CN103051459A - Management method and device of traction secrete key of safety card - Google Patents

Management method and device of traction secrete key of safety card Download PDF

Info

Publication number
CN103051459A
CN103051459A CN2013100185412A CN201310018541A CN103051459A CN 103051459 A CN103051459 A CN 103051459A CN 2013100185412 A CN2013100185412 A CN 2013100185412A CN 201310018541 A CN201310018541 A CN 201310018541A CN 103051459 A CN103051459 A CN 103051459A
Authority
CN
China
Prior art keywords
key
transaction
user
financial
information
Prior art date
Application number
CN2013100185412A
Other languages
Chinese (zh)
Other versions
CN103051459B (en
Inventor
孙贵成
李春
陈燕
Original Assignee
北京印天网真科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京印天网真科技有限公司 filed Critical 北京印天网真科技有限公司
Priority to CN201310018541.2A priority Critical patent/CN103051459B/en
Publication of CN103051459A publication Critical patent/CN103051459A/en
Application granted granted Critical
Publication of CN103051459B publication Critical patent/CN103051459B/en

Links

Abstract

The embodiment of the invention provides a management method and device of a traction secrete key of a safety card. The method mainly comprises the following steps of: obtaining a user certificate of a user of the safety card by a financial platform; extracting a certificate public key in the user certificate; sending a transaction secrete key applying request carrying the certificate public key and basic information of the user to financial encryption equipment; generating transaction secrete key information of the user by the financial encryption equipment according a set algorithm; carrying out encryption on the transaction secrete key information by using the certificate public key; and sending the encrypted transaction secrete key information to the safety card through the financial platform. According to the management method and device disclosed by the embodiment of the invention, hardware safety equipment such as the financial platform, a financial CA, the financial encryption equipment is used; and an asymmetrical secret key encryption technology and a symmetrical secret key encryption technology are comprehensively utilized in a process of producing transaction secrete key applying request data of the safety card to reduce the risk grade of decoding the secret key to the lowest, so that the safety financial transaction data of the safety card is ensured.

Description

安全卡的交易密钥的管理方法和装置 Management method and apparatus for transaction security key card

技术领域 FIELD

[0001] 本发明涉及密钥管理技术领域,尤其涉及一种安全卡的交易密钥的管理方法和装置。 [0001] Technical Field The present invention relates to key management, particularly to a security card transaction management method and apparatus key.

背景技术 Background technique

[0002] 随着科技的发展,智能便携设备用户持续增长,智能便携设备将传统的金融交易方式转换到移动用户,而且它还具有省时、省事、便捷、易操作等特性。 [0002] With the development of science and technology, intelligent portable device users continues to grow, the smart portable device to convert conventional financial transactions to mobile users, but also when it has the province, easy, convenient, easy operation and other features.

[0003] 智能便携设备最主要的就是保证金融交易的安全性,如果智能便携设备的金融交易数据泄露将直接对用户的经济利益造成损失。 [0003] smart portable devices most important is to ensure the security of financial transactions, if the financial transaction data leakage smart portable devices will cause direct damage to the economic interests of the user. 因此,开发一种保证智能便携设备的金融交易的安全的方法是十分必要。 Therefore, to develop a safe method of financial transactions to ensure that the smart portable devices is essential.

发明内容 SUMMARY

[0004] 本发明的实施例提供了一种安全卡的交易密钥的管理方法和装置,以保证安全卡金融交易数据的安全。 [0004] Embodiments of the present invention provides a method and apparatus for managing a secure transaction key card, security card to ensure the security of financial transaction data.

[0005] 一种安全卡的交易密钥的管理方法,包括: Management methods [0005] a secure key card transactions, including:

[0006] 金融平台获取安全卡片的用户的用户证书,提取出所述用户证书中的证书公钥,向金融加密机发送携带所述证书公钥和所述用户的基本信息的交易密钥申请请求; [0006] Financial card platform obtains user security credentials of the user, the user extracts the public key certificate of the certificate, transmits the transaction key request carries request information of the basic public key certificate of the user and the financial Encryptor ;

[0007] 金融加密机接收到所述交易密钥申请请求后,按照设定的算法生成所述用户的交易密钥信息,并使用所述证书公钥对所述交易密钥信息进行加密,将加密后的交易密钥信息发送给所述金融平台; After the [0007] finance the transaction encryption key receives the application request, in accordance with an algorithm to generate the user setting information of the session key, and a certificate using the public key to encrypt the transaction information, Session key encrypted information is sent to the financial platform;

[0008] 所述金融平台将所述加密后的交易密钥信息发送给所述安全卡片。 [0008] The key financial trading platform after the encrypted information to the security card.

[0009] 一种安全卡的交易密钥的管理系统,包括: [0009] A transaction card key security management system, including:

[0010] 金融平台,用于获取安全卡片的用户的用户证书,提取出所述用户证书中的证书公钥,向金融加密机发送携带所述证书公钥和所述用户的基本信息的交易密钥申请请求;将所述金融加密机返回的加密后的交易密钥信息发送给安全卡片; [0010] financial platform, configured to obtain a user certificate for the user of the security card, the user extracts the public key certificate of the certificate, encrypted transaction message carrying the basic information of the public key certificate of the user and the financial Encryptor key application request; transmitting the encrypted session key encrypted financial information unit returns to the security card;

[0011] 金融加密机,用于接收到所述交易密钥申请请求后,按照设定的算法生成所述用户的交易密钥信息,并使用所述证书公钥对所述交易密钥信息进行加密,将加密后的交易密钥信息发送给所述金融平台; [0011] Financial encryption engine, for the session key after receiving the application request, in accordance with the algorithm generates the user setting information transaction key, and a certificate using the public key of the key information of the transaction encryption, the encrypted transaction key to send information to the financial platform;

[0012] 安全卡片,用于接收所述金融平台发送过来的交易密钥信息。 [0012] Security card, for receiving the financial transaction key information sent from the internet.

[0013] 由上述本发明的实施例提供的技术方案可以看出,本发明实施例借助金融平台、金融CA和金融加密机等硬件安全设备,在安全卡的金融交易请求数据生产的过程中综合运用了非对称密钥加解密技术和对称密钥加解密技术,将密钥被破译的风险等级降至最低,确保安全卡的金融交易数据的安全。 [0013] provided by embodiments of the present invention, the above-described embodiment can be seen in the art, embodiments of the present invention by means of internet banking, finance CA encryption and financial and other hardware security device, the security card of the financial transaction request data during the production of integrated use of asymmetric key encryption technology and symmetric key encryption technology, the key is to decipher the level of risk to a minimum, ensure the security of financial transaction data security card.

附图说明 BRIEF DESCRIPTION

[0014] 为了更清楚地说明本发明实施例的技术方案, 下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。 [0014] In order to more clearly illustrate the technical solutions in the embodiments of the present invention, briefly describes the accompanying drawings required for describing the embodiments used in the following embodiments will be apparent in the following description of the accompanying drawings are merely some embodiments of the present invention. embodiment, those of ordinary skill in the art is concerned, without any creative effort, and may also obtain other drawings based on these drawings.

[0015] 图1为本发明实施例一提供的一种安全卡的交易密钥的获取方法的处理流程示意图; [0015] FIG. 1 is a schematic process flow of a method for obtaining a secure transaction card according to a first embodiment of the present invention, a key;

[0016] 图2为本发明实施例二提供的一种安全卡的交易密钥的使用方法的处理流程示意图; [0016] FIG. 2 is a schematic process flow of the method used in a secure transaction card key according to a second embodiment of the present invention;

[0017]图3为本发明实施例三提供的一种安全卡的交易密钥的管理系统的具体结构示意图。 [0017] Fig 3 a schematic view of a specific configuration of the key management system a secure transaction card according to a third embodiment of the present invention.

具体实施方式 Detailed ways

[0018] 为便于对本发明实施例的理解,下面将结合附图以几个具体实施例为例做进一步的解释说明,且各个实施例并不构成对本发明实施例的限定。 [0018] To facilitate understanding of the embodiments of the present invention, following with reference to several specific embodiments Example embodiments further explanation, and not intended to limit the various embodiments embodiment of the present invention.

[0019] 实施例一 [0019] Example a

[0020] 该实施例提供的一种安全卡的交易密钥的获取方法的处理流程示意图如图1所示,包括如下的处理步骤: [0020] A method of obtaining a secure card transaction processing flow of this embodiment provides a schematic diagram of the key 1, the process comprising the steps of:

[0021] 步骤11、安全卡片首先生成用户的公私钥对,向金融平台发送携带上述用户的基本信息、用户公钥等信息的PKCS#10(Public_Key Cryptography Standards,证书请求的公钥密码学标准)请求,上述用户为上述安全卡片的使用者。 [0021] Step 11, the security card first generates a public and private key to the user, said user message carrying information of PKCS # basic information, and other user's public key 10 (Public_Key Cryptography Standards, PKCS certificate request) to the financial platform requesting the user to the user of the security card.

[0022] 步骤12、金融平台接收到上述PKCS#10请求后,向金融CA (certificateauthority,认证中心)发送携带上述用户的基本信息、用户公钥的用户证书申请请求。 [0022] Step 12, after receiving the financial platform PKCS # 10 request, transmits the financial CA (certificateauthority, Authentication Center) carries the basic information of the user, the user public key certificate request user.

[0023] 步骤13、金融CA接收到上述用户证书申请请求后,生成上述用户的用户证书,该用户证书中包括证书公钥、有效期、颁发机构、用户的基本信息等信息,上述证书公钥的具体数值和上述用户公钥的具体数值相等。 [0023] Step 13, after receiving the user financial CA certificate request, generates the user's user certificate, the user certificate including public key certificate is valid, the issuer, the basic information of the user information, the above-described public key certificate specific numerical values ​​are equal and said user specific public key.

[0024] 步骤14、金融CA将上述用户证书发送给上述金融平台。 [0024] Step 14, the financial CA transmits the user certificate to said financial internet.

[0025] 步骤15、金融平台接收到上述用户证书后,将上述用户证书在内部的存储器中进行存储。 [0025] Step 15, after receiving the financial internet user certificate, the certificate for said user stored in the internal memory. 然后,提取出用户证书中的证书公钥、有效期、颁发机构等信息,向金融加密机发送携带证书公钥、用户的基本信息的交易密钥申请请求。 Then, extract the public key certificate user certificate, valid, issued by the information agencies, send a certificate carrying a public key to encrypt financial machine, the key trading application requests basic information about the user.

[0026] 步骤16、金融加密机接收到上述交易密钥申请请求后,按照设定的算法生成上述用户的交易密钥信息,并使用证书公钥对交易密钥信息进行加密。 After [0026] Step 16, the financial transaction encryption key receives the above application request, in accordance with a preset algorithm to generate the key information of the user's transaction, and the transaction using the public key certificate information is encrypted.

[0027] 在实际应用中,上述交易密钥信息可以为多个交易密钥和每个交易密钥对应的索弓I。 [0027] In practical applications, the above-described transaction may be a plurality of key information for each transaction and the session key corresponding to the key bow index I. 金融加密机将上述加密后的交易密钥信息在内部的存储器中进行存储。 Financial transaction machine encryption key encrypted information stored in the internal memory.

[0028] 步骤17、金融加密机把加密后的交易密钥信息返回给金融平台,金融平台将接收到的加密后的交易密钥信息在内部的存储器中进行存储。 [0028] Step 17, the financial transaction key information encryption unit to the encrypted transaction key information back to the financial platform, financial platform received encrypted stored in the internal memory. 然后,将上述加密后的交易密钥信息返回给安全卡片。 Then, after the transaction encryption key information back to the safety card.

[0029] 步骤18、安全卡片接收到上述加密后的交易密钥信息后,使用用户私钥解密上述加密后的交易密钥信息,验证非对称密钥的正确性。 [0029] Step 18, after receiving the transaction card security key information the encrypted information using the session key to decrypt the encrypted private key of the user, to verify the correctness of the asymmetric key. 在解密和验证成功后,安全卡片将上述加密后的交易密钥信息存储到内部的安全区中的存储器中。 After successful decryption and authentication, secure transaction card stores the key information encrypted to the internal memory in the security zone.

[0030] 实施例二[0031] 该实施例提供的一种安全卡的交易密钥的使用方法的处理流程示意图如图2所示,包括如下的处理步骤: Process flow according to a second [0031] method using a session key security card provided in this embodiment [0030] The diagram shown in Figure 2, the process comprising the steps of:

[0032] 步骤21、安全卡片从安全区中提取出公钥加密后的交易密钥信息密文,安全卡片使用用户私钥解密公钥加密后的交易密钥密文得到交易密钥信息。 [0032] Step 21, the security card is extracted from the secure area after the transaction public key encryption key ciphertext information, the security card using the user's private key to decrypt the encrypted public key ciphertext obtained trading transaction key information. 当上述交易密钥信息为多个交易密钥和每个交易密钥对应的索引时,安全卡片从上述多个交易密钥中选取一个要使用的交易密钥,获取该交易密钥的索引。 When said plurality of transaction information key for each transaction, and the transaction key corresponding to a key index, the security card selected from the plurality of transaction keys to use a session key, the transaction key index to be retrieved.

[0033] 步骤22、安全卡片使用选取的交易密钥对交易密码明文进行3DES-ECB (TripleData Encryption Algorithm,三重数据加密算法-电子秘本方式)加密,得到加密后的交易密码密文。 [0033] Step 22, the security card using the transaction key selected transaction password plaintext 3DES-ECB (TripleData Encryption Algorithm, Triple Data Encryption Algorithm - secret electronic present embodiment) encryption, the encrypted transaction resulting cipher text.

[0034]步骤 23、安全卡片使用UTF-8(8_bit Unicode Transformation Format,8 比特统一码转换格式)编码方式获取交易请求报文的MD5摘要,再对上述MD5摘要进行补位处理,在MD5摘要的最后补8个字节值,该8个字节值为:' 0x80 00 00 00 00 00 00 00'。 [0034] Step 23, the security card using (8_bit Unicode Transformation Format, 8-bit Unicode Transformation Format) UTF-8 encoding obtain the MD5 digest of the transaction request message, then the above MD5 digest fill bit processing, the MD5 digest of the last eight bytes of fill values, the 8-byte values: '0x80 00 00 00 00 00 00 00'.

[0035] 安全卡片对上述已经补位的MD5摘要进行MAC(Message Authentication Codes,消息的散列算法)计算,MAC计算采用标准的3DES — CBC (Triple Data EncryptionAlgorithm,三重数据加密算法-密文分组链接方式)算法,将最后一次DES运算的8字节输出数据的最左边的4字节数据作为MAC效验值。 [0035] The security card has the above-described fill bit MD5 digest MAC (Message Authentication Codes, the message hash algorithm) calculation, MAC is calculated using a standard 3DES - CBC (Triple Data EncryptionAlgorithm, Triple Data Encryption Algorithm - ciphertext block chaining embodiment) 4-byte data leftmost algorithm, the DES operation last 8 bytes of output data as the MAC values ​​efficacy.

[0036] 步骤24、安全卡片向金融平台发送包含上述交易密码密文、所使用交易密钥的索弓1、MAC效验值等信息的金融交易请求。 [0036] Step 24, the security card transmits the ciphertext including the password to the financial transaction platform, the transaction using the financial transaction request information index key bow 1, MAC efficacy values ​​and the like.

[0037] 步骤25、上述金融平台接收到上述金融交易请求后,将上述所使用交易密钥的索弓1、MAC效验值发送给金融加密机,金融加密机对上述所使用交易密钥的索引、MAC效验值进行验证,在验证通过后向金融平台返回验证通过信息,金融平台对上述金融交易请求进行后续的处理。 [0037] Step 25, after the above-mentioned financial platform receiving the request for the financial transaction, the transaction key used in the above-described cable bow 1, MAC value to the financial efficacy encryptor, encryptor financial index transaction key used in the above , the MAC values ​​to verify efficacy, returns to the verification, the above financial platform financial transaction request information to the subsequent process by the financial platform after the verification.

[0038] 金融加密机在上述验证没有通过后向金融平台返回验证失败信息,金融平台向上述安全卡片返回交易失败消息。 [0038] Financial encryptor return validation failure information to the financial platform after the verification does not pass, the financial platform of the transaction failure message to the security card.

[0039] 实施例三 [0039] Example three

[0040] 该实施例提供的一种安全卡的交易密钥的管理系统的具体结构示意图如图3所示,包括如下的模块: [0040] The specific configuration of the key management system a transaction security card provided in this embodiment As shown in Figure 3, includes the following modules:

[0041] 金融平台31,用于获取安全卡片的用户的用户证书,提取出所述用户证书中的证书公钥,向金融加密机发送携带所述证书公钥和所述用户的基本信息的交易密钥申请请求;将所述金融加密机返回的加密后的交易密钥信息发送给安全卡片; [0041] financial platform 31 for a user to obtain the user credentials of the security card, the user extracts the public key certificate of the certificate, transmits the transaction to the basic information carried in the user's public key and certificate to encrypt financial machine key application request; transmitting the encrypted session key to the encrypted financial information unit returns to the security card;

[0042] 金融加密机32,用于接收到所述交易密钥申请请求后,按照设定的算法生成所述用户的交易密钥信息,并使用所述证书公钥对所述交易密钥信息进行加密,将加密后的交易密钥信息发送给所述金融平台; [0042] Financial encryptor 32, for the session key after receiving the application request, in accordance with an algorithm to generate the user setting information of the session key, and a certificate using the public key of the transaction key information encrypts the transaction encryption key after sending information to the financial platform;

[0043] 安全卡片33,用于接收所述金融平台发送过来的交易密钥信息。 [0043] The security card 33, the transaction key for receiving information transmitted over the financial internet.

[0044] 具体的,所述的安全卡片33可以包括: [0044] Specifically, the security card 33 may comprise:

[0045] 请求处理模块331,用于生成用户的公私钥对,向所述金融平台发送携带所述用户的基本信息、用户公钥的PKCS#10请求; [0045] The request processing module 331, for generating a public and private key to the user, transmits the basic information to the user carrying the financial platform, the user public key PKCS # 10 request;

[0046] 交易密钥验证模块332,用于接收到所述加密后的交易密钥信息后,使用用户私钥解密所述加密后的交易密钥信息,验证非对称密钥的正确性,在解密和验证成功后,安全卡片将所述加密后的交易密钥信息存储到安全区; [0046] transaction key verification module 332, after receiving the transaction information of the encrypted key using the private information of the user transaction key after decrypting the encrypted verify the correctness of asymmetric keys, in after the decryption and authentication is successful, the transaction card security key encrypted information stored in a secure area;

[0047] 交易密钥使用模块333,用于从安全区中提取出加密后的交易密钥信息,使用用户私钥解密所述加密后的交易密钥信息得到交易密钥信息,从所述交易密钥信息中选取某一个交易密钥,获取该某一个交易密钥的索引; [0047] The session key using the module 333 for extracting, from the secure area key information encrypted transaction, the transaction key using the user private key to decrypt the encrypted key information to obtain transaction information from the transaction key information in a transaction select a key to get the key index certain transactions;

[0048] 使用所述某一个交易密钥对交易密码明文进行3DES-ECB加密,得到加密后的交易密码密文; [0048] Using one of the cryptographic transaction key transaction 3DES-ECB encrypting a plaintext, the encrypted transaction resulting cipher text;

[0049] 使用UTF-8编码方式获取交易请求报文的MD5摘要,再对上述MD5摘要进行补位处理,对补位后的MD5摘要进行MAC计算得到MAC效验值; [0049] The use UTF-8 encoding MD5 digest acquisition transaction request message, then the above process MD5 digest fill bits of the MD5 digest computed fill bit MAC value MAC efficacy;

[0050] 向所述金融平台发送包含所述交易密码密文、所述某一个交易密钥的索引、MAC效验值信息的金融交易请求。 [0050] transmitted to the platform, comprising the financial transaction cipher text, the index key one transaction, financial transaction request MAC efficacy value information.

[0051] 具体的,所述的金融平台31 ,具体用于接收到所述PKCS#10请求后,向金融认证中心发送携带所述用户的基本信息、用户公钥的用户证书申请请求。 [0051] Specifically, the financial platform 31, specifically configured to receive the basic information of the PKCS # 10 request, the authentication center sends the financial carrying the user, the user public key certificate request user.

[0052] 进一步地,所述的系统还可以包括: [0052] Further, the system may further comprise:

[0053] 金融认证中心34,具体用于接收到所述用户证书申请请求后,生成所述用户的用户证书,该用户证书中包括证书公钥、有效期、颁发机构、用户的基本信息,将所述用户证书发送给所述金融平台。 [0053] Financial authentication center 34, specifically for a user after receiving the certificate request, the user generates a user certificate, the user certificate including public key certificate is valid, the issuer, the basic information of the user, The the user certificate to the said financial internet.

[0054] 用本发明实施例的系统进行安全卡的交易密钥的管理的具体过程与前述方法实施例类似,此处不再赘述。 The specific process [0054] The transaction management system of an embodiment of the key with the security card of the present invention similar to the embodiment of the foregoing method, is not repeated here.

[0055] 本领域普通技术人员可以理解:附图只是一个实施例的示意图,附图中的模块或流程并不一定是实施本发明所必须的。 [0055] Those of ordinary skill in the art will be understood: the drawings is only a schematic example of embodiment, the modules or processes in the accompanying drawings are not necessarily embodiments of the present invention it is necessary.

[0056] 本领域普通技术人员可以理解:实施例中的设备中的模块可以按照实施例描述分布于实施例的设备中,也可以进行相应变化位于不同于本实施例的一个或多个设备中。 [0056] Those of ordinary skill in the art will be appreciated that: the apparatus embodiment module according to one or more embodiments of the apparatus of the present embodiment may be distributed to the embodiments described embodiment of the device, it may be performed according to the embodiments which are different from Example . 上述实施例的模块可以合并为一个模块,也可以进一步拆分成多个子模块。 Modules of the embodiments may be combined into one module, or split into multiple submodules.

[0057] 综上所述,本发明实施例借助金融平台、金融CA和金融加密机等硬件安全设备,在安全卡的金融交易请求数据生产的过程中综合运用了非对称密钥加解密技术和对称密钥加解密技术,将密钥被破译的风险等级降至最低,保证安全的密钥传输,安全的密钥管理,确保安全卡的金融交易数据的安全。 [0057] In summary, embodiments of the present invention by means of the process of internet banking, finance CA encryption and financial and other hardware security device, the security card financial transaction request data produced by the integrated use of asymmetric key encryption technology and symmetric key encryption technology, the key is to decipher the level of risk to a minimum, ensure that key transport safety, secure key management, ensure the security of financial transaction data security card.

[0058] 以上所述,仅为本发明较佳的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到的变化或替换,都应涵盖在本发明的保护范围之内。 [0058] The above are only the preferred specific embodiments of the invention, but the scope of the present invention is not limited thereto, any skilled in the art in the art within the scope of the invention disclosed can be easily thought variations or replacements shall fall within the protection scope of the present invention. 因此,本发明的保护范围应该以权利要求的保护范围为准。 Accordingly, the scope of the present invention should be defined by the scope of the claims.

Claims (9)

1. 一种安全卡的交易密钥的管理方法,其特征在于,包括:金融平台获取安全卡片的用户的用户证书,提取出所述用户证书中的证书公钥,向金融加密机发送携带所述证书公钥和所述用户的基本信息的交易密钥申请请求;金融加密机接收到所述交易密钥申请请求后,按照设定的算法生成所述用户的交易密钥信息,并使用所述证书公钥对所述交易密钥信息进行加密,将加密后的交易密钥信息发送给所述金融平台;所述金融平台将所述加密后的交易密钥信息发送给所述安全卡片。 Session key management method 1. A security card, characterized by comprising: obtaining a user certificate user financial platform security card, the user extracts the public key certificate of the certificate, is transmitted to the encryption unit carries the financial basic key request transaction information and said public key certificate request from the user; financial transaction to the encryption key receives the application request, in accordance with an algorithm to generate the user setting information of the session key, and uses the said certificate of said public key encrypted session key, transmits the encrypted key information to the financial transaction platform; the financial transaction platform the encrypted key information is transmitted to the security card.
2.根据权利要求1所述的安全卡的交易密钥的管理方法,其特征在于,所述的金融平台获取安全卡片的用户的用户证书,包括:安全卡片生成用户的公私钥对,向金融平台发送携带所述用户的基本信息、用户公钥的证书请求的公钥密码学标准PKCS#10请求;所述金融平台接收到所述PKCS#10请求后,向金融认证中心发送携带所述用户的基本信息、用户公钥的用户证书申请请求;所述金融认证中心接收到所述用户证书申请请求后,生成所述用户的用户证书,该用户证书中包括证书公钥、有效期、颁发机构、用户的基本信息,将所述用户证书发送给所述金融平台。 The transaction key management method according to the security card as claimed in claim 1, characterized in that the platform obtains the user credentials of user financial security card, comprising: a security card to generate public and private key to the user, the financial carrying platform sends the user basic information, PKCS PKCS # 10 certificate request requesting the user's public key; after the receipt of the financial internet PKCS # 10 request, sends the user carries CFCA basic information, a user public key user certificate request; after the financial center receiving the user authentication certificate request, the user generates a user certificate, the user certificate including public key certificate is valid, the issuer, user's basic information, sends the user credentials to the financial platform.
3.根据权利要求1所述的安全卡的交易密钥的管理方法,其特征在于,所述的交易密钥信息包括多个交易密钥和每个交易密钥对应的索引。 3. The method of managing security keys transaction card according to claim 1, wherein said transaction comprises a plurality of key information for each transaction and the session key corresponding to the index key.
4.根据权利要求1或2或3所述的安全卡的交易密钥的管理方法,其特征在于,金融平台将所述加密后的交易密钥信息发送给所述安全卡片之后,还包括:所述安全卡片接收到所述加密后的交易密钥信息后,使用用户私钥解密所述加密后的交易密钥信息,验证非对称密钥的正确性,在解密和验证成功后,安全卡片将所述加密后的交易密钥信息存储到安全区。 The security card transaction management method of claim 1 or 2 or 3 key claim, wherein, after transmitting the transaction key to the encrypted financial platform information to the security card, the method further comprising: after receiving the transaction card security key information the encrypted using the transaction key information decrypting the encrypted private key of a user, verify the correctness of the asymmetric key, and after decryption verification is successful, the security card the transaction information after the encryption key stored in a secure area.
5.根据权利要求4所述的安全卡的交易密钥的管理方法,其特征在于,所述的方法还包括:安全卡片从安全区中提取出加密后的交易密钥信息,使用用户私钥解密所述加密后的交易密钥信息得到交易密钥信息,从所述交易密钥信息中选取某一个交易密钥,获取该某一个交易密钥的索引;所述安全卡片使用所述某一个交易密钥对交易密码明文进行3DES-ECB加密,得到加密后的交易密码密文;所述安全卡片使用8比特统一码转换格式UTF-8编码方式获取交易请求报文的MD5摘要,再对上述MD5摘要进行补位处理,对补位后的MD5摘要进行消息的散列算法MAC计算得到MAC效验值;所述安全卡片向所述金融平台发送包含所述交易密码密文、所述某一个交易密钥的索引、MAC效验值信息的金融交易请求。 The transaction key management method according to the security card as claimed in claim 4, characterized in that, said method further comprising: a security card is extracted from the transaction secure area key information encrypted using the user's private key session key after decrypting the encrypted transaction information to obtain key information, select a transaction key from a key information in the transaction, obtaining the index of a particular transaction key; the security card using one of the trading transactions cryptographic key 3DES-ECB encrypts plaintext, the ciphertext is encrypted transaction password; security card using the 8-bit Unicode Transformation format UTF-8 encoding obtain the MD5 digest of the transaction request message, then the above hash algorithm MD5 calculation MAC digest bits fill process, the fill of the MD5 digest of message bits efficacy obtained MAC value; transmitting the security card transaction comprising said cryptographic cipher text to the financial platform, one of the transactions the key index, financial transaction request MAC efficacy value information.
6. 一种安全卡的交易密钥的管理系统,其特征在于,包括:金融平台,用于获取安全卡片的用户的用户证书,提取出所述用户证书中的证书公钥, 向金融加密机发送携带所述证书公钥和所述用户的基本信息的交易密钥申请请求;将所述金融加密机返回的加密后的交易密钥信息发送给安全卡片;金融加密机,用于接收到所述交易密钥申请请求后,按照设定的算法生成所述用户的交易密钥信息,并使用所述证书公钥对所述交易密钥信息进行加密,将加密后的交易密钥信息发送给所述金融平台;安全卡片,用于接收所述金融平台发送过来的交易密钥信息。 A transaction card security key management system, characterized by comprising: a financial platform, configured to obtain a user certificate for the user of the security card, the user extracts the public key certificate of the certificate, the encrypted financial machine transaction key request message carrying a request of basic information and the public key certificate of the user; transmitting the encrypted session key encrypted financial information unit returns to the security card; financial encryptor configured to receive the key request request later transaction, according to an algorithm to generate the user setting information of the session key, and a certificate using the public key to encrypt the transaction information and sends the encrypted key information to the transaction the financial platform; security card for the transaction key information sent from receiving the financial platform.
7.根据权利要求6所述的安全卡的交易密钥的管理系统,其特征在于,所述的安全卡片包括:请求处理模块,用于生成用户的公私钥对,向所述金融平台发送携带所述用户的基本信息、用户公钥的PKCS#10请求;交易密钥验证模块,用于接收到所述加密后的交易密钥信息后,使用用户私钥解密所述加密后的交易密钥信息,验证非对称密钥的正确性,在解密和验证成功后,安全卡片将所述加密后的交易密钥信息存储到安全区;交易密钥使用模块,用于从安全区中提取出加密后的交易密钥信息,使用用户私钥解密所述加密后的交易密钥信息得到交易密钥信息,从所述交易密钥信息中选取某一个交易密钥,获取该某一个交易密钥的索引;使用所述某一个交易密钥对交易密码明文进行3DES-ECB加密,得到加密后的交易密码密文;使用UTF-8编码方式获取交易请求报文 The transaction card security key management system according to claim 6, characterized in that said security card comprising: a request processing module, for generating a public and private key to the user, to send the financial carrying platform basic information of the user, PKCS # 10 request user's public key; transaction key verification module, after receiving the session key for the encrypted information, using the transaction key by the private key to decrypt the encrypted user information, verify the correctness of the asymmetric key, and after decryption verification is successful, the transaction card security key is stored encrypted information to the security zone; key usage transaction module, for extracting the encrypted from the security zone the key information after the transaction, the transaction key using the user private key to decrypt the encrypted information to obtain key information transaction, a transaction select a transaction key from the key information, to obtain the session key of a certain index; one transaction using the transaction key cryptographic encryption 3DES-ECB plaintext, the ciphertext is encrypted transaction password; UTF-8 encoding using the acquisition transaction request messages MD5摘要,再对上述MD5摘要进行补位处理, 对补位后的MD5摘要进行MAC计算得到MAC效验值;向所述金融平台发送包含所述交易密码密文、所述某一个交易密钥的索引、MAC效验值信息的金融交易请求。 MD5 digest, and then the above process MD5 digest fill bits of the MD5 digest computed fill bit MAC value MAC efficacy; transmitting to the internet comprising the financial transaction password ciphertext, said one transaction key index, financial transaction request MAC efficacy value information.
8.根据权利要求7所述的安全卡的交易密钥的管理系统,其特征在于:所述的金融平台,具体用于接收到所述PKCS#10请求后,向金融认证中心发送携带所述用户的基本信息、用户公钥的用户证书申请请求。 The transaction card security key management system according to claim 7, wherein: said financial platform, particularly for receiving the PKCS # 10 request, the authentication center sends the financial carrying the basic information of the user, the user public key user certificate application request.
9.根据权利要求8所述的安全卡的交易密钥的管理系统,其特征在于,所述的系统还包括:金融认证中心,具体用于接收到所述用户证书申请请求后,生成所述用户的用户证书, 该用户证书中包括证书公钥、有效期、颁发机构、用户的基本信息,将所述用户证书发送给所述金融平台。 9. The transaction card security key management system according to claim 8, characterized in that said system further comprises: the financial authentication center, particularly for receiving the user certificate request, generates the user user certificate, the user certificate including public key certificate is valid, the issuer, the basic information of the user, the user sends the certificate to the financial internet.
CN201310018541.2A 2013-01-17 2013-01-17 The management method of the transaction key of safety card and device CN103051459B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310018541.2A CN103051459B (en) 2013-01-17 2013-01-17 The management method of the transaction key of safety card and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310018541.2A CN103051459B (en) 2013-01-17 2013-01-17 The management method of the transaction key of safety card and device

Publications (2)

Publication Number Publication Date
CN103051459A true CN103051459A (en) 2013-04-17
CN103051459B CN103051459B (en) 2016-04-06

Family

ID=48063967

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310018541.2A CN103051459B (en) 2013-01-17 2013-01-17 The management method of the transaction key of safety card and device

Country Status (1)

Country Link
CN (1) CN103051459B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105279648A (en) * 2014-07-04 2016-01-27 Ub特伦株式会社 Internet banking login service system by using key-lock card with security card and internet banking login method thereof
CN106251132A (en) * 2016-07-28 2016-12-21 恒宝股份有限公司 A kind of HCE security off-line promotes system and implementation method
CN107508796A (en) * 2017-07-28 2017-12-22 北京明朝万达科技股份有限公司 A kind of data communications method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035135A (en) * 2007-04-27 2007-09-12 清华大学 Digital certificate system applicable to the no/weak local storage client system
CN101393628A (en) * 2008-11-12 2009-03-25 北京飞天诚信科技有限公司 Novel network safe transaction system and method
CN101631305A (en) * 2009-07-28 2010-01-20 交通银行股份有限公司 Encryption method and system
CN101931532A (en) * 2009-09-08 2010-12-29 北京握奇数据系统有限公司 Telecommunication smart card-based digital certificate management method and telecommunication smart card

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035135A (en) * 2007-04-27 2007-09-12 清华大学 Digital certificate system applicable to the no/weak local storage client system
CN101393628A (en) * 2008-11-12 2009-03-25 北京飞天诚信科技有限公司 Novel network safe transaction system and method
CN101631305A (en) * 2009-07-28 2010-01-20 交通银行股份有限公司 Encryption method and system
CN101931532A (en) * 2009-09-08 2010-12-29 北京握奇数据系统有限公司 Telecommunication smart card-based digital certificate management method and telecommunication smart card

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105279648A (en) * 2014-07-04 2016-01-27 Ub特伦株式会社 Internet banking login service system by using key-lock card with security card and internet banking login method thereof
CN106251132A (en) * 2016-07-28 2016-12-21 恒宝股份有限公司 A kind of HCE security off-line promotes system and implementation method
CN107508796A (en) * 2017-07-28 2017-12-22 北京明朝万达科技股份有限公司 A kind of data communications method and device
CN107508796B (en) * 2017-07-28 2019-01-04 北京明朝万达科技股份有限公司 A kind of data communications method and device

Also Published As

Publication number Publication date
CN103051459B (en) 2016-04-06

Similar Documents

Publication Publication Date Title
CN101765996B (en) Apparatus and method for remote authentication and transaction signature
JP4617763B2 (en) Device authentication system, device authentication server, terminal device, device authentication method, and device authentication program
US9887838B2 (en) Method and device for secure communications over a network using a hardware security engine
JP2008533882A (en) How to backup and restore encryption keys
CN103714641B (en) A terminal master key method and system for secure download tmk
US7571320B2 (en) Circuit and method for providing secure communications between devices
US8239679B2 (en) Authentication method, client, server and system
EP0820670A1 (en) Computer-assisted method for the exchange of cryptographic keys between a user computer unit (u) and network computer unit (n)
US10461933B2 (en) Methods for secure credential provisioning
CN1954308A (en) System and method of secure information transfer
US8130961B2 (en) Method and system for client-server mutual authentication using event-based OTP
CN101340279B (en) Method, system and apparatus for data ciphering and deciphering
KR20080050936A (en) Method for transmitting data through authenticating and apparatus therefor
CN1659821A (en) Method for secure data exchange between two devices
KR20080090989A (en) Apparatus and method for providing security service in home network
CN101282222B (en) Digital signature method based on CSK
US9379891B2 (en) Method and system for ID-based encryption and decryption
CN102098157A (en) A system and method for designing secure client-server communication protocols based on certificateless public key infrastructure
CN101340437B (en) Time source regulating method and system
CN101005361A (en) Server and software protection method and system
CN100536393C (en) Secret shared key mechanism based user management method
JPH0575598A (en) Key data sharing device
US20120170740A1 (en) Content protection apparatus and content encryption and decryption apparatus using white-box encryption table
CN102624522A (en) Key encryption method based on file attribution
KR20070029864A (en) Method and apparatus for securely transmitting and receiving data in peer to peer

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model