Summary of the invention
The technical problem to be solved by this invention is to provide a USBKEY service implementation method and system that improve the security and reliability of the USBKEY.
To solve the above technical problem, the invention discloses a method for implementing a U-shield (USBKEY) service, comprising:
When a user initiates a transaction request in the USBKEY service system, the USBKEY service system encrypts the transaction request data with the public key of the USBKEY to obtain A, and at the same time encrypts the transaction request data with the shared key K1 of the data-SMS encryption/decryption protocol jointly formulated by the bank and the telecom operator to obtain EA; A and EA are concatenated and sent to the Subscriber Identity Module (SIM) card bound to the USBKEY;
The SIM card receives the data, decrypts the EA part with K1 and displays it to the mobile phone user. When the user confirms that the transaction information is true, the SIM card encrypts the A part of the data with the shared key K2 of the encryption/decryption protocol negotiated between the USBKEY service system and the telecom operator, and returns it to the USBKEY service system. The USBKEY service system decrypts the data returned by the SIM card with K2 to obtain A, then decrypts A using the public key of the USBKEY to obtain the plaintext data, and compares it with the request that was sent, thereby completing the transaction.
Optionally, the above method further comprises:
When the user applies for the USBKEY service, the USBKEY is bound one-to-one with a SIM card that has a data encryption function, where the binding information comprises the USBKEY identifier, the shared key K1 of the data-SMS encryption/decryption protocol jointly formulated by the bank and the telecom operator, and the shared key K2 of the encryption/decryption protocol negotiated between the USBKEY and the telecom operator.
Optionally, in the above method, binding the USBKEY one-to-one with the SIM card that has a data encryption function comprises:
Using the remote card-writing service function of the telecom operator to write into the SIM card the identification number (ID) of the USBKEY the user has applied for, the telecom data, and the K1 and K2 data corresponding to the ID of this USBKEY.
Optionally, in the above method, the transaction request data comprises at least a time string, an address string, a transaction-information string and an anti-replay-attack string.
The invention also discloses a system for implementing a U-shield (USBKEY) service, comprising a USBKEY service system platform and a Subscriber Identity Module (SIM) card with a data encryption function that is bound one-to-one with the user's USBKEY:
The USBKEY service system platform receives a transaction request initiated by the user, encrypts the transaction request data with the public key of the USBKEY to obtain A, and at the same time encrypts the transaction request data with the shared key K1 of the data-SMS encryption/decryption protocol jointly formulated by the bank and the telecom operator to obtain EA; it concatenates A and EA and sends them to the SIM card bound to the USBKEY. Using the shared key K2 of the encryption/decryption protocol negotiated between the USBKEY service system platform and the telecom operator, it decrypts the data returned by the SIM card to obtain A, then decrypts A using the public key of the USBKEY to obtain the plaintext data, and compares it with the request that was sent, thereby completing the transaction;
The SIM card receives the data sent by the USBKEY service system platform, decrypts the EA part of the data with K1 and displays it to the mobile phone user. When the user confirms that the transaction information is true, it encrypts the A part of the data with the shared key K2 of the encryption/decryption protocol negotiated between the USBKEY service system platform and the telecom operator, and returns it to the USBKEY service system platform.
Optionally, in the above system, when the user applies for the USBKEY service, the USBKEY service system platform binds the USBKEY one-to-one with a SIM card that has a data encryption function, where the binding information comprises the USBKEY identifier, the shared key K1 of the data-SMS encryption/decryption protocol jointly formulated by the bank and the telecom operator, and the shared key K2 of the encryption/decryption protocol negotiated between the USBKEY and the telecom operator.
Optionally, in the above system, binding the USBKEY one-to-one with the SIM card that has a data encryption function comprises:
Using the remote card-writing service function of the telecom operator to write into the SIM card the identification number (ID) of the USBKEY the user has applied for, the telecom data, and the K1 and K2 data corresponding to the ID of this USBKEY.
Optionally, in the above system, the transaction request data comprises at least a time string, an address string, a transaction-information string and an anti-replay-attack string.
When a user handles a transaction, the technical scheme of this application combines SIM technology with the first-generation USBKEY for authentication, and solves the following problems:
The transaction information is displayed on the user's mobile phone, so that what the user sees is what the user signs;
Encryption and decryption are performed one-to-one with the USBKEY, which ensures the security of data transmission.
Brief description of the drawings
Fig. 1 is a schematic diagram of the USBKEY proposed by the present invention;
Fig. 2 is an architecture diagram of the USBKEY authentication system proposed by the present invention;
Fig. 3 is a flow chart of the USBKEY authentication proposed by the present invention.
Embodiment
To make the object, technical solutions and advantages of the present invention clearer, the technical solution of the present invention is described in further detail below with reference to the accompanying drawings. It should be noted that, where they do not conflict, the embodiments of this application and the features in the embodiments may be combined with one another arbitrarily.
Embodiment 1
The applicant proposes that a liquid crystal display and buttons can be added to the first-generation USBKEY to form a second-generation USBKEY, whose appearance is shown in Fig. 1. In addition, existing SIM technology is combined with this USBKEY, so that using the USBKEY gains a user key-press confirmation action, which is safe, reliable and simple to use.
Based on the above idea, this embodiment provides a USBKEY service implementation method. The method relies on the network architecture shown in Fig. 2 and specifically comprises the following operations:
Step 1: configuration;
Specifically, the configuration comprises: the bank and the telecom operator jointly formulate the data-SMS encryption/decryption protocol and the shared key K1;
The USBKEY and the telecom operator negotiate an encryption/decryption protocol (such as encryption with a MAC) and the shared key K2;
Step 2: binding the USBKEY to the user's mobile phone;
Specifically, when the user applies for the USBKEY service, a mobile phone number with a data encryption function must be bound;
A data processing module is added, whose main functions are: storing key K1, assembling data according to the protocol, and delivering it through a designated access number to the bound mobile phone number;
First-generation USBKEY with a data decryption function: the point of modification is that the COS part needs to add storage of K2.
User mobile phone SIM card with data encryption and decryption functions: this is a SIM card that must be customized by the carrier; it stores keys K1 and K2 and can decrypt data SMS messages.
Because this embodiment implements one key per user between the USBKEY and the SIM card, while the USBKEY is applied for at the bank and the SIM card is handled at the operator's business hall, this embodiment proposes using the remote card-writing service function of each telecom operator to put the key of the user's USBKEY in one-to-one correspondence with the SIM card. The precondition is that the ID of the USBKEY and the corresponding K1 and K2 are shared with the telecom operator. The specific flow is as follows:
The user opens online banking at the bank and applies for a USBKEY; each USBKEY has its unique identification ID number printed on it, and the user's mobile phone number must be bound at the same time;
If the user already has a mobile phone number, the user needs to go to the telecom operator to handle a card-replacement service and keep the original number. Through the operator's remote card-writing platform, the original SIM card is replaced with a SIM card that has data encryption and decryption functions; the remote card-writing service obtains the ID of the USBKEY the user has applied for, and writes the telecom data and the K1 and K2 data corresponding to this ID into the card;
If the user does not have a mobile phone number, the basic operation is similar to the second step. The difference is that the service handled is opening a new account rather than replacing a card, and after the card is issued the USBKEY and the user's mobile phone number must be bound through a bank channel (telephone, online banking, etc.).
Step 3: the user initiates a transaction request on the USBKEY service system (hereinafter "the system"). The system first encrypts the request data (a combination of a time string, an address string, a transaction-information string and an anti-replay-attack string) with the public key Up of the USBKEY to obtain A, and at the same time encrypts the same data with K1 to obtain EA; A and EA are concatenated and sent to the mobile phone;
Step 4: the mobile phone parses the data. It first decrypts the EA part with K1 and displays it on the phone screen, and the user confirms whether the transaction information is true. If it is confirmed as true, the A part of the data is encrypted with K2 to obtain EK2(A), which is sent;
Step 5: the system forwards the data to the first-generation USBKEY. The first-generation USBKEY decrypts EK2(A) with K2 to obtain data A (verification of a MAC, a random number and the like may be added to confirm data integrity), decrypts data A with Us, then encrypts the result with Bp to obtain data B, and replies to the system with data B;
Step 6: the system decrypts with Bs to obtain the plaintext data, compares it with the request that was sent, and completes the handling of the whole transaction.
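The system-side comparison in Step 6, sketched in Python as an added example that is not part of the patent text. The JSON encoding, the `PendingRequests` class, the 120-second window and the single-use handling of the anti-replay string are assumptions; the text above only names the four request fields and states that the decrypted reply is compared with the request that was sent.

```python
import hmac, json, secrets, time

MAX_AGE = 120  # seconds a request stays valid (assumed; the page gives no value)

def build_request(address, info, now=None):
    """Step 3 request data: time, address, transaction info, anti-replay string."""
    fields = {"time": int(time.time() if now is None else now),
              "address": address, "info": info,
              "anti_replay": secrets.token_hex(16)}
    # Canonical encoding so the Step 6 comparison can be byte-for-byte.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

class PendingRequests:
    """Hypothetical system-side record of requests sent and not yet answered."""
    def __init__(self):
        self._sent = {}  # anti-replay string -> exact request bytes sent

    def register(self, request):
        self._sent[json.loads(request)["anti_replay"]] = request

    def verify(self, returned, now=None):
        """Step 6: compare the decrypted reply (bytes) with the request sent."""
        now = time.time() if now is None else now
        try:
            fields = json.loads(returned)
            token, sent_at = fields["anti_replay"], fields["time"]
        except (ValueError, KeyError, TypeError):
            return "malformed"
        if not isinstance(token, str):
            return "malformed"
        # pop() makes every anti-replay string single-use, even on failure.
        sent = self._sent.pop(token, None)
        if sent is None:
            return "unknown-or-replayed"
        if not hmac.compare_digest(sent, returned):
            return "mismatch"
        if not 0 <= now - sent_at <= MAX_AGE:
            return "expired"
        return "ok"

if __name__ == "__main__":
    store = PendingRequests()
    # Constructed sample values, not taken from the page.
    req = build_request("203.0.113.7", "pay 100.00 to account 0001", now=1000)
    store.register(req)
    print(store.verify(req.replace(b"100.00", b"900.00"), now=1010))  # mismatch
    print(store.verify(req, now=1020))  # unknown-or-replayed (token consumed)
```

Consuming the anti-replay string on any lookup means a failed comparison forces a fresh request; that fails closed but lets anyone who can inject a reply cancel a pending transaction.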
Because this scheme involves telecom operators and the various banks of the financial sector, and as can be seen from Fig. 3, the scheme requires two groups of symmetric keys and two groups of asymmetric keys, which are kept through different channels according to their purpose. In light of the service-handling flow of Fig. 3, this scheme requires further modification of the operating mode of the existing first-generation USBKEY.
Embodiment 2
This embodiment provides a system for implementing a USBKEY service. The system comprises a USBKEY service system platform and a SIM card with a data encryption function that is bound one-to-one with the user's USBKEY:
The USBKEY service system receives a transaction request initiated by the user, encrypts the transaction request data with the public key of the USBKEY to obtain A, and at the same time encrypts the transaction request data with the shared key K1 of the data-SMS encryption/decryption protocol jointly formulated by the bank and the telecom operator to obtain EA; it concatenates A and EA and sends them to the SIM card bound to the USBKEY. Using the shared key K2 of the encryption/decryption protocol negotiated between the USBKEY service system and the telecom operator, it decrypts the data returned by the SIM card to obtain A, then decrypts A using the public key of the USBKEY to obtain the plaintext data, and compares it with the request that was sent, thereby completing the transaction;
Specifically, when the user applies for the USBKEY service, the USBKEY service system binds the USBKEY one-to-one with a SIM card that has a data encryption function, where the binding information comprises the USBKEY identifier, the shared key K1 of the data-SMS encryption/decryption protocol jointly formulated by the bank and the telecom operator, and the shared key K2 of the encryption/decryption protocol negotiated between the USBKEY and the telecom operator.
The SIM card receives the data sent by the USBKEY service system, decrypts the EA part of the data with K1 and displays it to the mobile phone user. When the user confirms that the transaction information is true, it encrypts the A part of the data with the shared key K2 of the encryption/decryption protocol negotiated between the USBKEY service system and the telecom operator, and returns it to the USBKEY service system.
In this embodiment, binding the USBKEY one-to-one with the SIM card that has a data encryption function comprises:
Using the remote card-writing service function of the telecom operator to write into the SIM card the identification number (ID) of the USBKEY the user has applied for, the telecom data, and the K1 and K2 data corresponding to the ID of this USBKEY.
The transaction request data comprises at least a time string, an address string, a transaction-information string and an anti-replay-attack string.
As can be seen from the above embodiments, the technical scheme of this application has the following advantages:
It makes full use of the ubiquity of mobile phones, combined with the secure storage and computing advantages of the USBKEY, to strengthen the security level of the majority of banks currently using the USBKEY, and effectively guards against Trojan horses;
The mobile phone and the first-generation USBKEY provide double insurance, neither of which can be dispensed with, reducing the user's risk of use to a minimum.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method may be completed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or part of the steps of the above embodiments may also be implemented with one or more integrated circuits. Correspondingly, each module or unit in the above embodiments may be implemented in the form of hardware or in the form of a software function module. This application is not restricted to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.