the private cipher key of generation correspondence.
Because each root key be dispersed into is stored to secondary encryption equipment by one-level encryption equipment, and this secondary encryption equipment is disperseed to each nuclear power plant area of same nuclear power enterprise subordinate.And, there are independently key management system and the secondary encryption equipment obtained from primary department in each nuclear power plant area, therefore, the base condition code that the root key that the secondary encryption equipment that each nuclear power plant area has then can store according to it respectively inputs with the key management system of its correspondence, according to the private cipher key generating algorithm that it stores, the private cipher key of the card reader of corresponding generation correspondence.Wherein, the base condition code of key management system input, for the unique nuclear power plant area under the same nuclear power enterprise of unique identification.The root key that the secondary encryption equipment had due to district of different IPs power plant stores is different, and the base condition code that the key management system that secondary encryption equipment receives inputs is different, its private cipher key generating algorithm stored is also likely different, and the so last private cipher key generated is different certainly.Be understandable that, the root key due to each nuclear power plant area has a common female key, and the private cipher key that the secondary encryption equipment of each nuclear power plant area so last generates also has common female key.
After secondary encryption equipment generates private cipher key, the key management system that this secondary encryption equipment is corresponding also derives the private cipher key of generation, and is write in card reader.
Particularly, the process that the private cipher key that secondary encryption equipment generates by key management system writes in card reader comprises:
(1) obtain transmission security key and root key from secondary encryption equipment, be stored in respectively in two different cards, at this, these two cards be called transmission security key card and root key card.
Particularly, the generative process of transmission security key card is:
Key management system is by calling the key derivation service interface of secondary encryption equipment (as USB-Key), and to after USB-Key sends and specifies type T, the version V of transmission security key of card reader and the message of index I, the transmission security key that USB-Key returns can be received.The transmission security key that this gets, after getting transmission security key from USB-Key, can write in a card, thus define transmission security key card by key management system.
The generative process of root key card is:
Key management system by calling the key derivation service interface of USB-Key, and to after USB-Key sends and specifies type T, the version V of transmission security key of card reader and the message of index I, can receive the transmission security key that USB-Key returns.The transmission security key that this gets, after getting transmission security key from USB-Key, can write in a card by key management system.After this clamping receives the transmission security key that key management system sends, under the protection of its initiating master key, store transmission security key, and return transmission security key and store successful message to card sending system.
Key management system receives after transmission security key that this card returns stores successful message, by calling the key derivation service interface of USB-Key, and to after USB-Key sends and specifies type T, the version V of root key of card reader and the message of index I, the root key that USB-Key returns can be received.The root key that this gets, after getting root key from USB-Key, can be write this card, thus define root key card by key management system.
(2) write of card reader private cipher key
The transmission security key of write card reader, particularly, writes the transmission security key stored in transmission security key card in the SAM of card reader.
The root key of write card reader, particularly, under the protection of the transmission security key of this write, by its SAM of root key write card reader that stores in root key card, thus completes the write of card reader private cipher key.
Please refer to Fig. 4, be the schematic flow sheet of the embodiment of the sub-key generation method of a kind of access card provided by the invention, described method comprises:
Step S41, one-level encryption equipment generates at least two different root keys, and by the root key corresponding stored that generates at least two different secondary encryption equipments;
Step S42, described at least two different secondary encryption equipments according to base condition code and its root key stored of card sending system input, according to the private cipher key generating algorithm stored separately, generate corresponding private cipher key respectively;
In the present embodiment, the operation of step S41-S42 is identical with the operation of step S31-S32 in the embodiment shown in Fig. 3, does not repeat them here.
Step S43, described at least two different secondary encryption equipments are respectively according to the customer identification number that the key management system of its correspondence inputs, and according to the sub-key decentralized algorithm stored separately, the private cipher key stored is dispersed into the sub-key of correspondence.
Wherein, the key management system that secondary encryption equipment receives its correspondence inputs different customer identification numbers, and the sub-key of so corresponding generation is also different.After secondary encryption equipment generates sub-key, the sub-key generated also writes in subscriber card by key management system.
Particularly, key management system calls the key derivation service interface of secondary encryption equipment (as USB-Key), and to after USB-Key sends and specifies type T, the version V of master control key of access card and the message of index I, the master control key that USB-Key returns can be received.Key management system is after getting master control key from USB-Key, and the master control key that this can be got writes in access card.
Further, key management system writes successful message family receiving the master control key that access card returns, and under the protection of the master control key of said write, the sub-key of write access card, specifically comprises:
Key management system by calling the key derivation service interface of USB-Key, and to after USB-Key sends and specifies type T, the version V of transmission security key of access card and the message of index I, can receive the transmission security key that USB-Key returns.Key management system is after getting transmission security key from USB-Key, and the transmission security key that this can be got writes access card.
Key management system receives after transmission security key writes successful message, also obtains root key from USB-Key.Particularly, card sending system is by calling the key distribution services interface of USB-Key, and to after USB-Key sends type T, the version V of the transmission security key of specifying the access card sequence number of access card (specify), index I, the root key that USB-Key returns can be received.Key management system is after getting root key from USB-Key, and the root key that this can be got writes access card.
It should be noted that, arbitrary key management system of each nuclear power plant area all can according to method described above, the sub-key write access card that the secondary encryption equipment had generates.
The above-mentioned authentication method to a kind of access card provided by the invention has carried out description detailed, below, composition graphs 5-7, is described in detail the system adopting above-mentioned authentication method to carry out access card certification.
As shown in Figure 5, be the structural representation of the first embodiment of a kind of entrance guard authentication system disclosed by the invention, described Verification System comprises: card reader 51, access card 52 and access control terminal 53;
Wherein, described card reader 51, for judging sub-key that in its private cipher key and described access card, described card reader is specified whether authentication success; And when authentication success, obtain the data message that it asks described access card to return; Wherein, the sub-key that at least two have common female key is stored in described access card;
Wherein, the private cipher key of card reader and access card at least two of storing have the sub-key of common female key is all that key management system belonging to it writes in advance.
Particularly, the key management system of each nuclear power plant area (also known as tier-2 department) of same nuclear power enterprise subordinate is provided respectively and is managed a card reader.The private cipher key that the card reader of each nuclear power plant area stores has a common female key.Usually, each key management system is that the private cipher key of card reader of its management defines an identification number, to facilitate the certification with the sub-key of access card.
Wherein, the initialization of access card then can be performed by the unified key management system of department's (also known as level portion) of each nuclear power plant area of management.When after access card initialization, the key management system of each nuclear power plant area all can write sub-key in this access card, each key management system defines the identification number of the sub-key of its write, this identification number mates (identical or corresponding) with the identification number of the private cipher key in the card reader that it manages, and meets the sub-key of authorising conditional (i.e. door-opening condition) for distinguishing each nuclear power on-site.Wherein, each key management system all can write the reason of sub-key and is in this access card: the initialization of access card is by the unified key management system execution of each key management system of management.
Wherein, owing to storing the sub-key that at least two have common female key in access card, therefore, before card reader and described access card carry out key authentication, card reader also needs the sub-key of specifying the access card carrying out certification with it.The different sub-key identification numbers stored due to access card make a distinction, and therefore, card reader, by specifying the mode of the identification number mated with the identification number of the private cipher key of its storage, specifies the sub-key of the access card carrying out certification with it.
Described access card 52, for returning data message that described card reader 51 asks to return to described card reader 51;
Described access control terminal 53, for receiving the data message of the described acquisition that described card reader 51 is sent, and is verifying that the message returning after described data message correctly and be proved to be successful is to described card reader.
Card reader 52 is by the data information transfer of the access card of acquisition to access control terminal 53, and access control terminal 53 when verifying that the data message of this acquisition is legal, then returns the message be proved to be successful, and opens the door to card reader 51.Wherein, the whether legal method of the data message that access card returns is technology well-known to those skilled in the art, is not described in detail at this.
In the present embodiment, because access card stores multiple sub-key having common female key, therefore, the card reader that this access card can manage with multiple key management system carries out certification respectively, thus achieves the mutual certification of access card and multiple card reader.If access card respectively with multiple card reader authentication success, then the plurality of card reader all can obtain the data message of this access card, and by this data information transfer to access control terminal.Access control terminal when verifying that the data message of this acquisition is legal, is then opened the door.Like this then achieve and use the nuclear power personnel of this access card capable at the all-purpose card of each nuclear power plant area of same nuclear power enterprise subordinate.
Please refer to Fig. 6, be the structural representation of the embodiment of a kind of card reader provided by the invention, described card reader comprises:
First transceiver module 61, for sending random information to described access card 51; Described random information comprises cipher text part and clear portion, and the described transmission security key of described cipher text part is encrypted, and is used to indicate the data message that described card reader request access card returns; Described clear portion is used to specify the sub-key carrying out certification in described access card with described card reader;
Wherein, the private cipher key of described card reader comprises transmission security key and root key.
Described first transceiver module 61, also for receiving the data message that described access card returns after the described random information of deciphering;
First judge module 62, for judging the data message that can described root key be deciphered described first transceiver module 61 and receive;
Confirming module 63, for when the judged result of described first judge module 62 is for being, confirming described card reader authentication success.
Further, described card reader also comprises:
Whether induction module 64, exist described access card for induction;
Card reader outwards sends electromagnetic wave with certain frequency cycle ground, when access card 51 enters the electromagnetic scope of card reader transmission, then induction module 64 can sense described access card, and whether if induction module 64 fails to sense access card, then continuing induction has access card.
Obtaining encrypting module 65, for when the judged result of described induction module 64 is for being, inner obtaining random information from it, and use described transmission security key to encrypt cipher text part in described random information;
Described first transceiver module 61, sends to access card for the random information after being encrypted by described acquisition encrypting module 65.
In the present embodiment, obtain encrypting module when induction module senses access card, obtain random information, and use transceiver module to send random information to access card, and the data message that reception access card returns, thus achieve appointment and the certification of the sub-key of access card.
Please refer to Fig. 7, be the structural representation of a kind of access card provided by the invention, described access card comprises:
Second transceiver module 71, for receiving the random information that described card reader is sent;
Wherein, the sub-key of access card comprises: sub-transmission security key and sub-root key.
Acquisition module 72, for the instruction of clear portion in the random information that receives according to described second transceiver module 71, obtains sub-transmission security key and sub-root key that described card reader specifies;
Second judge module 73, judges that can sub-transmission security key that the described card reader that described acquisition module 72 gets is specified decipher the cipher text part of described random information;
Described second transceiver module 71, also for when the judged result of described second judge module 73 is for being, according to the instruction of the cipher text part after deciphering, returns the data message that described card reader request returns; Described data message uses described sub-root key of specifying to encrypt.
One of ordinary skill in the art will appreciate that all or part of flow process realized in above-described embodiment method, that the hardware that can carry out instruction relevant by computer program has come, described program can be stored in a computer read/write memory medium, this program, when performing, can comprise the flow process of the embodiment as above-mentioned each side method.Wherein, described storage medium can be magnetic disc, CD, read-only store-memory body (Read-Only Memory, ROM) or random store-memory body (Random Access Memory, RAM) etc.
Above disclosedly be only present pre-ferred embodiments, certainly the interest field of the present invention can not be limited with this, one of ordinary skill in the art will appreciate that all or part of flow process realizing above-described embodiment, and according to the equivalent variations that the claims in the present invention are done, still belong to the scope that invention is contained.
Claims (9)
1. an entrance guard authentication method, is characterized in that, comprising:
Card reader judges sub-key that in its private cipher key and access card, described card reader is specified whether authentication success; Wherein, the sub-key that at least two have common female key is stored in described access card;
If authentication success, then described card reader obtains its data message of asking described access card to return;
The data message of described acquisition is sent to access control terminal by described card reader, and receive data message described in described access control terminal authentication correct after the message be proved to be successful that returns;
Wherein, the private cipher key of described card reader comprises: transmission security key and root key, and described card reader judges sub-key that in its private cipher key and access card, described card reader is specified whether authentication success, comprising:
Described card reader sends random information to described access card; Described random information comprises cipher text part and clear portion, and the described transmission security key of described cipher text part is encrypted, and is used to indicate the data message that described in described card reader request, access card returns; Described clear portion is used to specify the sub-key carrying out certification in described access card with described card reader;
Described card reader receives the data message that described access card returns after the described random information of deciphering;
Described card reader judges the data message that can described root key be deciphered described access card and return;
If can decipher described data message, then described card reader confirms authentication success.
2. authentication method as claimed in claim 1, is characterized in that, before described card reader transmission random information is to described access card, also comprises:
Described card reader judges whether to sense described access card;
Sense described access card if judge, then described card reader inner obtains random information from it, and uses described transmission security key to encrypt cipher text part in described random information.
3. authentication method as claimed in claim 1, it is characterized in that, described sub-key comprises: sub-root key and sub-transmission security key, before described card reader receives the data message that described access card returns after the described random information of deciphering, also comprises:
Described access card receives the random information that described card reader is sent;
Described access card, according to the instruction of clear portion in described random information, obtains sub-transmission security key and sub-root key that described card reader specifies;
Described access card judges that can described sub-transmission security key of specifying decipher the cipher text part of described random information;
If can decipher described cipher text part, then described access card is according to the instruction of the cipher text part after deciphering, returns the data message that described card reader request returns; Described data message uses described sub-root key of specifying to encrypt.
4. the authentication method as described in any one of claim 1-3, the generation method of the private cipher key that institute's card reader stores comprises:
One-level encryption equipment generates at least two different root keys, and by the root key corresponding stored that generates at least two different secondary encryption equipments;
The base condition code that the root key that described at least two different secondary encryption equipments store according to it respectively input with the key management system of its correspondence, according to the private cipher key generating algorithm stored separately, the private cipher key of the card reader of generation correspondence.
5. authentication method as claimed in claim 4, is characterized in that, described one-level encryption equipment generates at least two different root keys, comprising:
One-level encryption equipment receives the key seed of at least two user's inputs;
One-level encryption equipment according to described in the key seed that receives, according to female key schedule, generate female key;
One-level encryption equipment receives at least two different business dispersion factors of user's input, according to female key decentralized algorithm, described female key is dispersed at least two different root keys.
6. authentication method as claimed in claim 4, is characterized in that, the generation method of the sub-key stored in described access card comprises:
Described at least two different secondary encryption equipments are respectively according to the customer identification number that the key management system of its correspondence inputs, and according to the sub-key decentralized algorithm stored separately, the private cipher key stored is dispersed into the sub-key of correspondence.
7. an entrance guard authentication system, is characterized in that, comprising:
Card reader, for judging sub-key that in its private cipher key and access card, described card reader is specified whether authentication success; And when authentication success, obtain the data message that it asks described access card to return; Wherein, the sub-key that at least two have common female key is stored in described access card;
Access card, for returning data message that described card reader request returns to described card reader;
Access control terminal, for receiving the data message of the described acquisition that described card reader is sent, and is verifying that the message returning after described data message correctly and be proved to be successful is to described card reader;
Wherein, the private cipher key of described card reader comprises: transmission security key and root key, and described card reader comprises:
First transceiver module, for sending random information to described access card; Described random information comprises cipher text part and clear portion, and the described transmission security key of described cipher text part is encrypted, and is used to indicate the data message that described card reader request access card returns; Described clear portion is used to specify the sub-key carrying out certification in described access card with described card reader;
Described first transceiver module, also for receiving the data message that described access card returns after the described random information of deciphering;
First judge module, for judging the data message that can described root key be deciphered described first transceiver module and receive;
Confirming module, for when the judged result of described first judge module is for being, confirming described card reader authentication success.
8. Verification System as claimed in claim 7, it is characterized in that, described card reader also comprises:
Whether induction module, exist described access card for induction;
Obtaining encrypting module, for when the induction result of described induction module is for being, inner obtaining random information from it, and use described transmission security key to encrypt cipher text part in described random information.
9. Verification System as claimed in claim 7, it is characterized in that, described sub-key comprises: sub-root key and sub-transmission security key, and described access card comprises:
Second transceiver module, for receiving the random information that described card reader is sent;
Acquisition module, for the instruction of clear portion in the random information that receives according to described second transceiver module, obtains sub-transmission security key and sub-root key that described card reader specifies;
Second judge module, judges that can sub-transmission security key that the described card reader that described acquisition module gets is specified decipher the cipher text part of described random information;
Described second transceiver module, also for when the judged result of described second judge module is for being, according to the instruction of the cipher text part after deciphering, returns the data message that described card reader request returns; Described data message uses described sub-root key of specifying to encrypt.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210010295.1A CN102542645B (en) | 2012-01-13 | 2012-01-13 | A kind of entrance guard authentication method and Verification System |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210010295.1A CN102542645B (en) | 2012-01-13 | 2012-01-13 | A kind of entrance guard authentication method and Verification System |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102542645A CN102542645A (en) | 2012-07-04 |
| CN102542645B true CN102542645B (en) | 2015-09-23 |
Family
ID=46349451
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210010295.1A Active CN102542645B (en) | 2012-01-13 | 2012-01-13 | A kind of entrance guard authentication method and Verification System |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102542645B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103971426A (en) * | 2013-01-31 | 2014-08-06 | 北京同方微电子有限公司 | PSAM safety control-based access control system and safe access control method using the same |
| CN106341817A (en) * | 2016-09-05 | 2017-01-18 | 努比亚技术有限公司 | Access control system, access control method, mobile terminals and access server |
| CN106952375B (en) * | 2017-03-30 | 2019-02-12 | 东信和平科技股份有限公司 | A kind of access control method and access controller |
| CN108961475B (en) * | 2017-05-19 | 2022-01-07 | 腾讯科技(深圳)有限公司 | Access control deployment method and access control deployment server |
| CN108230522B (en) * | 2018-03-16 | 2023-05-12 | 深圳市欣横纵技术股份有限公司 | High security access control card reader and encryption protection system and method thereof |
| CN115017927B (en) * | 2021-11-15 | 2023-04-11 | 荣耀终端有限公司 | Card simulation method, electronic device, and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1818923A (en) * | 2006-03-17 | 2006-08-16 | 清华大学 | Enciphering authentication for radio-frequency recognition system |
| CN101246607A (en) * | 2007-02-13 | 2008-08-20 | 陈年 | Digital authentication control method for access control system and access control system using the same |
| CN101458834A (en) * | 2007-12-14 | 2009-06-17 | 英业达股份有限公司 | Door inhibition authentication method, mobile electronic device and door inhibition system applying the same |
| CN102201135A (en) * | 2011-05-26 | 2011-09-28 | 深圳中兴力维技术有限公司 | Access control management method applied to base station |
| CN102271040A (en) * | 2011-07-26 | 2011-12-07 | 北京华大信安科技有限公司 | Identity verifying system and method |
| CN102855517A (en) * | 2012-08-22 | 2013-01-02 | 中国银行股份有限公司 | Intelligent bank card with hospital general treatment function |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1873960B1 (en) * | 2006-06-29 | 2013-06-05 | Incard SA | Method for session key derivation in a IC card |
-
2012
- 2012-01-13 CN CN201210010295.1A patent/CN102542645B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1818923A (en) * | 2006-03-17 | 2006-08-16 | 清华大学 | Enciphering authentication for radio-frequency recognition system |
| CN101246607A (en) * | 2007-02-13 | 2008-08-20 | 陈年 | Digital authentication control method for access control system and access control system using the same |
| CN101458834A (en) * | 2007-12-14 | 2009-06-17 | 英业达股份有限公司 | Door inhibition authentication method, mobile electronic device and door inhibition system applying the same |
| CN102201135A (en) * | 2011-05-26 | 2011-09-28 | 深圳中兴力维技术有限公司 | Access control management method applied to base station |
| CN102271040A (en) * | 2011-07-26 | 2011-12-07 | 北京华大信安科技有限公司 | Identity verifying system and method |
| CN102855517A (en) * | 2012-08-22 | 2013-01-02 | 中国银行股份有限公司 | Intelligent bank card with hospital general treatment function |
Non-Patent Citations (1)
| Title |
|---|
| IC卡门禁系统中的无线通信加密技术;戴毅;《科技资讯》;20100531(第05期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102542645A (en) | 2012-07-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103714639B (en) | A kind of method and system that realize the operation of POS terminal security | |
| US9948624B2 (en) | Key downloading method, management method, downloading management method, device and system | |
| CN102542645B (en) | A kind of entrance guard authentication method and Verification System | |
| CN107358441B (en) | Payment verification method and system, mobile device and security authentication device | |
| CN111147432B (en) | KYC data sharing system with confidentiality and method thereof | |
| CN102123027A (en) | Information security processing method and mobile terminal | |
| CN101593389A (en) | A kind of key management method and system that is used for the POS terminal | |
| CN103067160A (en) | Method and system of generation of dynamic encrypt key of encryption secure digital memory card (SD) | |
| CN103580852A (en) | Initialization of embedded secure elements | |
| CN107547203B (en) | Anti-counterfeiting tracing method and system | |
| US20140161260A1 (en) | Major management apparatus, authorized management apparatus, electronic apparatus for delegated key management, and key management methods thereof | |
| CN105653986A (en) | Micro SD card-based data protection method and device | |
| CN114786160B (en) | NFC label key management system | |
| CN102833077A (en) | Encryption and decryption methods of remote card-issuing data transmission of financial IC (Integrated Circuit) card and financial social security IC card | |
| CN103138925B (en) | Hair fastener method of operation, IC-card sheet and card-issuing equipment | |
| CN110098925A (en) | Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system | |
| CN108234126B (en) | System and method for remote account opening | |
| CN110100411A (en) | Cryptographic system management | |
| CN103916237A (en) | Method and system for managing user encrypted-key retrieval | |
| CN102404363A (en) | Access method and access device | |
| CN100486157C (en) | Distribution type data encryption method | |
| CN105245526A (en) | Method and device for invoking SIM card application | |
| Lee et al. | A new privacy-preserving path authentication scheme using RFID for supply chain management | |
| CN110086627A (en) | Based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method and system | |
| CN104579644A (en) | Key generation and recovery method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP03 | Change of name, title or address |
Address after: 518000 Guangdong province Futian District Shangbu Road West of the city of Shenzhen Shenzhen science and technology building 15 layer (1502-1504, 1506) Patentee after: CHINA NUCLEAR POWER TECHNOLOGY RESEARCH INSTITUTE Patentee after: China General Nuclear Power Corporation Address before: 518000 Guangdong city of Shenzhen province Futian District science and technology building, Shangbu Road 15 Patentee before: Zhongkehua Nuclear Power Technology Institute Co., Ltd. Patentee before: China Guangdong Nuclear Power Group Co., Ltd. |