This application is a continuation-in-part of co-pending U.S. Patent Application No. 11/534,653, filed September 24, 2006, now U.S. Patent No. 8,118,218, and is also a continuation-in-part of U.S. Patent Application No. 11/739,044, filed April 23, 2007.
[Detailed Description of the Embodiments]
The detailed description of the present invention is presented largely in terms of procedures, steps, logic blocks, processing, and other symbolic representations that directly or indirectly resemble the operations of the technical solutions of the present invention. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the present invention. The present invention may nevertheless be practiced without these specific details. Those skilled in the art use these descriptions and representations to convey the substance of their work effectively to others skilled in the art. In other words, well-known methods and procedures are not described in detail so as to avoid obscuring the present invention.
Reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one implementation of the present invention. The appearances of the phrase "in one embodiment" in various places in this specification do not all refer to the same embodiment, nor are they separate or alternative embodiments mutually exclusive of other embodiments. Further, the order of modules in a method, flowchart, or functional block diagram representing one or more embodiments does not inherently indicate any particular order, nor is it to be construed as limiting the present invention. As used herein, a key set refers to a group of keys.
Embodiments of the present invention are described below with reference to FIGS. 1A-7. Those of ordinary skill in the art will readily understand, however, that the detailed description given here with respect to these figures is illustrative only, and that the present invention is not limited to these embodiments.
Near Field Communication (NFC) presents significant business opportunities when mobile phones with NFC capability are used for services such as payment, transit ticketing, credit services, physical access control and other exciting new services. To support this rapidly developing business environment, many entities, including financial institutions, the various manufacturers of NFC-enabled mobile phones (also called makers), software developers, and Mobile Network Operators (MNOs), participate in the NFC mobile ecosystem. Because of their independent roles, these participants need to exchange information with one another in a reliable and interoperable manner.
The confidentiality and security of the data and sensitive applications downloaded to and stored in an NFC-enabled mobile phone, and of the contactless transactions it performs, are of equal importance to each of the entities mentioned above. The component within a mobile phone that provides the security and confidentiality required to support the various business models is called a Secure Element (SE).
FIG. 1A shows a simplified architecture of a computing device 100. Unless otherwise stated, the terms "computing device", "mobile device", "cellular phone" and "mobile phone" are used interchangeably herein, but those of ordinary skill in the art will understand that these terms may also refer to other devices, such as smart phones, notebook computers, contactless smart cards and other portable devices.
The mobile device 100 includes an NFC controller 101 that allows the mobile device 100 to communicate wirelessly with other devices to exchange data. For example, a user may use the mobile device 100 as an electronic purse (e-purse) to make a purchase payment. In operation, the e-purse is controlled by a secure element 102. The secure element 102 enables such a mobile device 100 to perform financial transactions, transit ticketing, credit services, physical access control and other exciting services in a secure manner. To provide such services, the secure element 102 can support various Java applets, applications or modules (only two examples, 104 and 106, are shown in FIG. 1A). In implementation, these modules may be hardware modules embedded in or inserted into the device, or software modules downloaded from one or more servers over a data network.
When a mobile device is first purchased or first delivered to a customer, the secure element 102 of the mobile device is installed with a set of default keys, such as an Issuer Security Domain (ISD) key set set by the secure element manufacturer. In implementation, the secure element 102 may take the form of a smart card, an integrated circuit (IC) or a software module that can be upgraded by rewriting some or all of it. In one embodiment, the secure element 102 is a tamper-resistant smart card chip capable of embedding card-level applications (for example payment, transit) according to the required level of security. As shown in FIG. 1A, the secure element 102 embeds or coordinates contactless NFC-related applications and is connected to the NFC controller 101 to act as the contactless front end.
Typically, a standards-compliant secure element is supplied with an Issuer Security Domain (ISD) and, optionally, one or more Supplemental Security Domains (SSDs). Each domain includes a set of keys (a key set). In one embodiment, the secure element 102 is a chip embedded in the mobile device 100 or a small card inserted into the mobile device 100 through a card interface 109. In another embodiment, the secure element 102 is, or includes, a software module loaded in a secure memory space 107 of the mobile device. The software module can be upgraded by downloading update components from a designated server through a network interface 103 (for example a 3G or Long Term Evolution (LTE) network) of the mobile device 100.
The secure element 102 must go through a personalization process before it can be used. In one embodiment, the personalization process loads or updates a key set for the secure element 102 according to a derived personalized key set selected by the card issuer (for example the so-called secure element issuer). Such a personalization process may also be called a provisioning process. According to one embodiment, the provisioning process that personalizes the secure element is performed over the air when an application is installed or a service is enabled (for example application installation and personalization). Personalization of the secure element is performed when the secure element is associated with a secure element issuer. When a user subscribes to or installs an application, application installation and provisioning must be performed for each application.
In one embodiment, when the secure element 102 is updated or upgraded, only some components in the secure element 102 are replaced or updated with the new update, so that the secure element 102 does not have to be personalized again from scratch. In implementation, these updates can be obtained automatically or manually and loaded into the mobile device 100.
In one embodiment, an NFC-enabled mobile device can download applications from a server or a TSM portal, depending on the corresponding secure element issuer and TSM. TSM stands for Trusted Service Management, a collection of services. One primary role of the TSM is to help service providers securely distribute and manage contactless services for their customers using the networks of mobile operators. The TSM or its servers are not necessarily involved in the actual contactless transactions performed with the NFC device; those transactions are typically processed by the systems of the service providers and their business partners. Another role of the TSM is to facilitate contractual arrangements and other aspects of the business relationships between the different parties, thereby making mobile commerce possible by acting as a business intermediary that accelerates the successful deployment of mobile NFC applications.
The personalization process can be performed at a service centre, or remotely through the web portal of a TSM server. In the first scenario, the customer goes to a service centre and a service representative personalizes the secure element in the mobile device. On a computer connected to an NFC card reader at a given location (such as the service centre), a provisioning manager, which may be an installed application or a web-based application connected to the back-end TSM, is used to communicate with the secure element of the mobile device (for example through the card reader). Such a personalization process may also be referred to as an Over the Internet process.
In the second scenario, the customer registers his or her mobile phone through a server (the TSM web portal). The TSM server can send the Universal Resource Identifier (URI) of a provisioning manager to the registered mobile phone; depending on the type of mobile device, delivery may be by Short Message Service (SMS) Push or Google Android Push. The customer downloads the provisioning manager to the mobile device and starts the personalization process. Such a personalization process is referred to as an Over the Air process.
In either scenario, the provisioning manager acts as a proxy between the secure element of the mobile device and the TSM server. Referring now to FIG. 1B, a flow or process 110 of personalizing a secure element according to one embodiment of the present invention is shown. In implementation, the process 110 can be realized in software or in a combination of software and hardware. When a user receives a new NFC device (for example as part of a mobile device), the secure element in it needs to be personalized.
In operation 112, it is determined whether the new NFC device is a genuine NFC device. One example is to check the serial number associated with the NFC device; the serial number can be authenticated against a database associated with the TSM server. In the case of an NFC mobile device, the device serial number of the mobile device can be used for authentication. Assuming now that the NFC device is genuine and can be recognized by the mobile operator, the process 110 proceeds to operation 114, where the NFC device communicates with a dedicated server. In one embodiment, the dedicated server is part of the TSM system and is accessed over a wireless network, the Internet, or a combination of wireless and wired networks (referred to herein as a data network or simply a network).
In operation 116, the NFC device is registered with the server. Once the NFC device has become part of the TSM system, various services and data can be communicated with the NFC device over the network. As part of the personalization process, in operation 118 the server requests device information about the secure element. In one embodiment, the server sends a data request (for example a service message or WAP PUSH) to the NFC device. In response to the data request, the NFC device returns Card Product Life Cycle (CPLC) information extracted from the secure element. The CPLC information includes secure element product information such as the smart card ID, manufacturer information and batch number. Based on the CPLC information, the server can retrieve the corresponding default Issuer Security Domain (ISD) information of the secure element from its manufacturer, an authorized distributor or a service provider. In implementation, there are two modes of communication between the server and the secure element manufacturer, which are described in detail in the appropriate section below.
In operation 120, it is determined with the manufacturer whether the device information needs to be updated. Typically, a secure element is embedded with certain default device information when it is shipped by its manufacturer. If it is determined with the manufacturer that the default device information (for example the CPLC data) needs to be updated, the process 110 proceeds to operation 122, where the manufacturer uploads the corresponding updated device information to the server. In operation 124, the updated device information is transmitted to the NFC mobile device and stored in the secure element. If it is determined with the manufacturer that the default device information of the secure element does not need to be updated, the process 110 proceeds to operation 124 and the extracted default device information is stored in the database associated with the TSM server. In one embodiment, the server includes an interface for obtaining a derived key set. In one embodiment, the derived key set is generated from the device information (for example the ISD) of the secure element. Once the derived ISD key set has been successfully installed in the secure element, the corresponding secure element issuer is notified that the derived ISD key set is in use.
According to one embodiment of the present invention, in operation 126 the device information (default or updated) is used to generate a key set (or group of keys). In one embodiment, the server is configured to use the default ISD to establish a secure channel between its hardware security module (HSM) and the secure element. The server is also configured to compute the derived key set for the secure element. Depending on the business agreement, the master ISD key of the secure element issuer may reside in the HSM associated with the server or in the local HSM of the secure element issuer. An HSM is a secure cryptographic processor that manages digital keys, accelerates cryptographic processing, and provides strong authentication for access to the key-encrypting keys used by server applications. If the master ISD key resides in the HSM of the server, the server instructs that HSM to compute the derived key set. The server then uses a mechanism (for example the PUT KEY APDU) over the default channel to replace the default key set in the secure element with the derived key set. If the master ISD key of the secure element issuer resides in the local HSM of the secure element issuer, the server is configured to interact with that remote HSM to obtain the master ISD key.
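As an added illustration of operations 118 through 126 (parsing the CPLC returned by the secure element and diversifying a per-element key set from it), the following Python is example code written for this description and is not part of the patent. The 42-byte field layout follows the GlobalPlatform CPLC data object (tag 9F7F); the HMAC-SHA256 key derivation, the three-key ENC/MAC/DEK layout, the master key value and the sample CPLC bytes are assumptions of the example, not the scheme of any issuer. Replacing the default key set over PUT KEY additionally requires the new key components to be encrypted under the secure channel's data encryption key, which is not shown here.

```python
"""CPLC parsing and per-secure-element key-set derivation (added example).

The field layout follows the GlobalPlatform Card Production Life Cycle (CPLC)
data object (tag 9F7F, 42-byte value). The KDF is an illustrative HMAC-SHA256
construction chosen for this example; it is not the derivation scheme of any
particular secure element issuer.
"""
import hashlib
import hmac
from typing import Dict

# (field name, length in bytes) in the order the 42-byte CPLC value is laid out.
CPLC_LAYOUT = (
    ("ic_fabricator", 2),
    ("ic_type", 2),
    ("os_id", 2),
    ("os_release_date", 2),
    ("os_release_level", 2),
    ("ic_fabrication_date", 2),
    ("ic_serial_number", 4),
    ("ic_batch_identifier", 2),
    ("ic_module_fabricator", 2),
    ("ic_module_packaging_date", 2),
    ("icc_manufacturer", 2),
    ("ic_embedding_date", 2),
    ("ic_pre_personalizer", 2),
    ("ic_pre_personalization_date", 2),
    ("ic_pre_personalization_equipment_id", 4),
    ("ic_personalizer", 2),
    ("ic_personalization_date", 2),
    ("ic_personalization_equipment_id", 4),
)
CPLC_LENGTH = 42  # sum of the lengths above
CPLC_TLV_HEADER = b"\x9f\x7f\x2a"  # tag 9F7F, length 0x2A = 42

# Constructed sample GET DATA response (TLV form); the values are made up.
SAMPLE_CPLC_RESPONSE = bytes.fromhex(
    "9f7f2a"
    "4790" "5168" "4791" "1234" "0100" "1230"
    "00a1b2c3" "0042" "4790" "1231" "0000" "0000"
    "0000" "0000" "00000000" "0000" "0000" "00000000"
)


def parse_cplc(response: bytes) -> Dict[str, str]:
    """Parse a GET DATA (9F7F) response into named hex fields.

    Accepts either the bare 42-byte value or the TLV form 9F 7F 2A <value>.
    Raises ValueError on any other length, so a truncated or padded response
    is never silently used for key derivation.
    """
    if response[:3] == CPLC_TLV_HEADER:
        response = response[3:]
    if len(response) != CPLC_LENGTH:
        raise ValueError(f"CPLC value must be {CPLC_LENGTH} bytes, got {len(response)}")
    fields: Dict[str, str] = {}
    offset = 0
    for name, size in CPLC_LAYOUT:
        fields[name] = response[offset:offset + size].hex()
        offset += size
    return fields


def diversification_data(cplc: Dict[str, str]) -> bytes:
    """Fields that together identify one chip: fabricator, type, serial and batch."""
    return bytes.fromhex(
        cplc["ic_fabricator"] + cplc["ic_type"]
        + cplc["ic_serial_number"] + cplc["ic_batch_identifier"]
    )


def derive_key_set(master_key: bytes, cplc: Dict[str, str]) -> Dict[str, bytes]:
    """Derive a three-key (ENC, MAC, DEK) security-domain key set for this chip.

    Illustrative KDF: K_label = HMAC-SHA256(master, label || diversification)[:16].
    In a deployment the master key never leaves the HSM; the HSM performs this step
    and only the derived keys (wrapped for PUT KEY) leave it.
    """
    div = diversification_data(cplc)
    return {
        label: hmac.new(master_key, label.encode() + div, hashlib.sha256).digest()[:16]
        for label in ("ENC", "MAC", "DEK")
    }


if __name__ == "__main__":
    cplc = parse_cplc(SAMPLE_CPLC_RESPONSE)
    # Assumed master key for the demonstration only.
    keys = derive_key_set(b"\x11" * 16, cplc)
    print("serial:", cplc["ic_serial_number"], "batch:", cplc["ic_batch_identifier"])
    for label, key in keys.items():
        print(label, key.hex())
```

Two different chips from the same batch differ only in the serial number, and the derived keys differ accordingly, so compromise of one personalized element does not expose another's keys.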
In operation 128, the key set is securely transmitted to the secure element. The key set is personalized into the secure element so that it can be used in the various secure operations or services performed with the NFC device. In operation 130, the server synchronizes the secure element with its issuer or provider (for example by sending a notification about the state of the secure element to the issuer or provider).
After personalization, the personalized ISD key of the SE issuer can be used to access the secure element. Depending on the security requirements of each service provider, the TSM can provide additional SSDs for each provider to personalize their respective applications (for example modules 104 or 106 in FIG. 1A).
As described above, there are two ways of interacting with the manufacturer to retrieve the default ISD information corresponding to the secure element. Depending on its architecture, a manufacturer may choose a real-time approach or a batch approach.
In the real-time approach, while the TSM server is personalizing a secure element, the server is configured to communicate with the manufacturer (for example its server), so that the default key set is retrieved from the manufacturer's server on request. In one embodiment, the TSM server includes a plug-in module for communicating with each manufacturer.
The batch approach can be performed in an online mode or an offline mode. In the offline mode, the secure element manufacturer delivers the default ISD information for all the secure elements it supports on encrypted media. The TSM administrator or a computing device is then provided with the information on the physical media for input into a computing device, where the default ISD information is decrypted, extracted and stored in a database. In the online mode, the SE manufacturer uploads the default ISD information of the secure elements it supports over the network; the default ISD information is then decrypted, extracted and stored in a database. During the personalization of a secure element, the TSM then only needs to access its own HSM or database. FIG. 1C illustrates the relationships between the SE manufacturer, the TSM administrator and the TSM system in the offline and online modes.
FIG. 1D shows, according to one embodiment of the present invention, the corresponding data flow among the user of an NFC device (for example an NFC mobile phone), the NFC device, the TSM server, the SE manufacturer and the SE issuer.
In one respect, the secure element 102 in FIG. 1A can be regarded as a pre-loaded operating system in a smart card, providing a platform for PIN management and secure channels (or security domains) for card personalization. The secure element 102 combines the interests of smart card issuers, vendors, industry groups, public entities and technology companies in defining requirements and technical standards for the multiple applications running on a smart card.
As an example, a module 104 serving as e-purse security defines a set of protocols that enable micro-payment transactions to be carried out in wired or wireless environments. For an e-purse stored in a smart card, a set of keys (symmetric or asymmetric) is personalized into the e-purse after the e-purse is issued. During a transaction, the e-purse uses the respective set of keys to perform encryption and MAC computation in order to secure the information channel between the e-purse and a Security Authentication Module (SAM) or a back-end server. For a single-function card, the e-purse security module 104 acts as a gatekeeper protecting the actual operations performed on the single-function card. During personalization, the e-purse is personalized with the e-purse transaction keys and the access keys of the single-function card (or a transformation thereof).
FIG. 1E shows, according to one embodiment of the present invention, a platform-based or network-based SAM or e-purse server 152, an e-purse 154 acting as gatekeeper, a single-function tag 156, and the personalization data flow 150 among these three entities. Communication between the platform-based or network-based SAM or e-purse server 152 and the e-purse 154 is carried out with one type of command (for example APDUs, Application Protocol Data Units), while communication between the e-purse 154 and the single-function tag 156 is carried out with another type of command, with the e-purse acting as gatekeeper to ensure that only secure, trusted and authorized data exchanges are allowed to take place.
In one embodiment, the security of the e-purse is realized in an emulator. An emulator, as used herein, is a hardware device or a piece of program that other modules expect to interact with, or that presents itself as another particular device or program. E-purse security is realized between one or more Java applets that provide the e-purse functions and communicate with a payment server. The secure element supporting the e-purse is responsible for updating the security keys to establish appropriate channels between the payment server and the Java applets, with the e-purse applet acting as gatekeeper to regulate or control the data exchange.
FIG. 2A illustrates a mobile ecosystem 200 in which the parties participating in the mobile ecosystem are listed in turn. In one embodiment, an NFC device is allowed to download or install one or more applications from a corresponding designated server 202 (for example an application management provider), where the applications are originally developed by an application developer 204 and published by a service provider 210, the application management provider 202 or another party. The secure element 206, supplied by a secure element provider 208, is assumed to be personalized through a TSM or a trusted third party (for example a financial institution 212).
Once an application is installed in the NFC device, the next step is to provision the application with the secure element. The provisioning process of an application can be started in several ways. One way is for the secure element owner to select an application from the TSM portal on the mobile device and start the provisioning process. Another is for the secure element owner to receive, on the mobile device, an application provisioning notification from the TSM acting on behalf of the application provider.
The TSM or the application provider can publish their applications on the TSM portal for download to, and subscription on, mobile devices with secure elements at the request of the user (for example the SE owner). In one embodiment, the TSM provides a cloud service for multiple SE issuers, so that many applications from various service providers are available from the TSM portal. However, when logging into the TSM portal, a secure element owner only sees the applications certified by his secure element issuer. Depending on the agreement between the secure element issuer and the service provider, the download, installation and personalization of an application can be performed using the ISD key set of the secure element or the designated SSD key set of the service provider. If the SSD key set is not yet present in the secure element, it is installed during the installation of an application.
The TSM knows the storage status of the secure element for each SSD. Based on the memory allocation policy of the SSD and the storage status of the secure element, the applications available in the application store for the various SSDs can be labelled with different indications, such as "installable" or "insufficient memory to install". Unnecessary failures for the user are thereby prevented.
Once an application is installed in an NFC device, either the application initiates its own provisioning process, or the TSM server sends a provisioning notification to the NFC device over the cellular network or a wireless data network. Depending on the type of NFC device, there are various ways of sending a PUSH message that causes the NFC device to start the provisioning process; examples include SMS push and Google Android push. Once the user receives the notification, the provisioning process starts. The provisioning process is described in detail where appropriate.
As part of the provisioning of an application, the TSM server implements several protective mechanisms. One prevents the secure element from being locked accidentally. Another stops the download of an application when there is insufficient memory in the secure element.
If too many mutual authentication failures occur during the establishment of a secure channel, the secure element may lock itself permanently. To prevent the secure element from being locked accidentally, the TSM keeps track of the number of authentication failures between the secure element and the TSM while a secure channel is being established between the two parties (entities). In one embodiment, once a preset limit is reached, the TSM refuses any further requests. The TSM resumes processing requests for the SE only after the secure element has been manually reset at a service centre.
The TSM also keeps track of the memory usage of each secure element. Based on the memory allocation assigned to each service provider by the SE issuer, the TSM determines whether an application can be installed on a secure element. According to one embodiment, there are three types of policy:
Pre-allocated fixed memory space, which guarantees the space;
Pre-allocated minimum memory space, which guarantees a minimum amount of space;
Best effort.
The secure element issuer performs this task through the TSM web portal:
1. For a batch of secure elements, the secure element issuer can pre-allocate a storage policy for a service provider to install its applications through the TSM web portal;
2. When a mobile device requests the installation of an application, the TSM server checks whether the space of the corresponding service provider satisfies its storage policy; if not, the request is rejected;
3. Otherwise, the TSM server processes the provisioning request;
4. If the provisioning is successful, the TSM accumulates the storage size of this application for the service provider.
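The two protective mechanisms described above (the authentication-failure counter and the three storage policies checked in steps 1 to 4) are modelled in the following Python as an added example written for this description; it is not code from the patent or from any TSM product. The class names, the failure limit of three, the capacity figures, and the rule that a best-effort install, or a minimum-policy install beyond its guaranteed amount, may only consume memory not held by another provider's reservation or usage are assumptions of the example.

```python
"""TSM-side protective checks before provisioning (added example).

Two mechanisms: a per-secure-element counter of mutual-authentication failures
that makes the TSM refuse further requests before the SE's own counter would
lock it permanently, and a per-service-provider storage policy (fixed /
minimum / best effort) checked before an install request is processed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict


class Policy(Enum):
    FIXED = "fixed"              # pre-allocated fixed space: this much is guaranteed, no more
    MINIMUM = "minimum"          # pre-allocated minimum space: at least this much is guaranteed
    BEST_EFFORT = "best_effort"  # nothing reserved: install only into memory nobody holds


@dataclass
class Allocation:
    policy: Policy
    reserved: int = 0  # bytes reserved for this service provider by the SE issuer
    used: int = 0      # bytes accumulated from successful provisioning (step 4)

    def held(self) -> int:
        """Memory this provider holds: its reservation or actual usage, whichever is larger."""
        return max(self.reserved, self.used)


@dataclass
class SecureElementRecord:
    capacity: int  # application memory of the SE in bytes
    allocations: Dict[str, Allocation] = field(default_factory=dict)
    auth_failures: int = 0
    locked_out: bool = False


class TsmGuard:
    """Tracks authentication failures and memory usage per secure element."""

    def __init__(self, max_auth_failures: int = 3):
        self.max_auth_failures = max_auth_failures
        self.elements: Dict[str, SecureElementRecord] = {}

    def register_element(self, se_id: str, capacity: int) -> None:
        self.elements[se_id] = SecureElementRecord(capacity)

    # -- protection against accidental locking -----------------------------
    def record_auth_result(self, se_id: str, success: bool) -> None:
        """Called after each mutual authentication attempt during secure channel setup."""
        se = self.elements[se_id]
        if success:
            se.auth_failures = 0
            return
        se.auth_failures += 1
        if se.auth_failures >= self.max_auth_failures:
            se.locked_out = True  # refuse further requests before the SE locks itself

    def service_centre_reset(self, se_id: str) -> None:
        """Manual reset at a service centre; the TSM resumes handling this SE."""
        se = self.elements[se_id]
        se.auth_failures = 0
        se.locked_out = False

    # -- storage policy ----------------------------------------------------
    def preallocate(self, se_id: str, sp: str, policy: Policy, reserved: int = 0) -> None:
        """Step 1: the SE issuer pre-allocates a storage policy for a service provider."""
        self.elements[se_id].allocations[sp] = Allocation(policy, reserved)

    def _shared_free(self, se: SecureElementRecord) -> int:
        """Memory not held by any provider's reservation or usage."""
        return se.capacity - sum(a.held() for a in se.allocations.values())

    def can_install(self, se_id: str, sp: str, app_size: int) -> bool:
        """Step 2: does the provider's space satisfy its policy for an app of this size?"""
        se = self.elements[se_id]
        alloc = se.allocations.get(sp)
        if se.locked_out or alloc is None:
            return False
        if alloc.used + app_size <= alloc.reserved:
            return True  # within the guaranteed space (FIXED or MINIMUM)
        if alloc.policy is Policy.FIXED:
            return False  # fixed allocation never grows past its reservation
        # MINIMUM beyond its guarantee, or BEST_EFFORT: the growth beyond what this
        # provider already holds must fit in memory nobody else holds.
        growth = alloc.used + app_size - alloc.held()
        return growth <= self._shared_free(se)

    def store_label(self, se_id: str, sp: str, app_size: int) -> str:
        """Label shown in the application store before the user attempts an install."""
        if self.can_install(se_id, sp, app_size):
            return "installable"
        return "insufficient memory to install"

    def request_install(self, se_id: str, sp: str, app_size: int) -> str:
        """Steps 2 to 4: reject, or process the request and accumulate the size."""
        se = self.elements[se_id]
        if se.locked_out:
            return "rejected: authentication failure limit reached, service centre reset required"
        if sp not in se.allocations:
            return "rejected: no storage policy pre-allocated for this service provider"
        if not self.can_install(se_id, sp, app_size):
            return "rejected: storage policy not satisfied"
        # ... SSD creation, load, install and personalization would run here ...
        se.allocations[sp].used += app_size  # step 4: accumulate on success
        return "provisioned"
```

Labelling an application before the user taps "install" and refusing the request in the same code path keeps the portal's indication and the server's decision consistent, which is what prevents the unnecessary failures mentioned above.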
When a mobile user subscribes to a mobile application (if it is installed), the application needs to be provisioned with the secure element on the mobile device before the application can be used. In one embodiment, the provisioning process comprises four main phases:
creating a Supplemental Security Domain (SSD) in the secure element, if needed;
downloading and installing an application in the secure element;
personalizing the application in the secure element;
downloading the UI (user interface) component to the mobile device.
FIG. 2B shows a flow or process 220 of provisioning one or more applications according to one embodiment of the present invention. The process 220 can be implemented in software or in a combination of software and hardware. In one embodiment, the application provisioning process 220 requires a provisioning manager (for example a proxy) on the mobile device to interact with the secure element in it.
As shown in FIG. 2B, at operation 222 the application provisioning process 220 can be started automatically or manually. For example, assuming the application has not yet been provisioned, a user may start the provisioning process by selecting an installed application and subscribing to the related service, or by activating the installed application. In another embodiment, the application provider sends a message (for example a short message) to the mobile phone to start the provisioning process.
In any case, the process 220 proceeds to operation 224, where, after the device information (for example the CPLC) has been extracted from the secure element of the mobile device, communication is established with a dedicated server (for example a TSM server, or a server operated by the application issuer). At operation 226, the device information is transmitted to the server together with an identifier identifying the application. In operation 228, the server first identifies the issuer of the secure element based on the device information, and in operation 230 determines whether the secure element has been personalized. If the secure element has not yet been personalized, the process 220 proceeds to operation 232 to personalize the secure element; one embodiment of operation 232 can be realized according to the process 110 in FIG. 1B.
Assuming now that the secure element in the mobile device has been personalized, the process 220 proceeds to operation 234, where a secure channel is established with the secure element using the derived ISD. Depending on who provides the HSM for the ISD (for example the TSM or the SE issuer), the server contacts that HSM to compute the derived ISD for the secure element and uses this derived ISD to establish a secure channel with the secure element. Then, in operation 236, the server checks whether an SSD is associated with this application. If the application has a corresponding SSD, the server checks its database to see whether that SSD has already been installed on the secure element. If the SSD needs to be installed, the process 220 proceeds to operation 240 to install the SSD. In one embodiment, the user is prompted about the installation of the SSD (key). In operation 238, assuming the user declines to install the SSD, the process 220 stops and returns to operation 222 to restart the provisioning process 220.
Assume now that the SSD installation is performed in operation 240. Installing the SSD is similar to installing the ISD: the TSM server contacts the HSM holding the master SSD key to compute the derived SSD key set for the secure element. The master SSD key may reside with the TSM, the service provider or the secure element issuer, depending mainly on what the parties have agreed.
To download and install an application in the secure element, in operation 242 the server is configured to establish a secure channel with the secure element using the derived SSD. In one embodiment, this is similar to how a secure channel is established based on the derived ISD. In operation 244, the data for the application is prepared, the details of which are described below. According to one embodiment, the server contacts the service provider to prepare the STORE DATA Application Protocol Data Units (APDUs). Depending on the application installed in the mobile device, the server may issue STORE DATA repeatedly to personalize the application. If the provisioning is performed successfully, additional data including an appropriate interface (for example a user interface for the application on each mobile device) can be downloaded. In operation 246, the server notifies the application provider of the state of the provisioned application.
FIG. 2C shows the data flow 250 of the interactions among the different parties when provisioning an application.
As the operation 244 in Fig. 2 B, an important application of configuration application is as targeted security element prepares customized application data.Such as, for electronic wallet application, the personal data of this application comprises the various personalized transaction keys that the device information (such as CPLC information) based on safety element produces.In order to carry stored value card, the part of personal data comprises the Mifare access key of the identifier being derived from Mifare card, and described server both can individualize the application of Java card sheet, also can individualize Mifare4Mobile service goal.Usually, the mode of two kinds of different preparation data is had at least, to facilitate transaction subsequently.
In order to data encasement, one embodiment of the present of invention support and the mutual two kinds of patterns of described ISP are to calculate individualized application data.For the first pattern, described TSM server does not directly access the hardware security module associated with ISP.Described ISP can make the server mutual with its hardware security module produce to apply key (such as, transmit, stored value card or Mifare key).Described TSM data encasement realizes being that the agreement using application programming interfaces (API) or server to provide goes for ask and derives from application key (derived application key).The second pattern is that data encasement realizes directly to access the hardware security module relevant to ISP to produce application key.
According to an embodiment, Fig. 2 D shows the data flow 255 that when to prepare application data in configuration application process, Tongfang is not mutual.Fig. 2 D is first mode, and wherein said TSM server does not directly access the hardware security module associated with ISP.Except described application data prepare to realize by directly and the hardware security module of ISP alternately except, the second pattern has similar flow process.
Besides supporting the provisioning process, one embodiment also supports life cycle management of the secure element. Life cycle management includes, but is not limited to, locking the secure element, unlocking the secure element and deleting (disabling) an application. These activities can be initiated by a notification from the TSM. Fig. 2E shows a flow or process 260 of locking an installed application during actual use of a mobile device. An NFC device may have a number of installed applications that run on the secure element. For some reason (such as long inactivity or expiration), an application needs to be disabled or locked by its issuer or provider.
The process 260 of disabling an installed application starts at operation 262. In one embodiment, the process 260 is started manually by an operator through the TSM web portal. In another embodiment, the process 260 is started automatically by an internal workflow of the service provider (for example, using the TSM web service API). Once the process 260 starts, a message is sent to an NFC device (e.g., in a mobile device) in which an application needs to be disabled. In implementation, such a message may take different formats. In one embodiment, the message is a PUSH command. In another embodiment, the message is a TCP/IP request delivered over the network to the NFC device. In operation 264, the server (e.g., the TSM server) sends the message. In implementation, such a message includes an identifier of the application to be locked or disabled. On receiving such a message, in operation 266 the card manager proxy in the NFC device replies with a message in order to authenticate whether the message indeed came from the application's original issuer or provider. In one embodiment, that message is sent to the TSM server for authentication. If authentication fails, i.e., the inquiry is not answered, the process 260 ends.
Assuming the authentication passes, i.e., the inquiry from the device to the application's provider receives a reply confirmation, the original request is proven to be genuine. Usually, in operation 268, the reply confirmation includes the identifier of the application to be locked. The TSM server then establishes a secure channel with the secure element. Subsequently, the TSM server prepares the appropriate APDUs (such as SET STATUS and/or DELETE) for the secure element through the card manager proxy. In operation 270, the device sends an operation request to the secure element to lock the specific application.
In any case, in response to the command, in step 272 the secure element (SE) locks or disables the application. According to one embodiment, the SE is caused to detach from the application, so that the installed application can no longer use the secure element. In operation 274, the secure element sends a confirmation to notify the related parties that the application no longer runs on the device. In one embodiment, the confirmation is sent to the TSM server, which maintains a database recording which applications are installed on which devices and the corresponding state of each application. The database is updated according to the acknowledgement from the secure element.
Fig. 2E shows the flow or process 260 of locking an installed application. Those of ordinary skill in the art will appreciate that other operations, such as unlocking or enabling an installed application, or extending the validity period of an installed application, follow a process similar to that shown in Fig. 2E.
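The lock exchange of operations 262 to 274, as an added example that is not part of the patent: the card manager proxy acts on a LOCK message only after the TSM confirms that it issued that request. The message fields, the key shared between device and TSM, and the HMAC confirmation are assumptions; the patent leaves the message format open.

```python
"""Added example, not part of the patent text: the lock/disable exchange of
operations 262-274 as message passing between a TSM server and the card
manager proxy on an NFC device. The message fields and the HMAC confirmation
are assumptions; the patent leaves the message format open."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field


def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON so both sides authenticate identical bytes (assumption).
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


@dataclass
class TsmServer:
    """TSM side: issues lock messages (264), answers the proxy's
    authentication inquiry (266/268) and keeps the install database (274)."""
    device_keys: dict                               # device -> key shared with its proxy
    pending: dict = field(default_factory=dict)     # nonce -> (device, app) issued by us
    db: dict = field(default_factory=dict)          # (device, app) -> state

    def send_lock_message(self, device: str, app: str) -> dict:
        nonce = os.urandom(8).hex()
        self.pending[nonce] = (device, app)
        self.db.setdefault((device, app), "INSTALLED")
        return {"type": "LOCK", "device": device, "app": app, "nonce": nonce}

    def answer_inquiry(self, inquiry: dict):
        # Confirm only a request this TSM actually issued for this device/app.
        key = self.device_keys.get(inquiry["device"])
        issued = self.pending.get(inquiry["nonce"])
        if key is None or issued != (inquiry["device"], inquiry["app"]):
            return None                              # silence: the proxy must abort
        body = {"type": "CONFIRM", "device": inquiry["device"],
                "app": inquiry["app"], "nonce": inquiry["nonce"]}
        return {"body": body, "mac": _mac(key, body)}

    def receive_ack(self, ack: dict) -> None:
        self.db[(ack["device"], ack["app"])] = ack["state"]


@dataclass
class CardManagerProxy:
    """Device side: never acts on a LOCK message until the TSM confirms it."""
    device: str
    key: bytes
    se_apps: dict                                   # app -> state in the secure element

    def handle_lock(self, msg: dict, tsm: TsmServer) -> str:
        inquiry = {"type": "INQUIRY", "device": self.device,
                   "app": msg["app"], "nonce": msg["nonce"]}
        reply = tsm.answer_inquiry(inquiry)          # operation 266
        if reply is None:
            return "ABORTED"                         # no answer: process 260 ends
        body = reply["body"]
        if not hmac.compare_digest(_mac(self.key, body), reply["mac"]):
            return "ABORTED"                         # forged or tampered confirmation
        if body["app"] != msg["app"] or body["nonce"] != msg["nonce"]:
            return "ABORTED"                         # confirmation for a different request
        if msg["app"] not in self.se_apps:
            return "ABORTED"
        self.se_apps[msg["app"]] = "LOCKED"          # operations 270-272 (SET STATUS)
        tsm.receive_ack({"device": self.device, "app": msg["app"],
                         "state": "LOCKED"})         # operation 274
        return "LOCKED"


def run_scenarios() -> dict:
    """Genuine lock vs. a lock message the TSM never issued (constructed data)."""
    key = b"constructed-shared-key"
    tsm = TsmServer(device_keys={"phone-1": key})
    proxy = CardManagerProxy("phone-1", key,
                             {"epurse": "INSTALLED", "ticket": "INSTALLED"})
    genuine = proxy.handle_lock(tsm.send_lock_message("phone-1", "epurse"), tsm)
    spoofed = proxy.handle_lock({"type": "LOCK", "device": "phone-1",
                                 "app": "ticket", "nonce": "00" * 8}, tsm)
    return {"genuine": genuine, "spoofed": spoofed,
            "se_apps": dict(proxy.se_apps), "tsm_db": dict(tsm.db)}
```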
Referring to Fig. 2F, it illustrates, according to one embodiment, an architecture diagram 280 of a portable device acting as an e-purse for e-commerce and m-commerce. The diagram 280 includes a portable phone 282 with an embedded smart card module. An example of such a phone is a Near Field Communication (NFC) enabled portable phone including a SmartMX (SMX) module. It should be noted that the secure element and the application may be integrated. Unless otherwise stated, the following description does not identify which part performs the function of the secure element and which part serves as the application. Those of ordinary skill in the art will understand that the functions will be performed by the appropriate part according to the detailed description given below.
The SMX module is preloaded with a Mifare emulator 288 (i.e., a single-function card) for storing values. The portable phone is equipped with a contactless interface (such as ISO 14443 RFID) that allows the phone to act as a tag. In addition, the SMX module is a Java Card that runs Java applets. According to one embodiment, the e-purse is built on GlobalPlatform (GP) and implemented as an applet in the SMX module. The e-purse is configured to access the data structure of the Mifare emulator by password, where the password is obtained from the access key after a suitable conversion.
A purse manager MIDlet 284 is provided in the portable phone 282. In m-commerce, the MIDlet 284 acts as an agent for communication between the e-purse applet 286 and one or more payment networks and servers 290, so that transactions between the parties proceed smoothly. A MIDlet as referred to herein is a software component adapted to run on a portable device. The purse manager MIDlet 284 may be implemented as a "MIDlet" on a Java-enabled portable phone or as an "executable application" on a personal digital assistant (PDA). One function of the purse manager MIDlet 284 is to access the wireless network and communicate with an e-purse applet running on the same device or on an external smart card. In addition, the MIDlet 284 is also configured to provide management functions such as changing the personal identification number (PIN), checking the e-purse balance and viewing the transaction history log. In one example application, a card issuer provides a security identity module (SAM) 292 to support and authenticate any transaction carried out between the card and the corresponding server (i.e., the payment server). As shown in Fig. 2F, application protocol data unit (APDU) commands are created by the server 290, which can access the security identity module (SAM) 292; the APDU is the unit of communication between a reader and a card. The structure of an APDU is defined by the ISO 7816 standard. Typically, APDU commands are embedded in network messages and transmitted to the server 290 or to the e-purse applet 286 for processing.
In e-commerce, a web agent 294 running on a computer (not shown) is responsible for the interaction between a contactless reader (such as an ISO 14443 RFID reader) and the web server 290. In practice, the agent 294 sends APDU commands through the contactless reader 296 to the e-purse applet 286 running on the portable phone 282, or receives the corresponding replies from the e-purse applet 286 by the same path. On the other side, the agent 294 can generate network requests (such as HTTP) and receive the corresponding replies from the payment server 290.
When personalizing the portable phone 282, the block diagram 300 in Fig. 3A shows the related modules and their interactions for completing the personalization of the e-purse by a provisioning operator. The block diagram 320 in Fig. 3B shows the related modules and their interactions for completing the personalization of the e-purse shown in Fig. 2 by its user.
The flow or process diagram 350 in Fig. 3C illustrates the process of personalizing an e-purse applet according to one embodiment. Fig. 3C is best understood together with Fig. 3A and Fig. 3B. The process 350 may be implemented in software, hardware or a combination of both.
As mentioned above, the purse manager is built on GlobalPlatform to provide the security mechanism required to personalize the e-purse applet. In practice, a security domain is used to establish a secure channel between the personalization application server and the e-purse applet. According to one embodiment, the critical data personalized into the e-purse applet includes one or more operation keys (such as load or top-up keys and purchase keys), a default personal identification number, management keys (such as block/unblock PIN keys and reload PIN keys), and passwords (such as those for Mifare).
Assume a user wants to personalize an e-purse applet embedded in a portable device (such as a portable phone). In step 352 of Fig. 3C, the personalization process is activated. Depending on the implementation, the personalization process may be implemented in a module in the portable device and activated manually or automatically, or it may be a physical process started by a provisioning operator (typically personnel associated with the card issuer). As shown in Fig. 3A, the operator starts the personalization process 304 to personalize the e-purse applet for the user; the personalization process 304 uses the new e-purse security identity module 306 and the existing security identity module 308, and is carried out through a contactless reader 310 as the interface. The card manager 311 performs at least two functions: (1) establishing a secure channel through the security domain to install and personalize an external application (such as the e-purse applet) during card personalization; and (2) creating security measures (such as a personal identification number) to protect the application in subsequent operations. Using the personalization application server 304, the e-purse applet 312 and the emulator 314 are personalized as the result of the personalization process.
Similarly, as shown in Fig. 3B, an e-purse customer wishes to start a personalization process to personalize the e-purse applet wirelessly (e.g., through the m-commerce path in Fig. 2). Unlike Fig. 3A, Fig. 3B allows the personalization process to be activated either manually or automatically. For example, the portable phone is equipped with a control which, when pressed, activates the personalization process. Alternatively, a "not personalized" condition prompt may be presented to the user to start the personalization process. As mentioned above, the MIDlet 322 (i.e., a service manager) in the portable device acts as an agent to facilitate communication between the payment server 324 and the e-purse applet 312 and emulator 314, where the payment server 324 has access to the new e-purse security identity module 306 and the existing security identity module 308. Through the personalization process, the e-purse applet 312 and the emulator 314 are personalized.
Returning to Fig. 3C, after the personalization process shown in Fig. 3A is activated, the contactless reader 310 is activated and, in step 354, reads the tag identifier (ID) (i.e., the RFID tag ID) and the critical data from the smart card in the device. Using the application security domain (such as the card issuer's default security settings), in step 356 a secure channel is established between the new e-purse security identity module (e.g., security identity module 306 in Fig. 3A) and the e-purse applet in the portable device (e.g., e-purse applet 312 in Fig. 3A).
Each application security domain of GlobalPlatform includes three DES keys. For example:
Key 1: 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f
Key 2: 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f
Key 3: 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
The security domain is used to generate session keys for a secure session between two entities, which may be the card manager applet and a host application, where the host application may be a personalization application on a desktop machine or a networked personalization service provided by a back-end server.
A default application domain can be installed by the card issuer and assigned to different application/service providers. Each application owner can change the values of its key group at the initial stage of the process (or before the personalization process). The application can then use the new key group to create a secure channel for performing the personalization process.
Through the secure channel established via the application provider's application security domain, a first set of data can be personalized and stored into the e-purse applet. A second set of data can likewise be personalized through the same channel. However, if that data is held in a different security identity module, a new secure channel using the same key group (or a different key group) can be used to personalize the second set of data.
In step 358, a set of e-purse operation keys and a personal identification number are generated by the new e-purse security identity module 306 for the data exchange between the new e-purse security identity module and the e-purse applet, and the e-purse applet is thereby essentially personalized.
In step 360, a second secure channel is established between the existing security identity module (e.g., security identity module 308 in Fig. 3A) and the e-purse applet in the portable device (e.g., e-purse applet 312 in Fig. 3A). In step 362, a set of transformed keys is generated using the existing security identity module and the tag ID. The transformed keys are stored in the emulator for subsequent data access authentication. In step 358, a set of MF (Mifare) passwords is generated using the existing security identity module and the tag ID, and the passwords are stored in the e-purse applet for subsequent data access authentication. After all of the above operations are completed, the e-purse, including the e-purse applet and the corresponding emulator, is set to the "personalized" state.
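Added example illustrating the key handling described in the preceding paragraphs (the three-key listing, replacement of the key group by the application owner, keys transformed from the tag ID in step 362, and session keys for the secure channel); it is not code from the patent. HMAC-SHA256 stands in for the DES-based derivation, and the key index roles, tag ID, challenges and MAC layout are assumptions.

```python
"""Added example, not code from the patent: a GlobalPlatform-style security
domain key set in the 'Key n:version/index/algorithm/hex' notation listed
above, replacement of the key group by the application owner, keys
diversified from the tag ID (the 'transformed keys' of step 362) and session
keys for a secure channel. HMAC-SHA256 stands in for the DES-based
derivation; the real SCP derivation is not on the page and is assumed here."""
import hashlib
import hmac
import re
from dataclasses import dataclass

KEY_LINE = re.compile(r"Key\s*(\d+)\s*:\s*(\d+)/(\d+)/([A-Z0-9-]+)/([0-9a-fA-F]+)")


@dataclass(frozen=True)
class GpKey:
    version: int      # key version number (255 in the listing)
    index: int        # key index within the group (1, 2, 3 in the listing)
    algorithm: str    # e.g. DES-ECB
    value: bytes


def parse_key_line(line: str) -> GpKey:
    """Parse one 'Key n:version/index/alg/hex' line such as those listed above."""
    m = KEY_LINE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unrecognised key line: {line!r}")
    _, version, index, alg, hexval = m.groups()
    return GpKey(int(version), int(index), alg, bytes.fromhex(hexval))


def _kdf(key: bytes, *parts: bytes) -> bytes:
    # Stand-in derivation (assumption): 16 bytes of HMAC-SHA256 over the parts.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


class SecurityDomain:
    """One key group (indexes 1-3); the application owner may replace it
    before personalization, as the text describes."""

    def __init__(self, keys):
        self.keys = self._check(keys)

    @staticmethod
    def _check(keys) -> dict:
        group = {k.index: k for k in keys}
        if set(group) != {1, 2, 3} or len({k.version for k in keys}) != 1:
            raise ValueError("a key group needs indexes 1, 2, 3 sharing one version")
        return group

    def rotate(self, new_keys) -> None:
        """Owner installs its own key group in place of the issuer's defaults."""
        self.keys = self._check(new_keys)

    def transformed_keys(self, tag_id: bytes) -> dict:
        """Per-card keys diversified from the tag ID; master keys stay in the SAM."""
        return {i: _kdf(k.value, b"DIV", tag_id, bytes([i]))
                for i, k in self.keys.items()}

    def open_channel(self, tag_id: bytes, host_chal: bytes, card_chal: bytes):
        """Session keys bound to the card keys and to both parties' challenges."""
        div = self.transformed_keys(tag_id)
        return SecureChannel({i: _kdf(div[i], b"SESS", host_chal, card_chal) for i in div})


class SecureChannel:
    def __init__(self, session_keys: dict):
        self.session_keys = session_keys       # index 2 is used as the MAC key here

    def wrap(self, apdu: bytes) -> bytes:
        """Append an 8-byte MAC to a command APDU (assumed MAC layout)."""
        tag = hmac.new(self.session_keys[2], apdu, hashlib.sha256).digest()[:8]
        return apdu + tag

    def verify(self, wrapped: bytes) -> bool:
        return len(wrapped) > 8 and hmac.compare_digest(self.wrap(wrapped[:-8]), wrapped)


def demo() -> dict:
    """Issuer defaults from the listing, then the owner's own key group (constructed)."""
    issuer = [parse_key_line(f"Key {i}:255/{i}/DES-ECB/404142434445464748494a4b4c4d4e4f")
              for i in (1, 2, 3)]
    sd = SecurityDomain(issuer)
    tag = bytes.fromhex("04a1b2c3d4e5f6")                # constructed tag ID
    host, card = b"\x01" * 8, b"\x02" * 8                 # constructed challenges
    apdu = bytes.fromhex("80CA9F7F00")                    # GET DATA for the CPLC
    before = sd.open_channel(tag, host, card)
    sd.rotate([GpKey(1, i, "DES-ECB", bytes([0x10 + i]) * 16) for i in (1, 2, 3)])
    after = sd.open_channel(tag, host, card)
    return {"issuer_key_len": len(issuer[0].value),
            "wrapped_before": before.wrap(apdu), "wrapped_after": after.wrap(apdu),
            "after_verifies": after.verify(after.wrap(apdu)),
            "old_key_rejected": after.verify(before.wrap(apdu))}
```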
According to one embodiment, Fig. 4A together with Fig. 4B illustrates a flow or process diagram 400 of funding (loading) an e-purse. The process 400 is carried out through the m-commerce path in Fig. 2. To better understand the process 400, Fig. 4C shows, in a representative block diagram 450, the relevant blocks that interact to complete the process 400. Depending on the practical application, the process 400 may be implemented in software, hardware or a combination of both.
Assume a user has a portable device (such as a portable phone) with an e-purse installed. The user wishes to fund the e-purse from a bank account. In step 402, the user enters a personal identification number (PIN). Assuming the PIN is valid, the purse manager in the portable device is activated and initiates a request (also referred to as an over-the-air (OTA) top-up request) in step 404. In step 406, the MIDlet in the portable device sends a request to the e-purse applet; Fig. 4C depicts the communication between the purse manager MIDlet 434 and the e-purse applet 436 in step 406.
In step 408, the e-purse applet generates a response to the MIDlet's request. On receiving the response, the MIDlet sends it to the payment network and server over the cellular communication network. As shown in Fig. 4C, the purse manager MIDlet 434 communicates with the e-purse applet 436 to obtain the response, and the response is immediately sent to the payment network and server 440. In step 410, the process 400 verifies the validity of the response. If the response cannot be verified, the process 400 stops. If the response is verified as valid, the process 400 proceeds to step 412 to check the corresponding account at the bank. If the account exists, a value transfer request is initiated. In step 414, after receiving the request, the bank returns a reply in response to it. In general, the information exchange between the payment network and server and the bank must follow a network protocol (such as the HTTP protocol used on the Internet).
In step 416, the reply returned by the bank is transmitted to the payment network and server. In step 418, the MIDlet extracts the source APDU command from the reply and forwards the command to the e-purse applet. In step 420, the e-purse applet verifies the command; if the command is verified as authorized, the command is sent to the emulator in step 420 and the transaction log is updated at the same time. In step 422, a ticket is generated to form the response (e.g., a response in APDU form) sent to the payment server. In step 424, after receiving the response, the payment server updates its records, sends a success status message to the MIDlet, and saves the APDU response for later checking.
As shown in Fig. 4C, the payment network and server 440 receives the response sent by the purse manager MIDlet 434 and verifies, with the security identity module 444, that the response was originally sent by the authorized e-purse applet 436. After the response is verified, the payment network and server 440 sends a request to the funding bank 442, assuming the user 432 has an account at that bank. The bank can verify and authorize the request, then return an authorization number according to a predetermined message format. After the reply from the bank 442 is received, the payment server 440 sends a network reply to the MIDlet 434 refusing or approving the request.
The purse manager 434 verifies the validity of the network reply (e.g., whether it is in APDU form), then sends a command to the emulator 438 and updates the transaction log. At this point, the e-purse applet 436 has completed the required steps and returns a response to the MIDlet 434, which in turn forwards a network request with the embedded (APDU) response to the payment server 440.
Although the process 400 is described as funding an e-purse, those skilled in the art can readily conclude that the process of purchasing over a network using the e-purse is essentially the same as the process 400, so the purchasing process is not discussed separately here.
According to one embodiment, Fig. 5A illustrates a first exemplary architecture 500 that enables a portable device 530 to conduct e-commerce and m-commerce over a cellular communication network 520 (such as a GPRS network). The portable device 530 comprises a baseband 524 and a secure element 529 (such as a smart card). An example of the portable device is a portable device (such as a portable phone or a personal digital assistant (PDA)) supporting near field communication (NFC). The baseband 524 provides an electronic platform or environment (such as Java Micro Edition (JME) or the Mobile Information Device Profile (MIDP)) on which an application MIDlet 523 and a service manager 522 can execute or run. The secure element 529 includes a GlobalPlatform (GP) card manager 526, an emulator 528 and other components such as a PIN manager (not shown).
To enable the portable device 530 to conduct e-commerce and m-commerce, one or more services/applications must be installed and configured on it in advance. An instance of the service manager 522 (e.g., a MIDlet with a graphical user interface) needs to be activated. In one embodiment, the service manager 522 can be downloaded and installed. In another embodiment, the service manager 522 can be preloaded. Either way, once the service manager 522 is activated, a directory listing including various services is displayed. The directory listing may include service items related to the user's subscription information, and may also include recommended items independent of the user's subscription information. The directory listing can be obtained from the directory repository 502 in the directory server 512. The directory server 512 may serve as a central hub (a yellow pages function) for registrants to the various service providers offering products and/or services (such as installation servers and personalization servers). The yellow pages function of the directory server 512 may include service plan information (such as service fees, start date, end date, etc.) and the locations (such as Internet addresses) for installation, personalization and/or MIDlet download. The installation and personalization processes may be provided by two different commercial entities; for example, the installation process may be provided by the issuer of the secure element 529, and the personalization process may be provided by the service provider holding the application keys for the specific application.
According to one embodiment, the service manager 522 is configured to connect to one or more servers 514 of a service provider through the cellular communication network 520. Assume the user has selected an application from the service catalogue presented to him. A secure channel 518 is established between the one or more servers 514 and the GlobalPlatform manager 526 to install/download the application applet 527 selected by the user, then personalize the application applet 527 and optionally the emulator 528, and finally download the application MIDlet 523. The applet repository 504 and the MIDlet repository 506 provide generic application applets and application MIDlets, respectively. The GlobalPlatform security identity module 516 and the application security identity module 517 are used to establish the secure channel 518 for the personalization operations.
According to another embodiment, Fig. 5B illustrates a second exemplary architecture 540 that enables the portable device 530 to conduct e-commerce and m-commerce over a public network 521. Most components in the second architecture 540 are essentially similar to those in the first architecture 500 of Fig. 5A. The difference is that the first architecture 500 operates over the cellular communication network 520, whereas the second architecture 540 uses the public network 521 (such as the Internet). The public network 521 may include a local area network (LAN), a wide area network (WAN), a WiFi (IEEE 802.11) wireless connection, a WiMax (IEEE 802.16) wireless connection, and so on. To conduct service operations over the public network 521, an instance of the service manager 532 (i.e., an instance functionally the same as or similar to the service manager MIDlet 522) is installed on a computer 538 with access to the public network 521. The computer 538 can be a desktop personal computer (PC), a notebook computer or any other computing device capable of running the instance of the service manager 532 and accessing the public network 521. The connection between the computer 538 and the portable device 530 is made through a contactless reader 534. The service manager 532 acts as an agent to facilitate the installation and personalization process, carried out through the secure channel 519, between the one or more servers 514 of the service provider and the GlobalPlatform card manager 526.
Fig. 5C is a flow chart depicting a process 550 of enabling a portable device to conduct e-commerce and m-commerce according to one embodiment. Depending on the implementation, the process 550 may be implemented in software, hardware or a combination of both. To better understand the process 550, some earlier figures, especially Fig. 5A and Fig. 5B, are referenced in the following description.
Before the process 550 starts, an instance of the service manager 522 or 532 has been downloaded to or preloaded on the portable device 530 or the computer 538. In step 552, the service manager is activated and sends a service request to the server 514 of the service provider. After the user is identified and the portable device is verified as valid, in step 554 the process 550 provides a directory listing of services/applications according to the subscription information of the user of the portable device 530. For example, the list may include a mobile point-of-sale application, an e-purse application, an e-ticketing application and other commercial services. A service/application is then selected from the directory listing. For example, the e-purse or the mobile point of sale may be selected to provision the portable device 530. In response to the user's selection, the process 550 downloads and installs the selected service/application in step 556. For example, the e-purse applet (i.e., the application applet 527) is downloaded from the applet repository 504 and installed in the secure element 529. The path for the download or installation may be the secure channel 518 or 519. In step 558, if needed, the process 550 personalizes the downloaded application applet and the emulator 528. Some downloaded application applets do not need to be personalized, while others do. In one embodiment, a mobile point-of-sale application applet (the "point of sale security identity module (POS SAM)") needs to be personalized, in which case the following information or data set must be provided:
(a) a unique security identity module ID based on the unique identifier of the underlying secure element;
(b) a set of debit master keys;
(c) a transformed message encryption key;
(d) a transformed message authentication key;
(e) the maximum length allowed for the remarks field of each offline transaction;
(f) a transformed batch transaction key; and
(g) a GlobalPlatform personal identification number (GP PIN).
In another embodiment, when the e-purse applet is personalized for a single-function card, not only must the specific data (i.e., the personal identification number, the transformed keys, the start date, the end date, etc.) be configured in the e-purse, but the emulator must also be set up to work in an open system. Finally, in step 560, the process 550 downloads and launches the application MIDlet 523 according to the selection. Some personal data in the application applet can be accessed and displayed, or provided by the user. The process 550 ends after all service/application components have been downloaded, installed and personalized.
According to one embodiment, an exemplary process by which the portable device 530 can be used as a mobile point of sale is as follows:
(a) access the installation server (i.e., a server 514 of the service provider) and request the server to establish a first secure channel (such as secure channel 518) connecting the distributor's domain (i.e., the applet repository 504) and the GlobalPlatform card manager 526 running on the secure element 529;
(b) receive one or more network messages that encapsulate a number of APDU requests for the point-of-sale security identity module applet (for example, from a Java CAP file in the applet repository 504);
(c) extract the APDU requests from the received network messages;
(d) send the extracted APDU requests, in the correct order, to the GlobalPlatform card manager 526 to install the point-of-sale security identity module (i.e., the application applet 527) on the secure element 529;
(e) access the personalization server (i.e., a server 514 of the service provider) to open a second secure channel (which may or may not be secure channel 518, depending on the server and/or path) between the personalization server and the newly downloaded applet (i.e., the point-of-sale security identity module);
(f) receive one or more network messages, each carrying one or more "STORE DATA APDUs";
(g) extract and send the "STORE DATA APDUs" to personalize the point-of-sale security identity module; and
(h) download and launch the point-of-sale manager (i.e., the application MIDlet 523).
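Steps (b) through (d) and (f) through (g), as an added example that is not the patent's code: a constructed network message carrying STORE DATA APDUs, the extraction that restores their order, and a mock card manager that only accepts blocks in sequence. The JSON layout is an assumption; the STORE DATA encoding (CLA 80, INS E2, P1 bit 8 marking the last block, P2 the block number) follows GlobalPlatform and is used here as assumed.

```python
"""Added example, not from the patent: steps (b)-(d) and (f)-(g) above. A
constructed network message carries STORE DATA APDUs out of order; the
client extracts them, restores the order and feeds a mock card manager that
enforces the block sequence. The JSON layout is an assumption; the STORE
DATA encoding (CLA 80, INS E2, P1 bit 8 = last block, P2 = block number)
follows GlobalPlatform and is used as assumed here."""
import json
from dataclasses import dataclass

STORE_DATA_INS = 0xE2
LAST_BLOCK = 0x80
MAX_DATA = 255          # largest single-byte Lc of a short APDU


@dataclass(frozen=True)
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes

    @classmethod
    def parse(cls, raw: bytes) -> "Apdu":
        """Parse a short command APDU: CLA INS P1 P2 [Lc data]."""
        if len(raw) < 4:
            raise ValueError("APDU shorter than its 4-byte header")
        cla, ins, p1, p2 = raw[:4]
        body = raw[4:]
        if not body:
            return cls(cla, ins, p1, p2, b"")
        lc, data = body[0], body[1:]
        if lc == 0 or len(data) != lc:
            raise ValueError(f"Lc={lc} does not match {len(data)} data bytes")
        return cls(cla, ins, p1, p2, data)

    def to_bytes(self) -> bytes:
        head = bytes([self.cla, self.ins, self.p1, self.p2])
        return head + (bytes([len(self.data)]) + self.data if self.data else b"")


def build_store_data(blob: bytes, block_size: int = MAX_DATA) -> list:
    """Split personalization data into numbered STORE DATA blocks (server side)."""
    blocks = [blob[i:i + block_size] for i in range(0, len(blob), block_size)]
    last = len(blocks) - 1
    return [Apdu(0x80, STORE_DATA_INS, LAST_BLOCK if n == last else 0x00, n, b)
            for n, b in enumerate(blocks)]


def make_message(apdus: list, order: list) -> str:
    """Constructed network message; `order` lets the demo shuffle delivery."""
    return json.dumps({"apdus": [{"seq": i, "apdu": apdus[i].to_bytes().hex()}
                                 for i in order]})


def extract_apdus(message: str) -> list:
    """Step (c): pull the APDUs out of a message and restore their order."""
    items = json.loads(message)["apdus"]
    seqs = sorted(item["seq"] for item in items)
    if seqs != list(range(len(seqs))):
        raise ValueError(f"missing or duplicated sequence numbers: {seqs}")
    ordered = sorted(items, key=lambda item: item["seq"])
    return [Apdu.parse(bytes.fromhex(item["apdu"])) for item in ordered]


class MockCardManager:
    """Accepts STORE DATA blocks only in sequence and marks the applet
    personalized once the last block arrives (constructed, not a real card)."""

    def __init__(self):
        self.expected_block = 0
        self.received = bytearray()
        self.state = "INSTALLED"

    def process(self, apdu: Apdu) -> str:
        if apdu.ins != STORE_DATA_INS:
            return "6D00"               # instruction not supported
        if self.state == "PERSONALIZED" or apdu.p2 != self.expected_block:
            return "6985"               # conditions of use not satisfied
        self.received += apdu.data
        self.expected_block += 1
        if apdu.p1 & LAST_BLOCK:
            self.state = "PERSONALIZED"
        return "9000"


def personalize(message: str, card: MockCardManager) -> list:
    """Steps (c) and (g): extract and send every STORE DATA APDU in order."""
    return [card.process(a) for a in extract_apdus(message)]
```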
Fig. 6A illustrates a representative architecture 600 according to a specific embodiment of the present invention, in which a portable device 630 serves as a mobile point of sale to carry out e-commerce and m-commerce. The portable device 630 consists of a baseband 624 and a secure element 629. A point of sale manager 623 is downloaded and installed in the baseband 624, and a point of sale security identity module 628 is personalized and installed in the secure element 629, so that the portable device 630 can take the role of a mobile point of sale. A real-time transaction 639 can then be carried out between the portable device 630 acting as a mobile point of sale and an electronic-token-enabled device 636 (such as a single-function card, or a mobile device that supports an electronic purse). The electronic token held in the device may represent e-money, an e-coupon, an e-ticket, an e-voucher, or any other form of payment token.
The real-time transaction 639 can be carried out offline (that is, without the portable device accessing the back-end point of sale transaction processing server 613). In certain situations, however, for example when the transaction volume has exceeded a predetermined threshold, when the electronic-token-enabled device 636 needs to be topped up or virtually topped up, or when transactions (single or batched) are being uploaded, the portable device 630 accesses the back-end point of sale transaction processing server 613 through the cellular network 520.
The accumulated offline transaction records need to be uploaded to the back-end point of sale transaction processing server 613 for processing. The upload operation is performed by the portable device 630 accessing the point of sale transaction processing server 613 through the secure channel 618. As with the installation and personalization processes described above, the upload operation can be performed via two different routes: the cellular communications network 520, or the public network 521. Fig. 6A depicts the first route.
The second route is shown in Fig. 6B, which illustrates a representative architecture 640 according to a specific embodiment of the present invention, in which the portable device 630 acts as a mobile point of sale and performs a batch upload of transactions over the public network 521. The offline transaction records of the mobile point of sale are generally kept in a stacked transaction log in the point of sale security identity module 628. The transaction log is read by a contactless reader 634 and stored in a point of sale agent 633 installed on a computer 638. The point of sale agent 633 in turn accesses the point of sale transaction processing server 613 through the secure channel 619 over the public network 521. Each upload operation, comprising one or more transaction records, is marked as a separate batch upload operation. The data communication among the point of sale security identity module 628, the contactless reader 634 and the point of sale agent 632 is in APDU form and carries the transaction records, whereas network messages encapsulating APDUs (such as HTTP) are used for the communication between the point of sale agent 632 and the point of sale transaction processing server 613.
In a specific embodiment, a representative batch upload process, driven by the point of sale manager 623 or the point of sale agent 633, comprises:
(a) sending a request to the point of sale security identity module 628 to initiate a batch upload operation;
(b) after the point of sale security identity module 628 has agreed to the batch upload request, fetching the accumulated transaction records from the point of sale security identity module 628 in the form of APDU commands, as a marked "batch" or "group";
(c) creating one or more network messages containing the fetched APDU commands;
(d) sending the one or more network messages to the point of sale transaction processing server 613 through the secure channel 619;
(e) receiving a confirmation signature message from the point of sale transaction processing server 613;
(f) transferring the confirmation signature message, in APDU form, to the point of sale security identity module 628 for verification, and then deleting the transaction records confirmed as uploaded; and
(g) if there are still transaction records in the same "batch" or "group" that have not been uploaded, repeating steps (b) to (f).
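The batch upload of steps (a) to (g), as an added working example that is not part of the original specification. The security-relevant point is in step (f): the point of sale security identity module deletes a record only after it has verified the server's confirmation signature and checked that the confirmed record identifiers match the batch it handed out, so a forged or mismatched acknowledgement leaves the log untouched. The signature scheme (HMAC-SHA256 under a key shared by the server and the module), the JSON message format and the plain-dict records standing in for APDUs are assumptions of the example.

```python
"""Batch upload, steps (a)-(g), with a signed acknowledgement that the POS
SAM verifies before deleting records. Added example; the key and message
formats are assumptions (see lead-in)."""
from __future__ import annotations

import hashlib
import hmac
import json

# Assumption: the "confirmation signature" is an HMAC-SHA256 over the sorted
# record IDs under a key shared by the server and the SAM. The specification
# does not fix the signature scheme.
ACK_KEY = b"constructed-shared-ack-key"


def sign_ack(key: bytes, ids: list[str]) -> bytes:
    return hmac.new(key, json.dumps(sorted(ids)).encode(), hashlib.sha256).digest()


class PosSam:
    """Simulated POS security identity module with a stacked transaction log.
    Records are plain dicts here; the specification exchanges them as APDUs."""

    def __init__(self, records: list[dict], batch_size: int = 2) -> None:
        self.log = list(records)           # oldest record first
        self.batch_size = batch_size
        self.open_batch: list[dict] | None = None

    def begin_batch(self) -> bool:                         # step (a)
        return self.open_batch is None and bool(self.log)

    def fetch_batch(self) -> list[dict]:                   # step (b)
        self.open_batch = self.log[: self.batch_size]
        return list(self.open_batch)

    def confirm(self, ack: dict) -> bool:                  # step (f)
        """Verify the signed acknowledgement, then delete the confirmed
        records. On any mismatch nothing is deleted: the records stay in the
        log and are offered again in the next upload."""
        if self.open_batch is None:
            return False
        batch, self.open_batch = self.open_batch, None
        expected = sign_ack(ACK_KEY, ack["ids"])
        if not hmac.compare_digest(expected, bytes.fromhex(ack["sig"])):
            return False
        confirmed = set(ack["ids"])
        if confirmed != {r["id"] for r in batch}:
            return False
        self.log = [r for r in self.log if r["id"] not in confirmed]
        return True


class TransactionServer:
    """Simulated back-end point of sale transaction processing server."""

    def __init__(self) -> None:
        self.received: list[dict] = []

    def upload(self, message: str) -> dict:                # steps (d)-(e)
        batch = json.loads(message)["records"]
        self.received.extend(batch)
        ids = [r["id"] for r in batch]
        return {"ids": ids, "sig": sign_ack(ACK_KEY, ids).hex()}


def batch_upload(sam: PosSam, server: TransactionServer) -> int:
    """Steps (a)-(g) from the POS manager/agent side.
    Returns the number of records confirmed by the server and deleted."""
    if not sam.begin_batch():
        return 0
    confirmed = 0
    while sam.log:                                         # step (g)
        batch = sam.fetch_batch()
        message = json.dumps({"records": batch})           # step (c)
        ack = server.upload(message)                       # steps (d)-(e)
        if not sam.confirm(ack):                           # step (f)
            break                                          # keep records, retry later
        confirmed += len(batch)
    return confirmed


# Constructed sample log of three offline transactions (amounts in cents).
RECORDS = [
    {"id": "t1", "amount": 500},
    {"id": "t2", "amount": 250},
    {"id": "t3", "amount": 120},
]

if __name__ == "__main__":
    sam, server = PosSam(RECORDS), TransactionServer()
    print("confirmed:", batch_upload(sam, server), "left in SAM:", len(sam.log))
```

Deleting only what the verified acknowledgement names, rather than the whole fetched batch, is what keeps the log consistent when a network message is lost between steps (d) and (e): the unconfirmed records are simply re-sent in the next batch.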
Fig. 6C is a flowchart depicting, according to a specific embodiment of the present invention, a process 650 for carrying out m-commerce using a portable device 630 serving as a mobile point of sale and an electronic-token-enabled device 636 in the form of a single-function card. For ease of understanding, process 650 is preferably studied together with the preceding figures, in particular Figs. 6A and 6B. Process 650 may be implemented in software, hardware, or a combination of both.
Process 650 (for example, the process performed by the point of sale manager 623 in Fig. 6A) is activated when the holder of an electronic-token-enabled device (such as a Mifare card, or a portable phone that supports an electronic purse and emulates a single-function card) wishes to purchase goods or subscribe to a service through the mobile point of sale (i.e., the portable device 630). In step 652, the portable device 630 reads the electronic-token-enabled device and fetches the electronic token (for example the tag ID of the Mifare card). Process 650 then verifies, in step 654, whether the fetched electronic token is valid. If the electronic-token-enabled device 636 of Fig. 6A is a single-function card (for example a Mifare card), the verification process performed by the point of sale manager 623 comprises: (i) reading the card identifier (ID) of the card, which is kept in an area that is either unprotected or protected only by a known key; (ii) sending a request containing the card ID to the point of sale security identity module 628; and (iii) receiving one or more converted keys (for example keys derived using a transaction count, issuer data, etc.) generated by the point of sale security identity module 628. If the received converted keys are invalid, the fetched electronic token is invalid and process 650 terminates. Otherwise, process 650 proceeds along the "yes" branch to step 656, where it determines whether the fetched electronic token holds a sufficient balance to pay for the current transaction. If the result of step 656 is "no", process 650 may, in step 657, offer the holder the option of topping up (i.e., loading, injecting or funding) the electronic token. If the holder declines the offer, process 650 ends. If instead the holder chooses to top up the electronic-token-enabled device in real time, process 650 performs a top-up or virtual top-up operation in step 658, after which process 650 returns to step 656. When the electronic token holds a sufficient balance, process 650 deducts or debits, in step 660, the amount required to pay for the purchase from the electronic token of the electronic-token-enabled device 636. In the case of a single-function card, the one or more converted keys are used to authorize the deduction operation. Finally, in step 662, the one or more offline transaction records accumulated in the point of sale security identity module 628 are uploaded to the point of sale transaction processing server 613 for processing. The upload operation may be carried out as a single transaction or as a batch of transactions, over the cellular communications network 520 or the public network 521.
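Steps 652 to 660 of process 650 for a single-function card, as an added working example that is not part of the original specification. The card ID is readable by anyone, so it cannot by itself prove the card is genuine; what step 654 relies on is that only the point of sale security identity module can turn that ID into the card's key. The example models that with key diversification: the module holds an issuer master key, derives the card key from the card ID and issuer data, and binds each authorization to the card's transaction count, so a card from another issuer fails verification and a captured authorization cannot be replayed. The derivation function (HMAC-SHA256), the challenge-response between reader and card, and the modelling of the step 657 top-up as a simple credit are assumptions of the example; the specification names the inputs but not the construction.

```python
"""Process 650 (steps 652-660) for a single-function card: the POS SAM
derives the card key from the public card ID and authorizes the debit.
Added example; the derivation and the challenge-response are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os

# Assumption: the issuer master key lives only in the POS SAM; card keys are
# diversified from it with the card ID and issuer data; the transaction count
# binds each authorization to a single debit or credit.
ISSUER_DATA = b"constructed-issuer-01"
MASTER_KEY = b"constructed-issuer-master-key"
GOOD_ID = bytes.fromhex("04A1B2C3")      # constructed card IDs
FOREIGN_ID = bytes.fromhex("04112233")


def diversify(master_key: bytes, card_id: bytes, issuer: bytes) -> bytes:
    """Card-specific key derived from the master key, card ID and issuer data."""
    return hmac.new(master_key, card_id + issuer, hashlib.sha256).digest()


def auth_response(card_key: bytes, nonce: bytes, tx_count: int) -> bytes:
    """Per-transaction authorization over the card nonce and counter."""
    return hmac.new(card_key, nonce + tx_count.to_bytes(4, "big"), hashlib.sha256).digest()


class SingleFunctionCard:
    """Simulated Mifare-style card: readable ID, value block, one secret key."""

    def __init__(self, card_id: bytes, balance: int, key: bytes) -> None:
        self.card_id, self.balance, self._key = card_id, balance, key
        self.tx_count = 0
        self._nonce: bytes | None = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(8)
        return self._nonce

    def verify(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        return hmac.compare_digest(auth_response(self._key, self._nonce, self.tx_count), response)

    def _apply(self, delta: int, response: bytes) -> bool:
        if not self.verify(response) or self.balance + delta < 0:
            return False
        self.balance += delta
        self.tx_count += 1
        self._nonce = None                 # one authorization per challenge
        return True

    def debit(self, amount: int, response: bytes) -> bool:
        return self._apply(-amount, response)

    def credit(self, amount: int, response: bytes) -> bool:
        return self._apply(amount, response)


class PosSam:
    """Simulated POS security identity module holding the master key."""

    def __init__(self, master_key: bytes, issuer: bytes) -> None:
        self._master, self._issuer = master_key, issuer
        self.records: list[dict] = []      # offline log, uploaded in step 662

    def converted_key(self, card_id: bytes, nonce: bytes, tx_count: int) -> bytes:
        """Step 654 (iii): the 'converted key' handed back to the manager."""
        return auth_response(diversify(self._master, card_id, self._issuer), nonce, tx_count)

    def record(self, card_id: bytes, amount: int) -> None:
        self.records.append({"card": card_id.hex(), "amount": amount})


def purchase(sam: PosSam, card: SingleFunctionCard, price: int, topup: int = 0) -> str:
    """Steps 652-660 as run by the POS manager. A positive `topup` models
    the holder accepting the step 657 offer for that amount."""
    card_id = card.card_id                                              # step 652
    key = sam.converted_key(card_id, card.challenge(), card.tx_count)   # step 654
    if not card.verify(key):
        return "invalid_token"
    if card.balance < price:                                            # step 656
        if topup <= 0:                                                  # step 657
            return "insufficient_balance"
        if not card.credit(topup, key):                                 # step 658
            return "topup_failed"
        key = sam.converted_key(card_id, card.challenge(), card.tx_count)
        if card.balance < price:
            return "insufficient_balance"
    if not card.debit(price, key):                                      # step 660
        return "debit_failed"
    sam.record(card_id, price)
    return "debited"


if __name__ == "__main__":
    sam = PosSam(MASTER_KEY, ISSUER_DATA)
    good = SingleFunctionCard(GOOD_ID, 1000, diversify(MASTER_KEY, GOOD_ID, ISSUER_DATA))
    print(purchase(sam, good, 300), good.balance, sam.records)
```

Because the counter advances on every successful debit or credit, the authorization computed before a top-up is no longer valid afterwards, which is why the example asks the module for a fresh converted key before the final debit.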
The top-up operation mentioned above is described by process 400 in Fig. 4A. A virtual top-up operation is a specific type of top-up operation, typically used by a sponsor or donor to raise the credit limit of an electronic token. To use a virtual top-up operation, the sponsor needs to set up an account, for example an online account provided by a commercial entity (such as a business or a bank), and bind that account to the electronic-token-enabled device (for example a single-function card, a multi-function card, or a portable phone supporting electronic tokens). Once the sponsor has loaded electronic tokens into the online account, the holder of the electronic-token-enabled device can receive the electronic tokens from the online account when accessing a mobile point of sale. Several different security measures are taken to ensure that the virtual top-up operation is secure and reliable. A representative application of virtual top-up is a parent (i.e., the sponsor) loading electronic tokens into an online account that is linked to the portable phone (i.e., the electronic-token-enabled device) of a child (i.e., the device holder), so that when the child makes a purchase at a mobile point of sale, the child receives the electronic tokens that were loaded. In addition to the various e-commerce and m-commerce functions described herein, the point of sale manager 623 is also configured to provide a number of query operations, for example: (a) viewing the accumulated revenue and expenditure records in the point of sale security identity module that have not yet been batched (i.e., not uploaded); (b) listing the un-batched transaction log in the point of sale security identity module; (c) displaying the details of a particular transaction kept in the point of sale security identity module; (d) viewing the current balance of the electronic-token-enabled device; (e) listing the transaction log of the electronic-token-enabled device; and (f) displaying the details of a particular transaction of the electronic-token-enabled device.
The flowchart in Fig. 6D depicts, according to a specific embodiment of the present invention, a representative process 670 for carrying out m-commerce using a portable device 630 that can serve as a mobile point of sale and an electronic-token-enabled device 636 in the form of a multi-function card. For ease of understanding, process 670 is preferably studied together with the preceding figures, in particular Figs. 6A and 6B. Process 670 may be implemented in software, hardware, or a combination of both.
Process 670 (for example, the process performed by the point of sale manager 623 in Fig. 6A) is activated when the holder of an electronic-token-enabled device 636 (such as a multi-function card, or a portable phone that supports an electronic purse and emulates a multi-function card) wishes to purchase goods or subscribe to a service through the mobile point of sale (i.e., the portable device 630). In step 672, process 670 sends an initial purchase request to the electronic-token-enabled device 636; the purchase amount is sent together with the initial purchase request (for example as an order). Process 670 then proceeds to decision step 674. When there is not enough balance in the electronic-token-enabled device 636, the point of sale manager 623 receives a response rejecting the initial purchase request, and process 670 ends because the purchase request has been rejected. If there is enough balance in the electronic-token-enabled device 636, the result of decision step 674 is "yes" and process 670 proceeds along the "yes" branch to step 676, where the reply (for example an APDU command) received from the electronic-token-enabled device 636 is forwarded to the point of sale security identity module 628. The information in the reply includes the version of the electronic token key and a random number that will be used to establish a secure channel between the applet on the electronic-token-enabled device 636 (for example an electronic purse applet) and the point of sale security identity module 628 installed in the portable device 630. Then, in step 678, process 670 receives the debit request (for example an APDU command) generated by the point of sale security identity module 628 in response to the forwarded reply (i.e., the reply of step 676). The debit request includes a message authentication code (MAC) so that the applet (i.e., the electronic purse applet) can verify the debit operation that is about to be carried out in response to the debit request sent in step 680. Process 670 advances to step 682, where it receives an acknowledgement message for the debit operation. The acknowledgement message contains additional message authentication codes to be verified and processed by the point of sale security identity module 628 and by the point of sale transaction processing server 613, respectively. Next, in step 684, the debit acknowledgement message is forwarded to the point of sale security identity module 628 for verification. Once the message authentication code has been verified as valid and the purchase transaction has been recorded in the point of sale security identity module 628, the recorded transaction is displayed in step 686, and process 670 ends. It should be noted that the foregoing e-commerce transaction can be carried out either offline or online with the point of sale transaction processing server 613. When the balance in the electronic-token-enabled device is insufficient, a top-up or funding operation can be performed according to process 400 described in Figs. 4A and 4B.
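The exchange of process 670 (steps 672 to 686) among the point of sale manager, the electronic purse applet and the point of sale security identity module, as an added working example that is not part of the original specification. It shows the three MAC checks the text describes: the applet verifies the MAC on the debit request before touching the balance, the module verifies its MAC on the acknowledgement before recording the transaction, and the acknowledgement's second MAC is stored with the record for the back-end server to verify later. Purse keys indexed by key version and shared between applet and module, a separate applet-to-server key, session keys derived from the card's random number, and HMAC-SHA256 truncated to 8 bytes are all assumptions of the example; the specification names only the key version, the random number and the MACs.

```python
"""Process 670 (steps 672-686): MAC-protected debit between an electronic
purse applet and the POS SAM, orchestrated by the POS manager.
Added example; key management and MAC construction are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os

# Assumptions: purse keys are indexed by key version and shared between the
# applet and the SAM; the server key is shared between the applet and the
# back-end; MACs are HMAC-SHA256 truncated to 8 bytes.
PURSE_KEYS = {1: b"constructed-purse-key-v1"}
SERVER_KEY = b"constructed-purse-server-key"


def session_key(purse_key: bytes, rand: bytes) -> bytes:
    """Secure-channel session key from the purse key and the card's random number."""
    return hmac.new(purse_key, b"session" + rand, hashlib.sha256).digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]


class EPurseApplet:
    """Simulated electronic purse applet on the token-enabled device 636."""

    def __init__(self, balance: int, key_version: int = 1,
                 purse_key: bytes = PURSE_KEYS[1]) -> None:
        self.balance, self.key_version, self._key = balance, key_version, purse_key
        self._session: bytes | None = None

    def purchase_request(self, amount: int) -> dict | None:     # steps 672/674
        if amount > self.balance:
            return None                                         # request rejected
        rand = os.urandom(8)
        self._session = session_key(self._key, rand)
        return {"key_version": self.key_version, "rand": rand}

    def debit(self, req: dict) -> dict | None:                  # steps 680/682
        if self._session is None:
            return None
        body = req["tx"] + req["amount"].to_bytes(4, "big")
        if not hmac.compare_digest(mac(self._session, b"debit", body), req["mac"]):
            return None                                         # bad MAC: no debit
        if req["amount"] > self.balance:
            return None
        self.balance -= req["amount"]
        session, self._session = self._session, None            # one debit per session
        ack = req["tx"] + self.balance.to_bytes(4, "big")
        return {"tx": req["tx"], "balance": self.balance,
                "mac_sam": mac(session, b"ack", ack),            # for the SAM
                "mac_server": mac(SERVER_KEY, b"ack", ack)}      # for the back-end


class PosSam:
    """Simulated point of sale security identity module 628."""

    def __init__(self) -> None:
        self._session: bytes | None = None
        self.records: list[dict] = []

    def open_channel(self, reply: dict) -> bool:                # step 676
        key = PURSE_KEYS.get(reply["key_version"])
        if key is None:
            return False                                        # unknown key version
        self._session = session_key(key, reply["rand"])
        return True

    def debit_request(self, amount: int) -> dict:               # step 678
        if self._session is None:
            raise ValueError("no secure channel")
        tx = os.urandom(4)
        body = tx + amount.to_bytes(4, "big")
        return {"tx": tx, "amount": amount, "mac": mac(self._session, b"debit", body)}

    def verify_ack(self, ack: dict, amount: int) -> bool:       # step 684
        if self._session is None:
            return False
        body = ack["tx"] + ack["balance"].to_bytes(4, "big")
        if not hmac.compare_digest(mac(self._session, b"ack", body), ack["mac_sam"]):
            return False
        # The server's MAC is kept with the record so the back-end can verify
        # the same acknowledgement when the transaction is uploaded.
        self.records.append({"tx": ack["tx"].hex(), "amount": amount,
                             "mac_server": ack["mac_server"].hex()})
        self._session = None
        return True


def purchase(sam: PosSam, card: EPurseApplet, amount: int) -> str:
    """Point of sale manager 623 side of process 670."""
    reply = card.purchase_request(amount)                       # step 672
    if reply is None:
        return "rejected"                                       # step 674
    if not sam.open_channel(reply):                             # step 676
        return "unknown_key_version"
    req = sam.debit_request(amount)                             # step 678
    ack = card.debit(req)                                       # steps 680/682
    if ack is None:
        return "debit_failed"
    if not sam.verify_ack(ack, amount):                         # step 684
        return "ack_invalid"
    return "debited"                                            # step 686


if __name__ == "__main__":
    card, sam = EPurseApplet(1000), PosSam()
    print(purchase(sam, card, 300), card.balance, sam.records)
```

The manager only relays messages; it never holds a key, so an altered amount between steps 678 and 680 fails the applet's MAC check and leaves the balance unchanged, which is the property the specification attributes to the MAC on the debit request.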
Fig. 7 illustrates a representative setting in which the portable device is used for an electronic ticketing application. A portable device 730 is configured to include an electronic purse 724. When the owner or holder of the portable device 730 wishes to purchase a ticket to attend a particular event (for example a concert ticket or a ticket to a ball game), the owner can use the electronic purse 724 to book the ticket with an electronic ticket service provider 720. The electronic ticket service provider 720 may contact a traditional box office reservation system 716 or an online ticketing application 710 to reserve and purchase the ticket. Electronic tokens (for example e-money) are then deducted from the electronic purse 724 of the portable device 730 to pay the purchase price of the ticket to a credit/debit system 714 (for example a financial institution or a bank). A security identity module 718 is accessed by the electronic ticket service provider 720 to ensure that the electronic purse 724 in the portable device 730 is properly authenticated. After payment confirmation is received, the electronic ticket is transmitted over the air (for example over the cellular communications network) to the portable device 730 and stored in electronic form on the secure element 726, for example as an electronic ticket code, key or password. Later, when the owner of the portable device 730, i.e., the holder of the electronic ticket, attends the event, the ticket holder only needs to let an entrance check-in reader 734 read the electronic ticket code or key kept in the portable device 730. In a specific embodiment, the entrance check-in reader 734 is a contactless reader (for example a proximity coupling device conforming to ISO 14443), and the portable device 730 is a mobile phone supporting near field communication (NFC).
The present invention is preferably implemented in software, but may also be implemented in hardware or in a combination of hardware and software. The present invention may also be embodied as computer-readable code on a computer-readable medium. The computer-readable medium is any data storage device that can store data which can thereafter be read by a computer system. Examples of computer-readable media include read-only memory, random-access memory, CD-ROMs, DVDs, magnetic tape, optical data storage devices, and carrier waves. The computer-readable medium can also be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.
The foregoing description fully discloses specific embodiments of the present invention. It should be pointed out that any changes made to the specific embodiments of the present invention by those skilled in the art do not depart from the scope of the claims of the present invention. Accordingly, the scope of the claims of the present invention is not limited to the foregoing embodiments.