CN103701609B - A server operation of the terminal mutual authentication method and system - Google Patents

A server operation of the terminal mutual authentication method and system Download PDF

Info

Publication number
CN103701609B
CN103701609B CN201310740244.9A CN201310740244A CN103701609B CN 103701609 B CN103701609 B CN 103701609B CN 201310740244 A CN201310740244 A CN 201310740244A CN 103701609 B CN103701609 B CN 103701609B
Authority
CN
China
Prior art keywords
server
terminal
operation
certificate
serverwcrt
Prior art date
Application number
CN201310740244.9A
Other languages
Chinese (zh)
Other versions
CN103701609A (en
Inventor
洪逸轩
苏文龙
Original Assignee
福建联迪商用设备有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to CN2013100846538A priority Critical patent/CN103237005A/en
Priority to CN201310084673.5 priority
Priority to CN2013100843972A priority patent/CN103237004A/en
Priority to CN2013100846735A priority patent/CN103220271A/en
Priority to CN201310084653.8 priority
Priority to CN2013100846716A priority patent/CN103220270A/en
Priority to CN201310084671.6 priority
Priority to CN201310084397.2 priority
Application filed by 福建联迪商用设备有限公司 filed Critical 福建联迪商用设备有限公司
Priority to CN201310740244.9A priority patent/CN103701609B/en
Publication of CN103701609A publication Critical patent/CN103701609A/en
Application granted granted Critical
Publication of CN103701609B publication Critical patent/CN103701609B/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]

Abstract

本发明公开一种服务器与操作终端双向认证的方法及系统。 The present invention discloses a bidirectional authentication server and the terminal operation method and system. 本发明服务器与操作终端双向认证的方法及系统中,服务器将服务器公钥发给CA中心,CA中心使用根证书AuthRCRT对应私钥对服务器公钥签名生成服务器工作证书ServerWCRT。 The method and system of the present invention is a terminal server and a mutual authentication operation, the server public key to the CA center server, the center CA root certificate using the server private key corresponding to the public key AuthRCRT signature generating server certificate work ServerWCRT. CA中心将工作证书ServerWCRT和根证书AuthRCRT发给服务器,存储在数据库中。 CA center will work ServerWCRT certificate and root certificate AuthRCRT to the server, stored in the database. 操作终端将公钥发给CA中心,CA中心使用根证书AuthRCRT对应私钥对操作终端公钥签名生成工作证书OptmWCRT,OptmWCRT和AuthRCRT发给操作终端存储在加密模块中。 Operator terminal public key to the CA center, CA root certificate center using the corresponding private key AuthRCRT operator terminal public key certificate signature generation work OptmWCRT, OptmWCRT and sent to the operation terminal AuthRCRT stored within the cryptographic module. 之后在远程主秘钥下载方案中,就使用之前生成好的证书和预置的根证书进行双向认证,提高了系统安全性。 After the remote master keys download programs, use of pre-generated certificates and root certificate before mutual authentication, improve system security.

Description

一种服务器与操作终端双向认证的方法及系统 A server operation of the terminal mutual authentication method and system

技术领域 FIELD

[0001] 本发明涉及电子支付领域,尤其涉及一种服务器与操作终端双向认证的方法及系统。 [0001] The present invention relates to the field of electronic payment, particularly to a terminal server and the operation of mutual authentication method and system. 背景技术 Background technique

[0002] 银行卡(BANK Card)作为支付工具越来越普及,通常的银行卡支付系统包括销售点终端(Point Of Sale,P0S)、P0S收单系统(P0SP)、密码键盘(PIN PAD)和硬件加密机(Hardware and Security Module,HSM)。 [0002] bank card (BANK Card) is becoming increasingly popular as a payment instrument, usually a bank card payment system include point of sale terminals (Point Of Sale, P0S), P0S receiving system (P0SP), keyboard password (PIN PAD) and hardware encryption machine (hardware and Security Module, HSM). 其中P0S终端能够接受银行卡信息,具有通讯功能,并接受柜员的指令完成金融交易信息和有关信息交换的设备;P0S收单系统对P0S终端进行集中管理,包括参数下载,密钥下载,接受、处理或转发P0S终端的交易请求,并向P0S终端回送交易结果信息,是集中管理和交易处理的系统;密码键盘(PIN PAD)是对各种金融交易相关的密钥进行安全存储保护,以及对PIN进行加密保护的安全设备;硬件加密机(HSM) 是对传输数据进行加密的外围硬件设备,用于PIN的加密和解密、验证报文和文件来源的正确性以及存储密钥。 P0S terminal which can accept credit card information, communication-capable, and accept the teller's instructions to complete the financial transaction information and device information exchange; P0S acquiring system P0S terminal centralized management, including parameter download, download key, acceptance, transaction processing or forwarding requests P0S terminal, and terminal loopback P0S transaction result information, centralized system management and transaction processing; PIN Pad (PIN PAD) is a variety of financial transactions related to the key storage security protection, as well as PIN protected by encryption security apparatus; hardware encryption machine (HSM) to encrypt data is the peripheral hardware device for the PIN encryption and decryption, storage key and verify the correctness of the packet and the source file. 个人标识码(Personal Identificat1n Number,PIN),即个人密码,是在联机交易中识别持卡人身份合法性的数据信息,在计算机和网络系统中任何环节都不允许以明文的方式出现;终端主密钥(Terminal Master Key,TMK),P0S终端工作时,对工作密钥进行加密的主密钥,加密保存在系统数据库中;P0S终端广泛应用于银行卡支付场合,比如厂商购物、酒店住宿等,是一种不可或缺的现代化支付手段,已经融入人们生活的各种场合。 Personal identification code (Personal Identificat1n Number, PIN), namely personal password, is identified in the online identity of the cardholder transaction legitimacy of data, any links are not allowed in clear text appears in the computer and network systems; the main terminal key (terminal master key, TMK), when P0S terminal work, the work of master keys for encryption keys, encrypted and stored in the system database; P0S bank card payment terminals are widely used in applications, such as vendor shopping, hotels and accommodation , is an integral part of modern means of payment, it has been integrated into people's lives on various occasions. 银行卡,特别是借记卡,一般都由持卡人设置了PIN,在进行支付过程中,P0S终端除了上送银行卡的磁道信息等资料外,还要持卡人输入PIN供发卡银行验证持卡人的身份合法性, 确保银行卡支付安全,保护持卡人的财产安全。 Card, in particular debit card, the cardholder is provided by a PIN general, performing the payment process, P0S sent to the terminal in addition to the card track information and other information, but also the cardholder to enter a PIN issuing bank for verification the identity of the legitimacy of the cardholder's bank card payments to ensure the safety, protection of property security of the cardholder. 为了防止PIN泄露或被破解,要求从终端到发卡银行整个信息交互过程中,全程对PIN进行安全加密保护,不允许在计算机网络系统的任何环节,PIN以明文的方式出现,因此目前接受输入PIN的P0S终端都要求配备密钥管理体系。 In order to prevent leakage or cracked PIN request from the terminal to the card-issuing bank the entire information exchange process, the whole security of PIN encryption is not permitted in any part of the computer network system, PIN appears in clear text, so now accept the input PIN the P0S terminals are equipped with key management system requirements.

[0003] P0S终端的密钥体系分成二级:终端主密钥(TMK)和工作密钥(WK)。 Key System [0003] P0S terminal into two: the terminal master key (TMK) and a working key (WK). 其中TMK在WK更新过程中,对WK进行加密保护。 TMK in which the WK update process, the WK be password protected. 每台P0S终端与P0S之间共享唯一的TMK,必须要有安全保护, 保证只能写入设备并参与计算,不能读取;TMK是一个很关键的根密钥,如果TMK被截取,工作密钥就比较容易被破解,将严重威胁银行卡支付安全。 Each P0S shared only between the terminal and P0S TMK, security must be protected to ensure that only involved in the calculation and the writing device can not be read; TMK is a critical root key, if TMK is intercepted, encrypted work key is relatively easy to crack, would seriously threaten the bank card payment security. 所以能否安全下载TMK到P0S终端, 成为整个P0S终端安全性的关键。 So you can safely download TMK to P0S terminal, a key security throughout P0S terminal. 下面归纳现有的TMK下载方案如下: The following conventional induction TMK download scheme is as follows:

[0004] 1、密钥母P0S方案:用户在P0S收单系统硬件加密机和密钥母P0S输入一样的传输加密密钥。 [0004] 1, the master key P0S scheme: P0S user receiving system and a hardware encryption key master machine P0S input the same traffic encryption key. P0S终端通过密钥母P0S向P0S收单系统发起终端主密钥下载请求,P0S收单系统驱动硬件加密机随机生成终端主密钥,并用传输加密密钥加密传输给密钥母P0S,密钥母P0S用传输加密密钥解密后再传输给P0S终端,P0S终端获得终端主密钥明文,保存到P0S终端密码键盘,从而实现P0S终端和P0S收单系统之间终端主密钥的同步。 P0S initiated by the terminal master key P0S P0S receiving system to the terminal master key download request, receiving system P0S driving machine hardware encryption key randomly generated master terminal, and transmitting encrypted traffic encryption key to the key master P0S, key P0S master transport encryption key using the decrypted and then transmitted to the P0S terminal, the terminal master key to obtain the terminal P0S plaintext password saved to P0S terminal keyboard, in order to achieve synchronization between the terminal and the P0S P0S terminal receiving system master key.

[0005] 2、1C卡解密方案:用户在P0S收单系统硬件加密机和1C卡中注入一样的传输加密密钥。 [0005] 2,1C card containing decryption scheme: injecting a user in the same traffic encryption key P0S receiving system hardware encryptor and 1C card. 用户将1C卡插入P0S终端,P0S终端向P0S收单系统发起终端主密钥下载请求,P0S收单系统驱动硬件加密机随机生成终端主密钥,并用传输加密密钥加密传输给POS终端,POS终端用1C卡中的传输加密密钥解密终端主密钥密文,获得终端主密钥明文,保存到P0S终端密码键盘,从而实现P0S终端和P0S收单系统之间终端主密钥的同步。 1C P0S user card into a terminal, the terminal master key P0S terminal initiates a download request to P0S receiving system, receiving system P0S drive terminal hardware encryptor randomly generated master key, and the encryption key transmitted by the transmission to the POS terminal, POS 1C card terminal using traffic encryption key to decrypt the ciphertext terminal master key, the master key to obtain the terminal plaintext password saved to P0S terminal keyboard, in order to achieve synchronization between the terminal and the P0S P0S terminal receiving system master key.

[0006] 上述两种方案都有以下缺点:终端主密钥明文出现在安全设备之外,为防范密钥泄露风险,终端主密钥的下载必须控制在管理中心的安全机房进行,通过人工集中下载终端主密钥。 [0006] Both programs have the following disadvantages: terminal master key explicitly appear in addition to safety equipment, to guard against the risk of key compromise, download terminal master key must be controlled in a secure room management center carried out by manual focus download terminal master key. 从而带来“维护中心机房工作量大;设备出厂后需要运输到管理中心安全机房下载密钥才能部署到商户,运输成本上升;为了集中下装密钥,需要大量的人手和工作时间, 维护成本大、维护周期长”等问题。 Leading to "maintain the central office workload; the need to transport equipment to the factory management center security room to download key to deploy to the merchant, rising transportation costs; order to focus on key download, requires a lot of manpower and working hours, maintenance costs large, long maintenance cycle "and so on. 发明内容 SUMMARY

[0007] 为解决上述技术问题,本发明采用的一个技术方案是提供一种服务器与操作终端双向认证的方法,包括步骤: [0007] To solve the above problems, an aspect of the present invention uses a server to provide a mutual authentication operation of the terminal, comprising the steps of:

[0008] S1、CA中心预装载服务器工作证书ServerWCRT和根证书AuthRCRT至服务器,以及预装载操作终端工作证书OptmWCRT和根证书AuthRCRT至操作终端,其中,操作终端工作证书OptmWCRT由根证书AuthRCRT对应私钥对操作终端公钥OptmWCRT_pu签名生成,服务器工作证书ServerWCRT由根证书AuthRCRT对应私钥对服务器公钥ServerWCRT_pu签名生成; [0008] S1, CA preload central server certificate ServerWCRT work and AuthRCRT root certificate to the server, and a pre-load operation and operation of the terminal certificate OptmWCRT AuthRCRT root certificate to the operator terminal, wherein the operation terminal corresponding to the working root certificate Certificate OptmWCRT AuthRCRT generating a private key signature of the public key operation terminal OptmWCRT_pu, server certificate ServerWCRT work by the private key corresponding to the root certificate AuthRCRT ServerWCRT_pu public key signature generation server;

[0009] S2、服务器将服务器工作证书ServerWCRT发送给操作终端;[〇〇1〇] S3、操作终端使用根证书AuthRCRT验证服务器工作证书SeverWCRT合法性,当验证合法时,生成第一随机数ATI并发送至服务器;[〇〇11] S4、服务器使用服务器工作证书ServerWCRT对应私钥ServerWCRT_prk对第一随机数ATI签名生成第一签名数Signl并发送给操作终端; [0009] S2, the server sends the server certificate ServerWCRT work to the operating terminal; [〇〇1〇] S3, the operation terminal uses AuthRCRT root certificate validation server certificate SeverWCRT legitimacy work, when the authentication method, and generates a first random number ATI to the server; [〇〇11] S4, the server certificate using the server work ServerWCRT ServerWCRT_prk the corresponding private key of the signature first random number generation ATI Signl first signature number and sends the operation terminal;

[0012] S5、操作终端使用服务器工作证书ServerWCRT提取服务器公钥ServerWCRT_pu验证第一签名数Signl合法性,当验证合法时,发送操作终端工作证书OptmWCRT至服务器; [0〇13] S6、服务器使用根证书AuthRCRT验证操作终端工作证书OptmWCRT合法性,当验证合法时,生成第二随机数AT2并发送至操作终端;[〇〇14] S7、操作终端使用操作终端工作证书OptmWCRT对应私钥0ptmWCRT_prk对第二随机数AT2签名生成第二签名数Sign2并发送给服务器;[〇〇15] S8、服务器使用操作终端工作证书OptmWCRT提取公钥0ptmWCRT_pu验证第二签名数Sign2合法性,当验证合法时,完成操作终端与服务器的双向认证。 [0012] S5, the operation terminal certificate using the server work ServerWCRT_pu ServerWCRT extraction server public key to verify the legitimacy of the first signature number Signl, when the authentication method, the terminal transmitting operation to work the server certificate OptmWCRT; [0〇13] S6, the root server certificate verification operation terminal operating AuthRCRT OptmWCRT legitimacy certificate, when the authentication method, and generates a second random number transmitted to the operation terminal AT2; [〇〇14] S7, the operation using the operation terminal operating terminal OptmWCRT the corresponding private key certificate for the second 0ptmWCRT_prk generating a second random number signature number of signature AT2 Sign2 sends to the server; [〇〇15] S8, the server certificate using the operation terminal operating 0ptmWCRT_pu OptmWCRT extract the public key to verify the legitimacy of the second signature number Sign2, when the authentication method, to complete the operation terminal the server mutual authentication.

[0016] 本发明的另一技术方案为提供一种服务器与操作终端双向认证的系统,包括CA中心、与CA中心通信连接的服务器、以及与服务器通信连接的操作终端,所述CA中心包括预装载模块;所述服务器包括第一服务器发送模块、第二服务器发送模块、第三服务器发送模块、验证模块;所述操作终端包括第一操作终端发送模块、第二操作终端发送模块、第三操作终端发送模块; [0016] Another aspect of the present invention is to provide a bidirectional authentication server and the terminal operating system, comprising a CA center, the server is connected in communication with the CA center, and an operation terminal is connected in communication with the server, the CA center comprises a pre- loading module; the server includes sending a first server module, the server sends a second module, the third module transmitting server, the verification module; the operating terminal includes a first operation terminal transmitting module, a second module sending operation terminal, the third operation terminal transmitting module;

[0017] 预装载模块用于预装载服务器工作证书ServerWCRT和根证书AuthRCRT至服务器, 以及预装载操作终端工作证书OptmWCRT和根证书AuthRCRT至操作终端,其中,操作终端工作证书OptmWCRT由根证书AuthRCRT对应私钥对操作终端公钥0ptmWCRT_pu签名生成,服务器工作证书ServerWCRT由根证书AuthRCRT对应私钥对服务器公钥ServerWCRT_pu签名生成; [0017] The means for pre-loading the preload work server certificate and root certificate AuthRCRT ServerWCRT to the server, and a pre-load operation and operation of the terminal certificate OptmWCRT AuthRCRT root certificate to the operator terminal, wherein the terminal operator work certificate from the root certificate OptmWCRT AuthRCRT private key corresponding to the public key of the operation terminal 0ptmWCRT_pu signature generation server certificate ServerWCRT work by the private key corresponding to the root certificate AuthRCRT ServerWCRT_pu public key signature generation server;

[0018] 第一服务器发送模块用于将预装载模块预装载的服务器工作证书ServerWCRT发送给操作终端; Work certificate server [0018] The first server sends the pre-loading module for module preloaded ServerWCRT transmitted to the operation terminal;

[0019] 第一操作终端发送模块用于将预装载模块预装载的服务器根证书AuthRCRT验证第一服务器发送模块发送给操作终端的服务器工作证书SeverWCRT合法性,当验证合法时, 生成第一随机数ATI并发送至服务器; [0019] The terminal transmits a first operating means for transmitting the pre-loading module preloaded root certificate AuthRCRT authentication server transmits a first server module to work SeverWCRT certificate server legitimacy of the operation terminal, when the authentication method, generating a first ATI and the random number transmitted to the server;

[0020] 第二服务器发送模块用于使用预装载模块预装载的服务器工作证书ServerWCRT 对应私钥SerVerWCRT_prk对第一操作终端发送模块发送给服务器的第一随机数ATI签名生成第一签名数Signl并发送给操作终端;[〇〇21]第二操作终端发送模块用于使用第一服务器发送模块发送的服务器工作证书ServerWCRT提取服务器公钥ServerWCRT_pu验证第二服务器发送模块发送给操作终端的第一签名数Signl合法性,当验证合法时,发送操作终端工作证书Op tmWCRT至服务器;[〇〇22]第三服务器发送模块用于使用预装载模块预装载的根证书AuthRCRT验证第二操作终端发送模块发送给服务器的操作终端工作证书〇PtmWCRT合法性,当验证合法时,生成第二随机数AT2并发送至操作终端;[〇〇23]第三操作终端发送模块用于使用预装载模块预装载的操作终端工作证书OptmWCRT对应私钥OptmWCRT_prk对第三服务器 [0020] The second server transmits the server module for work certificate using a pre-loading module preloaded ServerWCRT private key corresponding to the first random number ATI SerVerWCRT_prk transmitting terminal transmits the first operation module to generate a first signature server signature number Signl sent to the operation terminal; [〇〇21] second operating means for transmitting terminal certificate with the server transmits the transmission work server ServerWCRT a first extraction module public key ServerWCRT_pu authentication server a second server module transmitting a first signature sent to the operation terminal Signl number of legitimacy, when the authentication method, the terminal transmits the operation Op tmWCRT work certificate to the server; [〇〇22] the third sending module root certificate server using a pre-loaded pre-loading module verifies the second operation terminal transmits AuthRCRT work module certificate 〇PtmWCRT legitimacy of the operation terminal transmits to the server, when the authentication method, and generates a second random number transmitted to the operation terminal AT2; [〇〇23] third means for transmitting terminal operation using a pre-pre-loading module work loading operation terminal OptmWCRT the corresponding private key certificate for the third server OptmWCRT_prk 发送模块发送给操作终端的第二随机数AT2 签名生成第二签名数Sign2并发送给服务器;[〇〇24]服务器验证模块用于使用第二操作终端发送模块发送给服务器的操作终端工作证书OptmWCRT提取公钥OptmWCRT_pu验证第三操作终端发送模块发送给服务器的第二签名数Sign2合法性,当验证合法时,完成操作终端与服务器的双向认证。 Sending module sends to the operating terminal AT2 signature second random number to generate a second signature number Sign2 sends to the server; [〇〇24] Server authentication module configured to send the certificate to the operating terminal is operating using the second operation OptmWCRT terminal server sending module extract the public key to verify the second signature number Sign2 OptmWCRT_pu legitimacy third sending module operating terminal to the server, when the authentication method, a complete two-way authentication operation terminal and a server.

[0025]本发明有益效果:本发明服务器与操作终端双向认证的方法及系统中,服务器调用加密机生成服务器公私钥对,并将服务器公钥发给CA中心,CA中心使用根证书AuthRCRT 对应私钥对服务器公钥签名生成服务器工作证书ServerWCRT AA中心将工作证书ServerWCRT和根证书AuthRCRT发给服务器,存储在数据库中。 [0025] Advantageous Effects of Invention: The present invention is a method and system for mutual authentication operation of the terminal server, the server calls the public encryption key pair generation server machine, the server and the public key to the CA center, the center of the root CA certificate corresponding to the private AuthRCRT server public key for signature generation server certificate ServerWCRT AA work center will work ServerWCRT certificate and root certificate AuthRCRT to the server, stored in the database. 操作终端在安全环境下,生成公私钥对,将公钥发给CA中心,CA中心使用根证书AuthRCRT对应私钥对操作终端公钥签名生成工作证书Op tmWCRT,Op tmWCRT和AuthRCRT发给操作终端存储在加密模块中。 Operating the terminal in a secure environment, to generate a public and private key, public key to the CA center, center CA root certificate using the corresponding private key of the operation terminal AuthRCRT public key signature generation work certificate Op tmWCRT, Op tmWCRT and sent to the operation terminal storage AuthRCRT in the encryption module. [〇〇26]之后在远程主秘钥下载方案中,就使用之前生成好的证书和预置的根证书进行双向认证,P0S终端产生TK,操作终端采集TK并将TK传输给KMS系统或MTMS系统(服务器可为KMS系统或MTMS系统),其中,通过CA中心对操作终端与KMS系统的身份进行认证。 Generated certificates Before After [〇〇26] download the remote master secret key scheme, and on the use of root certificates preset mutual authentication, the terminal generates P0S TK, TK and TK acquisition operation of the terminal to a transmission system or KMS MTMS system (KMS system may be a server system or MTMS), wherein, to authenticate the identity of the operator terminal and the KMS system through the CA center. 通过CA中心对操作终端和KMS系统身份进行认证,确保操作终端将TK传输给合法的KMS系统,以及确保KMS系统从合法的操作终端得到上传的TK,防止伪操作终端上传假TK,以及防止伪KMS系统截取TK,提高TK上传和TMK下载安全。 By CA center of the terminal and the KMS system authentication, ensure that the operator terminal TK transmitted to the legitimate KMS system and to ensure KMS system has been uploaded from the legitimate operation of the terminal TK, to prevent spurious operation of the terminal to upload a false TK, and to prevent pseudo KMS system intercepts TK, TK improve upload and download TMK security. 提高了系统安全性。 Improve system security. 附图说明 BRIEF DESCRIPTION

[0027] 图1为本发明的一种服务器与操作终端双向认证的方法的一个实施方式的执行流程图; Execution Flow [0027] FIG 1 one embodiment of the present invention, a server and a method of operating a terminal mutual authentication;

[0028] 图2为本发明的一种服务器与操作终端双向认证的系统一个实施方式的结构框图;[〇〇29]主要元件符号说明: [0028] block diagram of a structure of the terminal server and mutual authentication operation system of Figure 2 according to one embodiment of the present invention; and [〇〇29] Description of Symbols principal elements:

[0030] 1、服务器与操作终端双向认证的系统; [0030] 1, the terminal server and the mutual authentication operation system;

[0031] 10、CA中心;11、预装载模块;[〇〇32] 20、服务器;21、第一服务器发送模块;22、第二服务器发送模块;23、第三服务器发送模块;24、验证模块;[〇〇33] 30、操作终端;31、第一操作终端发送模块;32、第二操作终端发送模块;33、第三操作终端发送模块。 [0031] 10, CA center; 11, pre-loaded module; [〇〇32] 20, a server; 21, a first server sending module; 22, the second server sending module; 23, the third server sending module; 24, authentication module; [〇〇33] 30, terminal operation; 31, a first terminal sending module operation; 32, a second transmitting terminal operation module; 33, a third sending module operating terminal. 具体实施方式 Detailed ways

[0034] 为详细说明本发明的技术内容、构造特征、所实现目的及效果,以下结合实施方式并配合附图详予说明。 [0034] The teachings of the present invention in detail, structural features, objects and effects of the implementation, the following embodiments in conjunction with the accompanying drawings and to be described in detail.

[0035] 为解决背景技术中存在的技术问题,本发明采用一种新的主密钥下载方案,通过P0S终端随机产生TK(Transmiss1n Key,传输密钥),将产生后的TK保存于P0S终端的密码键盘中,并将TK通过各种应用场景下所需的传输方式传送至KMS(Key Management System, 密钥管理系统,用于管理终端主密钥TMK)中。 [0035] In order to solve the technical problems present in the background art, the present invention employs a new master key to download the program, random TK (Transmiss1n Key, transmission key), the TK generated P0S stored in the terminal by the terminal P0S password keyboard, and sent to the KMS TK transmission requirements under various scenarios (key management system, key management system, for managing the terminal master key TMK) in. [〇〇36] 当P0S终端申请下载终端主密钥TMK时,KMS系统使用TK加密终端主密钥TMK,并将加密后的终端主密钥密文发送给P0S终端,P0S终端接收后用TK对主密钥密文进行解密,得到终端主密钥TMK,并将终端主密钥TMK保存在密码键盘里。 [〇〇36] P0S terminal when the terminal application download master key TMK, KMS system using a TK encrypted master key TMK terminal, and the terminal master key ciphertext P0S sent encrypted to the terminal, the receiving terminal P0S TK the master key to decrypt the ciphertext to obtain the master key TMK terminal, and the terminal master key TMK is stored in the password in the keyboard. [〇〇37] 如此,通过TK加密终端主密钥TMK,使TMK能够进行远程传输,方便TMK的安全下载。 [〇〇37] Thus, by a TK-end encryption master key TMK, TMK possible to enable remote transmission, to facilitate the secure download TMK. [〇〇38]在某些场景下,采用操作终端采集P0S终端产生的TK,并由操作终端负责将TK传输给KMS系统,或者传输给MTMS系统(Material Tracking Management System,物料追溯系统,主要在工厂生产中使用),由MTMS系统统一管理TK,并将TK发送给相应的KMS系统,所述输送过程由CA中心(Certificate Authority,证书授权中心,采用Public Key Infrastructure公开密钥基础架构技术,专门提供网络身份认证服务,负责签发和管理数字证书,且具有权威性和公正性的第三方信任机构)鉴别操作终端、MTMS系统和KMS系统的身份。 [〇〇38] In some scenarios, the operation terminal using the acquired terminal generates P0S TK, by the operator responsible for the terminal to transmit TK KMS system, or transmitted to the system MTMS (Material Tracking Management System, material traceability system, mainly in the plant is used), a unified management system MTMS TK, TK and sent to the corresponding KMS system, the center of the delivery process by the CA (certificate authority, the certificate authority, using Public key infrastructure public-key infrastructure technology, specifically providing network authentication services, responsible for issuing and managing digital certificates, and has the authority and impartiality of a trusted third party organization) authentication operation terminal, MTMS system and the KMS system. 采用操作终端采集TK可以方便TK的采集操作(可以实现一键采集等)和TK采集的权限管理;采用MTMS系统可以方便对TK统一管理,方便以后售后维修时P0S终端的数据查找与下载,通过MTMS系统可以实现按生产单批量传输TK,方便TK的传输管理,防止TK误传给错误的对象;引入CA中心可以防止伪终端和伪KMS系统窃取TK。 Using the operating terminal acquisition TK can easily TK acquisition operation (can realize a key collection, etc.) rights management and TK acquisition; the use of MTMS system can facilitate unified management of TK, convenient after-sales maintenance data lookup and download time P0S terminal by MTMS system may be implemented in a single production batch TK transmission, the transmission management convenience of TK, TK prevent misinformation to the wrong object; CA introduced pseudo terminals can be prevented and the center of the dummy KMS system steal TK. [〇〇39]上述通过操作终端采集传输密钥TK后发送至银行端KMS系统对TMK进行加密,再通过P0S终端远程下载经TK加密后的TMK的方法可以保证TMK的传输安全。 [〇〇39] The operation of the terminal by the transmission key TK is sent to the collecting bank client KMS system TMK encrypted, and then downloaded by a remote terminal through P0S TMK TK encryption method can guarantee the transmission security of TMK.

[0040]操作终端作为一个对安全性要求很高的设备,为了防止非法的设备接入系统,需要实现操作终端与服务器端进行双向认证。 [0040] As an operator terminal demanding safety device, in order to prevent illegal access to system devices, it is necessary to achieve the operation terminal mutual authentication with the server. [0041 ]下面就对本发明克服上述问题的技术方案进行详细说明。 [0041] The following detailed description will overcome the aforementioned problems the technical solution of the present invention. [〇〇42]请参阅图1,是本发明一种服务器与操作终端双向认证的方法的执行流程图,该方法包括步骤:[〇〇43] S1、CA中心预装载服务器工作证书ServerWCRT和根证书AuthRCRT至服务器,以及预装载操作终端工作证书OptmWCRT和根证书AuthRCRT至操作终端,其中,操作终端工作证书OptmWCRT由根证书AuthRCRT对应私钥对操作终端公钥OptmWCRT_pu签名生成,服务器工作证书ServerWCRT由根证书AuthRCRT对应私钥对服务器公钥ServerWCRT_pu签名生成; [〇〇42] Please refer to FIG. 1, the implementation of the present invention is flowchart of a method of operating a terminal server and mutual authentication, the method comprising the steps of: [〇〇43] S1, CA preload central server and work certificate ServerWCRT AuthRCRT root certificate to the server, and a pre-load operation and operation of the terminal certificate OptmWCRT AuthRCRT root certificate to the operator terminal, wherein the operation terminal corresponding to a work certificate OptmWCRT AuthRCRT root certificate public key private key pair OptmWCRT_pu signature generation operation terminal, the server certificate work ServerWCRT corresponding to the private key of the root certificate AuthRCRT ServerWCRT_pu public key signature generation server;

[0044] S2、服务器将服务器工作证书ServerWCRT发送给操作终端;[〇〇45] S3、操作终端使用根证书AuthRCRT验证服务器工作证书SeverWCRT合法性,当验证合法时,生成第一随机数ATI并发送至服务器;[〇〇46] S4、服务器使用服务器工作证书ServerWCRT对应私钥ServerWCRT_prk对第一随机数ATI签名生成第一签名数Signl并发送给操作终端;[〇〇47] S5、操作终端使用服务器工作证书ServerWCRT提取服务器公钥ServerWCRT_pu验证第一签名数Signl合法性,当验证合法时,发送操作终端工作证书Op tmWCRT至服务器; [〇〇48] S6、服务器使用根证书AuthRCRT验证操作终端工作证书Op tmWCRT合法性,当验证合法时,生成第二随机数AT2并发送至操作终端;[〇〇49] S7、操作终端使用操作终端工作证书OptmWCRT对应私钥OptmWCRT_prk对第二随机数AT2签名生成第二签名数Sign2并发送给服务器; [0044] S2, the server sends the server certificate ServerWCRT work to the operating terminal; [〇〇45] S3, the operation terminal uses AuthRCRT root certificate validation server certificate SeverWCRT legality, when the authentication method, generating a first random number and transmits ATI to the server; [〇〇46] S4, the server certificate using the server work ServerWCRT ServerWCRT_prk the corresponding private key of the first random number to generate a first signature number of signature ATI Signl terminal sends operation; [〇〇47] S5, the operation using the server terminal work extraction server public key certificate ServerWCRT ServerWCRT_pu verify the legitimacy of the first signature number Signl, when the authentication method, the terminal transmits the operation Op tmWCRT work certificate to the server; [〇〇48] S6, the server uses the root certificate AuthRCRT work certificate verification operation terminal Op tmWCRT legality, when the authentication method, and generates a second random number transmitted to the operation terminal AT2; [〇〇49] S7, the operation using the operation terminal operating terminal certificate OptmWCRT OptmWCRT_prk the corresponding private key of the signature second random number to generate a second AT2 signature number Sign2 sends to the server;

[0050] S8、服务器使用操作终端工作证书OptmWCRT提取公钥OptmWCRT_pu验证第二签名数Sign2合法性,当验证合法时,完成操作终端与服务器的双向认证。 [0050] S8, terminal servers use the operating certificate OptmWCRT work OptmWCRT_pu extract the public key to verify the legitimacy of the second signature number Sign2 when validating legitimate, complete with two-way authentication operation of the terminal server. [0051 ]上述各步骤中的服务器可为MTMS系统或KMS系统。 [0051] each of the above steps may be a server system or MTMS KMS system. [0〇52] 在本实施方式中,所述“CA中心预装载服务器工作证书ServerWCRT和根证书AuthRCRT至服务器,以及预装载操作终端工作证书Op tmWCRT和根证书AuthRCRT至操作终端”具体包括步骤:[〇〇53] 服务器调用加密机产生服务器公钥SerVerWCRT_pu和服务器私钥ServerWCRT_ prk,将服务器公钥ServerWCRT_pu发给CA中心;[〇〇54] 操作终端产生操作终端公钥0ptmWCRT_pu和操作终端私钥0ptmWCRT_prk,将操作终端公钥〇ptmWCRT_pu发给CA中心;[〇〇55] CA中心使用根证书AuthRCRT对应私钥,对服务器公钥ServerWCRT_pu签名,生成服务器工作证书ServerWCRT,并将根证书AuthRCRT和服务器工作证书ServerWCRT发送给服务器;[〇〇56] CA中心使用根证书AuthRCRT对应私钥,对操作终端公钥Op tmWCRT_pu签名,生成操作终端工作证书〇P tmWCRT,并将操作终端工作证书Op tmWCRT和根证书AuthRCRT发给操作终端。 [0〇52] In the present embodiment, the "pre-loading the CA server work center certificate and root certificate AuthRCRT ServerWCRT to the server, and a pre-load operation and operation of the terminal certificate Op tmWCRT AuthRCRT root certificate to the operator terminal" comprises step: [〇〇53] encryptor call server generates the server private key and server public SerVerWCRT_pu ServerWCRT_ prk, the central server's public key ServerWCRT_pu issued CA; [〇〇54] operator terminal generates a public key operation terminal and operation terminal personal 0ptmWCRT_pu key 0ptmWCRT_prk, the operation of the terminal public key issued to the CA center 〇ptmWCRT_pu; [〇〇55] CA center using the private key corresponding to the root certificate AuthRCRT, ServerWCRT_pu signature public key of the server, the server generating the certificate work ServerWCRT, and the root certificate and the server AuthRCRT working ServerWCRT certificate to the server; [〇〇56] AuthRCRT the CA root certificate center using the corresponding private key, the public key of the operation terminal Op tmWCRT_pu signature generating operation terminal works certificate 〇P tmWCRT, and the work terminal operation and root certificate Op tmWCRT AuthRCRT certificate issued to the operator terminal. [〇〇57]在本实施方式中,所述步骤S8后还包括步骤:操作终端与服务器完成双向认证后, 操作终端将采集的P0S终端产生的传输密钥TK发送给服务器。 [〇〇57] In the present embodiment, after the step S8 further comprising the step of: after completion of the operation terminal mutual authentication with the server, the transmission operation of the terminal collected P0S key TK generated by the terminal to the server. [〇〇58]请参阅图2,是本发明一种服务器与操作终端双向认证的系统的结构框图。 [〇〇58] Please refer to FIG. 2, it is a structural block diagram of a bidirectional authentication server and the terminal operation system of the present invention. 上述的一种传输密钥TK的采集方法应用于该系统中。 A transmission key TK aforementioned method is applied to the collection system.

[0059] 所述服务器与操作终端双向认证的系统包括CA中心10、与CA中心通信连接的服务器20、以及与服务器通信连接的操作终端30,其中所述服务器20可为MTMS系统或KMS系统, 所述CA中心包括预装载模块11;所述服务器20包括第一服务器发送模块21、第二服务器发送模块22、第三服务器发送模块23、验证模块24;所述操作终端包括第一操作终端发送模块31、第二操作终端发送模块32、第三操作终端发送模块33; [0059] The terminal server and mutual authentication operation system 10 includes a CA center, connected to the server 20 in communication with the CA center, and the operation terminal 30 is connected in communication with the server, wherein the server system 20 may be MTMS or KMS system, the CA center comprises a pre-loading module 11; the server sending module 20 comprises a first server 21, second server sending module 22, the third server sending module 23, validation module 24; a first operation of the operation terminal comprises a terminal a sending module 31, a second transmitting terminal operation module 32, a third sending module operation terminal 33;

[0060] 预装载模块11用于预装载服务器工作证书ServerWCRT和根证书AuthRCRT至服务器,以及预装载操作终端工作证书〇PtmWCRT和根证书AuthRCRT至操作终端,其中,操作终端工作证书OptmWCRT由根证书AuthRCRT对应私钥对操作终端公钥0ptmWCRT_pu签名生成,月艮务器工作证书ServerWCRT由根证书AuthRCRT对应私钥对服务器公钥ServerWCRT_pu签名生成; [0060] The pre-loading module 11 for pre-loading work server certificate and root certificate AuthRCRT ServerWCRT to the server, and a pre-load operation and operation of the terminal certificate 〇PtmWCRT AuthRCRT root certificate to the operator terminal, wherein the terminal operation by a work certificate OptmWCRT AuthRCRT root certificate private key corresponding to the public key of the operation terminal 0ptmWCRT_pu signature generation, that works to monthly operating certificate from the root certificate AuthRCRT ServerWCRT private key corresponding to the public key ServerWCRT_pu signature generation server;

[0061]第一服务器发送模块21用于将预装载模块预装载的服务器工作证书ServerWCRT 发送给操作终端;[〇〇62]第一操作终端发送模块31用于将预装载模块预装载的服务器根证书AuthRCRT验证第一服务器发送模块发送给操作终端的服务器工作证书SeverWCRT合法性,当验证合法时,生成第一随机数ATI并发送至服务器;[〇〇63]第二服务器发送模块2 2用于使用预装载模块预装载的服务器工作证书ServerWCRT对应私钥SerVerWCRT_prk对第一操作终端发送模块发送给服务器的第一随机数ATI签名生成第一签名数Signl并发送给操作终端;[〇〇64]第二操作终端发送模块32用于使用第一服务器发送模块发送的服务器工作证书ServerWCRT提取服务器公钥ServerWCRT_pu验证第二服务器发送模块发送给操作终端的第一签名数Signl合法性,当验证合法时,发送操作终端工作证书Op tmWCRT至服务器;[〇〇65]第 [0061] The first server sending module 21 configured to pre-load the server certificate module working preloaded ServerWCRT transmitted to the operation terminal; [〇〇62] a first transmitting terminal module 31 for operating the pre-pre-loading module work carrier server certificate server legitimacy SeverWCRT AuthRCRT root certificate authentication server transmits a first module transmits to the operation terminal, when the authentication method, generating a first random number and send to the server ATI; [〇〇63] the second server sending module 22 pre-loading module using a server certificate preloaded work ServerWCRT private key corresponding to the first random number SerVerWCRT_prk transmits a first operation terminal ATI transmits to the server module generates a first signature to the signature number of concurrent operation Signl terminal; [〇〇64] the second sending module 32 ServerWCRT operation terminal extraction work for server certificate using a transmission module transmits a first server's public key to verify the first signature number Signl ServerWCRT_pu legitimacy sent to the operator server sends a second terminal module, when the verification method, the transmission operation of the terminal to the server work certificate Op tmWCRT; [〇〇65] of 服务器发送模块23用于使用预装载模块预装载的根证书AuthRCRT验证第二操作终端发送模块发送给服务器的操作终端工作证书〇PtmWCRT合法性,当验证合法时,生成第二随机数AT2并发送至操作终端;[〇〇66]第三操作终端发送模块33用于使用预装载模块预装载的操作终端工作证书OptmWCRT对应私钥OptmWCRT_prk对第三服务器发送模块发送给操作终端的第二随机数AT2 签名生成第二签名数Sign2并发送给服务器;[〇〇67]服务器验证模块24用于使用第二操作终端发送模块发送给服务器的操作终端工作证书OptmWCRT提取公钥OptmWCRT_pu验证第三操作终端发送模块发送给服务器的第二签名数Sign2合法性,当验证合法时,完成操作终端与服务器的双向认证。 Working operator terminal server certificate 〇PtmWCRT legitimacy root certificate sending module 23 for using a pre-loading module preloaded AuthRCRT verify the second operation terminal to the server sending module, when the authentication method, and generates a second random number AT2 transmitted to the operation terminal; [〇〇66] the third sending module 33 for operating the terminal using a pre-loading module preloaded working operation terminal certificate OptmWCRT OptmWCRT_prk the corresponding private key to a third operator terminal server transmitting a second module generating a second random number signature number of signature AT2 Sign2 sends to the server; [〇〇67] server 24 is configured to send authentication module using the second module to the operating terminal transmits operating terminal OptmWCRT work certificate authentication server extracts the public key of the third operation OptmWCRT_pu the second terminal sends the legitimacy of the signature number Sign2 module sent to the server when verifying legitimate, complete with two-way authentication operation of the terminal server. [〇〇68]在本实施方式中,所述服务器20还包括第四服务器发送模块;所述操作终端30还包括第四操作终端发送模块;所述CA中心10的预装载模块11具体包括第一CA中心发送模块、第二CA中心发送模块;[〇〇69] 第四服务器发送模块用于调用加密机产生服务器公钥ServerWCRT_pu和服务器私钥ServerWCRT_prk,将服务器公钥ServerWCRT_pu发给CA中心; [〇〇68] In the present embodiment, the server 20 further includes a fourth module sending a server; the operation terminal 30 further comprises a fourth operator terminal transmitting module; the CA module 10 is pre-loaded center 11 comprises CA center sends a first module, the second module transmits the CA center; [〇〇69] fourth means for recalling an encryption server transmits the locally generated server private key and server public ServerWCRT_pu ServerWCRT_prk, the server's public key issued ServerWCRT_pu CA center;

[0070]第四操作终端发送模块用于产生操作终端公钥OptmWCRT_pu和操作终端私钥OptmWCRT_prk,将操作终端公钥OptmWCRT_pu发给CA中心;[〇〇71]第一CA中心发送模块用于使用根证书AuthRCRT对应私钥,对第四服务器发送模块发送的服务器公钥ServerWCRT_pu签名,生成服务器工作证书ServerWCRT,并将根证书AuthRCRT和服务器工作证书ServerWCRT发送给服务器;[〇〇72]第二CA中心发送模块使用根证书AuthRCRT对应私钥,对第四操作终端发送模块发送的操作终端公钥〇P tmWCRT_pu签名,生成操作终端工作证书Op tmWCRT,并将操作终端工作证书Op tmWCRT和根证书AuthRCRT发给操作终端; [0070] The fourth operating terminal transmits operating terminal means for generating a public key and operator terminal OptmWCRT_pu private OptmWCRT_prk, the operation of the terminal public key issued to the CA center OptmWCRT_pu; [〇〇71] CA center transmitting a first module for the root AuthRCRT certificate corresponding to the private key, the server sends the server module sends a fourth public key ServerWCRT_pu signature generating server certificate ServerWCRT work, and the work of the root certificate and the server certificate ServerWCRT AuthRCRT to the server; [〇〇72] CA center sends a second AuthRCRT root certificate module uses the corresponding private key, a fourth operation terminal operating terminal sending module 〇P tmWCRT_pu signature public key, the certificate generation operation Op tmWCRT terminal work, and the work terminal operation Op tmWCRT certificate and root certificate issued operation AuthRCRT terminal;

[0073] 在本实施方式中,所述操作终端还包括第四操作终端发送模块;第四操作终端发送模块用于当验证模块验证操作终端与服务器的双向认证合法时,操作终端将采集的P0S 终端产生的传输密钥TK发送给服务器。 [0073] In the present embodiment, the operation terminal further comprises a fourth module sending operation terminal; and a fourth module for transmitting the operation terminal when the authentication module verifies the operation of the terminal and the server mutual authentication method, the collected operation terminal P0S the terminal generates transmission key TK is sent to the server.

[0074] 本发明有益效果:本发明服务器与操作终端双向认证的方法及系统中,服务器调用加密机生成服务器公私钥对,并将服务器公钥发给CA中心,CA中心使用根证书AuthRCRT 对应私钥对服务器公钥签名生成服务器工作证书ServerWCRTAA中心将工作证书ServerWCRT和根证书AuthRCRT发给服务器,存储在数据库中。 [0074] Advantageous Effects of Invention: The present invention is a method and system for mutual authentication operation of the terminal server, the server calls the public encryption key pair generation server machine, the server and the public key to the CA center, the center of the root CA certificate corresponding to the private AuthRCRT server public key for signature generation server certificate ServerWCRTAA work center will work ServerWCRT certificate and root certificate AuthRCRT to the server, stored in the database. 操作终端在安全环境下,生成公私钥对,将公钥发给CA中心,CA中心使用根证书AuthRCRT对应私钥对操作终端公钥签名生成工作证书OptmWCRT,OptmWCRT和AuthRCRT发给操作终端存储在加密模块中。 Operating the terminal in a secure environment, to generate a public and private key, public key to the CA center, center CA root certificate using the corresponding private key AuthRCRT operator terminal public key certificate signature generation work OptmWCRT, OptmWCRT and sent to the operation terminal AuthRCRT stored in the encrypted module. 之后在远程主秘钥下载方案中,就使用之前生成好的证书和预置的根证书进行双向认证,操作终端与服务器进行双向认证,提高了系统安全性。 After downloading remote master secret key scheme, and on the use of pre-generated certificates root certificate before mutual authentication operation terminal mutual authentication with the server, to improve system security. [〇〇75] P0S终端产生TK,操作终端采集TK并将TK传输给KMS系统或MTMS系统(服务器可为KMS系统或MTMS系统),其中,通过CA中心对操作终端与KMS系统或MTMS系统的身份进行认证。 [〇〇75] P0S terminal generates TK, TK and TK acquisition operation of the terminal to a transmission system or MTMS KMS system (KMS system may be a server system or MTMS), wherein the center of the CA system or the operator terminal and the KMS system MTMS identity authentication. 通过CA中心对操作终端和KMS系统身份进行认证,确保操作终端将TK传输给合法的KMS 系统,以及确保KMS系统从合法的操作终端得到上传的TK,防止伪操作终端上传假TK,以及防止伪KMS系统截取TK,提高TK上传和TMK下载安全。 By CA center of the terminal and the KMS system authentication, ensure that the operator terminal TK transmitted to the legitimate KMS system and to ensure KMS system has been uploaded from the legitimate operation of the terminal TK, to prevent spurious operation of the terminal to upload a false TK, and to prevent pseudo KMS system intercepts TK, TK improve upload and download TMK security.

[0076]以上所述仅为本发明的实施例,并非因此限制本发明的专利范围,凡是利用本发明说明书及附图内容所作的等效结构或等效流程变换,或直接或间接运用在其他相关的技术领域,均同理包括在本发明的专利保护范围内。 [0076] The embodiments described above are only embodiments of the present invention, not intended to limit the scope of the present invention, all utilize the present specification and drawings taken equivalent structures or equivalent process, or other direct or indirect application Related technical fields shall fall within the scope of protection of the present invention.

Claims (6)

1.一种服务器与操作终端双向认证的方法,其特征在于,包括步骤:51、 CA中心预装载服务器工作证书ServerWCRT和根证书AuthRCRT至服务器,以及预装载操作终端工作证书OptmWCRT和根证书AuthRCRT至操作终端,其中,操作终端工作证书OptmWCRT由根证书AuthRCRT对应私钥对操作终端公钥OptmWCRT_pu签名生成,服务器工作证书ServerWCRT由根证书AuthRCRT对应私钥对服务器公钥ServerWCRT_pu签名生成;52、 服务器将服务器工作证书ServerWCRT发送给操作终端;53、 操作终端使用根证书AuthRCRT验证服务器工作证书SeverWCRT合法性,当验证合法时,生成第一随机数ATI并发送至服务器;54、 服务器使用服务器工作证书ServerWCRT对应私钥ServerWCRT_prk对第一随机数ATI签名生成第一签名数Signl并发送给操作终端;55、 操作终端使用服务器工作证书ServerWCRT提取服务器公钥ServerWCRT_pu验证第一签名数Signl合法 CLAIMS 1. A method of operating a terminal server and mutual authentication, characterized by comprising the step of: 51, CA preload central server certificate ServerWCRT work and AuthRCRT root certificate to the server, and a pre-load operation and operation of the terminal certificate root certificate OptmWCRT AuthRCRT to operation terminal, the operation terminal corresponding to a work certificate OptmWCRT AuthRCRT root certificate public key private key pair OptmWCRT_pu signature generation operation terminal, the server certificate ServerWCRT work by the private key corresponding to the root certificate AuthRCRT ServerWCRT_pu public key signature generation server; 52, server the transmission work server certificate to the operating terminal ServerWCRT; 53, using the operation terminal AuthRCRT root certificate validation server certificate SeverWCRT legality, when the authentication method, generating a first random number and send to the server ATI; 54, the server certificate using the server work ServerWCRT ServerWCRT_prk the corresponding private key of the signature first random number generation ATI Signl first signature number and sends the operation terminal; 55, working operation terminal certificate using the server public key ServerWCRT_pu ServerWCRT extraction server verifying the first signature number Signl legitimate 性,当验证合法时,发送操作终端工作证书OptmWCRT至服务器;56、 服务器使用根证书AuthRCRT验证操作终端工作证书OptmWCRT合法性,当验证合法时,生成第二随机数AT2并发送至操作终端;57、 操作终端使用操作终端工作证书OptmWCRT对应私钥Op tmWCRT_prk对第二随机数AT2签名生成第二签名数Sign2并发送给服务器;58、 服务器使用操作终端工作证书OptmWCRT提取公钥OptmWCRT_pu验证第二签名数Sign2合法性,当验证合法时,完成操作终端与服务器的双向认证。 Of, when the authentication method, the terminal transmitting operation to work the server certificate OptmWCRT; 56, the server uses the root certificate verification operation terminal operating AuthRCRT OptmWCRT legitimacy certificate, when the authentication method, and generates a second random number transmitted to the operation terminal AT2; 57 , terminal operation using the operation terminal operating certificate OptmWCRT Op tmWCRT_prk the corresponding private key of the signature second random number to generate a second signature number AT2 Sign2 sends to the server; 58, working operation terminal server using a public key certificate OptmWCRT extracts the second signature verification number OptmWCRT_pu Sign2 legitimacy when validating legitimate, complete with two-way authentication operation of the terminal server.
2.根据权利要求1所述的一种服务器与操作终端双向认证的方法,其特征在于,所述“CA中心预装载服务器工作证书ServerWCRT和根证书AuthRCRT至服务器,以及预装载操作终端工作证书OptmWCRT和根证书AuthRCRT至操作终端”具体包括步骤:服务器调用加密机产生服务器公钥SerVerWCRT_pu和服务器私钥SerVerWCRT_prk,将服务器公钥ServerWCRT_pu发给CA中心;操作终端产生操作终端公钥〇ptmWCRT_pu和操作终端私钥OptmWCRT_prk,将操作终端公钥OptmWCRT_pu发给CA中心;CA中心使用根证书AuthRCRT对应私钥,对服务器公钥ServerWCRT_pu签名,生成服务器工作证书ServerWCRT,并将根证书AuthRCRT和服务器工作证书ServerWCRT发送给服务器;CA中心使用根证书AuthRCRT对应私钥,对操作终端公钥OptmWCRT_pu签名,生成操作终端工作证书OptmWCRT,并将操作终端工作证书OptmWCRT和根证书AuthRCRT发给操作终端。 The operation of the terminal A server mutual authentication method according to claim 1, wherein the "CA certificate work center server preload ServerWCRT AuthRCRT root certificate to the server and, and a pre-loading operation of the terminal work OptmWCRT certificate and a root certificate to the operator terminal AuthRCRT "specifically includes the steps of: generating a server call encryptor server private key and server public SerVerWCRT_pu SerVerWCRT_prk, the central server's public key ServerWCRT_pu issued CA; operator terminal generates a public key operation terminal and operation 〇ptmWCRT_pu private terminal OptmWCRT_prk, the operation of the terminal issued the public key OptmWCRT_pu CA center; AuthRCRT CA root certificate center using the corresponding private key, the public key of the server ServerWCRT_pu signature generating server certificate ServerWCRT work, and the work of the root certificate and the server certificate AuthRCRT transmission ServerWCRT to the server; root certificate using the CA center AuthRCRT corresponding private, public OptmWCRT_pu signature operator terminal, the operator terminal generates a certificate OptmWCRT work, and the work terminal operation OptmWCRT certificate and the root certificate issued AuthRCRT operation terminal.
3.根据权利要求2所述的一种服务器与操作终端双向认证的方法,其特征在于,所述步骤S8后还包括步骤:操作终端与服务器完成双向认证后,操作终端将采集的P0S终端产生的传输密钥TK发送给服务器。 A server according to the operation terminal mutual authentication method according to claim 2, wherein said step further comprises the step of S8: After the completion of the operation terminal mutual authentication with the server, the terminal operator terminal generates the collected P0S the transmission key TK is sent to the server.
4.一种服务器与操作终端双向认证的系统,其特征在于,包括CA中心、与CA中心通信连接的服务器、以及与服务器通信连接的操作终端,所述CA中心包括预装载模块;所述服务器包括第一服务器发送模块、第二服务器发送模块、第三服务器发送模块、验证模块;所述操作终端包括第一操作终端发送模块、第二操作终端发送模块、第三操作终端发送模块;预装载模块用于预装载服务器工作证书ServerWCRT和根证书AuthRCRT至服务器,以及预装载操作终端工作证书OptmWCRT和根证书AuthRCRT至操作终端,其中,操作终端工作证书OptmWCRT由根证书AuthRCRT对应私钥对操作终端公钥OptmWCRT_pu签名生成,服务器工作证书ServerWCRT由根证书AuthRCRT对应私钥对服务器公钥ServerWCRT_pu签名生成;第一服务器发送模块用于将预装载模块预装载的服务器工作证书ServerWCRT发送给操作终端;第一操作 A terminal server and mutual authentication operation system comprising CA center, the server is connected in communication with the CA center, and an operation terminal is connected in communication with the server, the CA center comprises a pre-loading module; the sending a first server comprises a server module, the server sends a second module, the third module transmitting server, the verification module; the operating terminal includes a first operation terminal transmitting module, a second module sending operation terminal, the third terminal transmits the operation module; pre pre-loading means for loading work server certificate and root certificate AuthRCRT ServerWCRT to the server, and a pre-load operation and operation of the terminal certificate OptmWCRT AuthRCRT root certificate to the operator terminal, wherein the operation terminal corresponding to the work OptmWCRT certificate private key of the root certificate AuthRCRT OptmWCRT_pu operator terminal public key signature generation server certificate ServerWCRT work by the private key corresponding to the root certificate AuthRCRT ServerWCRT_pu public key signature generation server; server sends a first module for pre-loading module preloaded server to a work certificate ServerWCRT operation terminal; a first operating 终端发送模块用于将预装载模块预装载的服务器根证书AuthRCRT验证第一服务器发送模块发送给操作终端的服务器工作证书SeverWCRT合法性,当验证合法时,生成第一随机数ATI并发送至服务器;第二服务器发送模块用于使用预装载模块预装载的服务器工作证书ServerWCRT对应私钥SerVerWCRT_prk对第一操作终端发送模块发送给服务器的第一随机数ATI签名生成第一签名数Signl并发送给操作终端;第二操作终端发送模块用于使用第一服务器发送模块发送的服务器工作证书ServerWCRT提取服务器公钥ServerWCRT_pu验证第二服务器发送模块发送给操作终端的第一签名数Signl合法性,当验证合法时,发送操作终端工作证书OptmWCRT至服务器;第三服务器发送模块用于使用预装载模块预装载的根证书AuthRCRT验证第二操作终端发送模块发送给服务器的操作终端工作证书OptmWCRT合法性,当验 Terminal transmitting means for pre-loading module preloaded root certificate AuthRCRT authentication server transmits a first server module sends the certificate to the working SeverWCRT legitimacy of the operation terminal server, when the authentication method, and generates a first random number transmitted to the ATI server; a second work certificate server sending module is configured to use pre-loaded pre-load module corresponding private SerVerWCRT_prk ServerWCRT transmitting module a first random number sent to the server for operating a first terminal a first signature number of signature generation ATI and Signl transmitted to the operation terminal; a second operating means for transmitting the server terminal using a first work certificate server sending module extracts the server's public ServerWCRT_pu ServerWCRT verify the legitimacy of the first signature number Signl server sending module sends to the second terminal of the operation, when legitimate authentication, the terminal transmitting operation to work the server certificate OptmWCRT; root certificate transmission means for the third server using a pre-loading module preloaded AuthRCRT second verification operation terminal sending module sends to the operator's operation of the terminal certificate server legitimacy OptmWCRT when test 合法时,生成第二随机数AT2并发送至操作终端;第三操作终端发送模块用于使用预装载模块预装载的操作终端工作证书OptmWCRT对应私钥OptmWCRT_prk对第三服务器发送模块发送给操作终端的第二随机数AT2签名生成第二签名数Sign2并发送给服务器;验证模块用于使用第二操作终端发送模块发送给服务器的操作终端工作证书OptmWCRT提取公钥OptmWCRT_pu验证第三操作终端发送模块发送给服务器的第二签名数Sign2合法性,当验证合法时,完成操作终端与服务器的双向认证。 Legitimate, and generating a second random number transmitted to the operation terminal AT2; third operating terminal transmits operating terminal OptmWCRT work certificate loader module means for using a pre-operation of the private key corresponding to the preloaded OptmWCRT_prk to a third server sending module terminal AT2 signature second random number generating a second signature number Sign2 sends to the server; authentication means for transmitting terminal operation using the second module transmits to the terminal operator's work server certificate OptmWCRT OptmWCRT_pu extract the public key to verify the operation terminal third sending module the second signature number Sign2 legitimacy sent to the server when verifying legitimate, complete with two-way authentication operation of the terminal server.
5.根据权利要求4所述的服务器与操作终端双向认证的系统,其特征在于,所述服务器还包括第四服务器发送模块;所述操作终端还包括第四操作终端发送模块;所述CA中心的预装载模块具体包括第一CA中心发送模块、第二CA中心发送模块;第四服务器发送模块用于调用加密机产生服务器公钥ServerWCRT_pu和服务器私钥ServerWCRT_prk,将服务器公钥ServerWCRT_pu 发给CA中心;第四操作终端发送模块用于产生操作终端公钥〇ptmWCRT_pu和操作终端私钥OptmWCRT_prk,将操作终端公钥OptmWCRT_pu发给CA中心;第一CA中心发送模块用于使用根证书AuthRCRT对应私钥,对第四服务器发送模块发送的服务器公钥ServerWCRT_pu签名,生成服务器工作证书ServerWCRT,并将根证书AuthRCRT 和服务器工作证书ServerWCRT发送给服务器;第二CA中心发送模块使用根证书AuthRCRT对应私钥,对第四操作终端发送模块发送 The terminal server and the mutual authentication operation system according to claim 4, wherein said server further comprises a fourth module sending a server; the operation terminal further comprises a fourth operator terminal transmitting module; the CA center pre-loading module specifically includes a first sending module CA center, the second center sends CA module; and a fourth means for recalling an encryption server transmits the locally generated server private key and server public ServerWCRT_pu ServerWCRT_prk, sent to the CA server's public key ServerWCRT_pu center; fourth operation means for generating operation terminal transmits the terminal operation terminal and a private key public key 〇ptmWCRT_pu OptmWCRT_prk, the operation of the terminal public key issued to the CA center OptmWCRT_pu; means for transmitting a first center CA root certificate using the corresponding private key AuthRCRT the server module sends the server sends a fourth public key ServerWCRT_pu signature generating server certificate ServerWCRT work, and the work of the root certificate and the server certificate ServerWCRT AuthRCRT to the server; and a second sending module center CA root certificate corresponding to the private key AuthRCRT of The fourth sending module sends the operation terminal 的操作终端公钥OptmWCRT_pu签名,生成操作终端工作证书OptmWCRT,并将操作终端工作证书OptmWCRT和根证书AuthRCRT发给操作终端。 OptmWCRT_pu public key signature operation terminal, an operation terminal certificate OptmWCRT work, and the work terminal operation OptmWCRT certificate and the root certificate issued AuthRCRT operation terminal.
6.根据权利要求5所述的服务器与操作终端双向认证的系统,其特征在于,所述所述操作终端还包括第四操作终端发送模块;第四操作终端发送模块用于当验证模块验证操作终端与服务器的双向认证合法时,操作终端将采集的P0S终端产生的传输密钥TK发送给服务器。 The terminal server and the mutual authentication operation system according to claim 5, wherein the operation further comprises a fourth terminal module transmits the operation terminal; a fourth module for transmitting the operation terminal when the authentication module verifies the operation when the mutual authentication terminal and a server method, the collected operation terminal P0S transmission key TK generated by the terminal to the server.
CN201310740244.9A 2013-03-15 2013-12-27 A server operation of the terminal mutual authentication method and system CN103701609B (en)

Priority Applications (9)

Application Number Priority Date Filing Date Title
CN2013100843972A CN103237004A (en) 2013-03-15 2013-03-15 Key download method, key management method, method, device and system for download management
CN2013100846735A CN103220271A (en) 2013-03-15 2013-03-15 Downloading method, management method, downloading management method, downloading management device and downloading management system for secret key
CN201310084653.8 2013-03-15
CN2013100846716A CN103220270A (en) 2013-03-15 2013-03-15 Downloading method, management method, downloading management method, downloading management device and downloading management system for secret key
CN201310084671.6 2013-03-15
CN201310084397.2 2013-03-15
CN2013100846538A CN103237005A (en) 2013-03-15 2013-03-15 Method and system for key management
CN201310084673.5 2013-03-15
CN201310740244.9A CN103701609B (en) 2013-03-15 2013-12-27 A server operation of the terminal mutual authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310740244.9A CN103701609B (en) 2013-03-15 2013-12-27 A server operation of the terminal mutual authentication method and system

Publications (2)

Publication Number Publication Date
CN103701609A CN103701609A (en) 2014-04-02
CN103701609B true CN103701609B (en) 2016-09-28

Family

ID=50363015

Family Applications (28)

Application Number Title Priority Date Filing Date
CN201310740231.1A CN103714635B (en) 2013-03-15 2013-12-27 One kind pos terminal and the terminal master key download mode to configure
CN201310740410.5A CN103729942B (en) 2013-03-15 2013-12-27 The transmission key transmitted from the key server to the terminal server system and a method
CN201310740158.8A CN103716320B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740308.5A CN103729941B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740642.0A CN103731259B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740226.0A CN103714634B (en) 2013-03-15 2013-12-27 A secure method of downloading the master key and terminal system
CN201310740360.0A CN103714636B (en) 2013-03-15 2013-12-27 In batch and collect and upload data transmission method and a key operation tk terminal
CN201310741948.8A CN103714639B (en) 2013-03-15 2013-12-27 A method to achieve the safe operation of the pos terminal and system
CN201310740540.9A CN103716154B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310742686.7A CN103745351B (en) 2013-03-15 2013-12-27 A transmission key acquisition method and system tk
CN201310740574.8A CN103729945B (en) 2013-03-15 2013-12-27 A secure method of downloading the master key and terminal system
CN201310742886.2A CN103716321B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310742661.7A CN103716167B (en) 2013-03-15 2013-12-27 A safe collection and distribution method and apparatus for transmission key
CN201310742648.1A CN103716155B (en) 2013-03-15 2013-12-27 An automated method for the maintenance and operation of the terminal pos terminal
CN201310740430.2A CN103729943B (en) 2013-03-15 2013-12-27 A method of transmitting the system key and the system introduced kms
CN201310741949.2A CN103731260B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740537.7A CN103746800B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740380.8A CN103714637B (en) 2013-03-15 2013-12-27 A transmission system and a transmission method key, the operation terminal
CN201310742681.4A CN103714640B (en) 2013-03-15 2013-12-27 Transmission method and system for transmitting key
CN201310742991.6A CN103714641B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740100.3A CN103714633B (en) 2013-03-15 2013-12-27 A method for generating a security key and a transmission terminal pos
CN201310740285.8A CN103729940B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740644.XA CN103714638B (en) 2013-03-15 2013-12-27 A rapid method for locating a terminal and a master key system failed downloads
CN201310740244.9A CN103701609B (en) 2013-03-15 2013-12-27 A server operation of the terminal mutual authentication method and system
CN201310740567.8A CN103729944B (en) 2013-03-15 2013-12-27 A secure method of downloading the master key and terminal system
CN201310740264.6A CN103701812B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310742713.0A CN103701610B (en) 2013-03-15 2013-12-27 A transmission key acquisition method and system tk
CN201310740188.9A CN103716153B (en) 2013-03-15 2013-12-27 Terminal master key method and system for secure download tmk

Family Applications Before (23)

Application Number Title Priority Date Filing Date
CN201310740231.1A CN103714635B (en) 2013-03-15 2013-12-27 One kind pos terminal and the terminal master key download mode to configure
CN201310740410.5A CN103729942B (en) 2013-03-15 2013-12-27 The transmission key transmitted from the key server to the terminal server system and a method
CN201310740158.8A CN103716320B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740308.5A CN103729941B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740642.0A CN103731259B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740226.0A CN103714634B (en) 2013-03-15 2013-12-27 A secure method of downloading the master key and terminal system
CN201310740360.0A CN103714636B (en) 2013-03-15 2013-12-27 In batch and collect and upload data transmission method and a key operation tk terminal
CN201310741948.8A CN103714639B (en) 2013-03-15 2013-12-27 A method to achieve the safe operation of the pos terminal and system
CN201310740540.9A CN103716154B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310742686.7A CN103745351B (en) 2013-03-15 2013-12-27 A transmission key acquisition method and system tk
CN201310740574.8A CN103729945B (en) 2013-03-15 2013-12-27 A secure method of downloading the master key and terminal system
CN201310742886.2A CN103716321B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310742661.7A CN103716167B (en) 2013-03-15 2013-12-27 A safe collection and distribution method and apparatus for transmission key
CN201310742648.1A CN103716155B (en) 2013-03-15 2013-12-27 An automated method for the maintenance and operation of the terminal pos terminal
CN201310740430.2A CN103729943B (en) 2013-03-15 2013-12-27 A method of transmitting the system key and the system introduced kms
CN201310741949.2A CN103731260B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740537.7A CN103746800B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740380.8A CN103714637B (en) 2013-03-15 2013-12-27 A transmission system and a transmission method key, the operation terminal
CN201310742681.4A CN103714640B (en) 2013-03-15 2013-12-27 Transmission method and system for transmitting key
CN201310742991.6A CN103714641B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740100.3A CN103714633B (en) 2013-03-15 2013-12-27 A method for generating a security key and a transmission terminal pos
CN201310740285.8A CN103729940B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310740644.XA CN103714638B (en) 2013-03-15 2013-12-27 A rapid method for locating a terminal and a master key system failed downloads

Family Applications After (4)

Application Number Title Priority Date Filing Date
CN201310740567.8A CN103729944B (en) 2013-03-15 2013-12-27 A secure method of downloading the master key and terminal system
CN201310740264.6A CN103701812B (en) 2013-03-15 2013-12-27 A terminal master key method and system for secure download tmk
CN201310742713.0A CN103701610B (en) 2013-03-15 2013-12-27 A transmission key acquisition method and system tk
CN201310740188.9A CN103716153B (en) 2013-03-15 2013-12-27 Terminal master key method and system for secure download tmk

Country Status (2)

Country Link
CN (28) CN103714635B (en)
WO (5) WO2014139403A1 (en)

Families Citing this family (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103714635B (en) * 2013-03-15 2015-11-11 福建联迪商用设备有限公司 One kind pos terminal and the terminal master key download mode to configure
CN105281896B (en) * 2014-07-17 2018-11-27 深圳华智融科技股份有限公司 A SECRET KEY pos machine activation method and system based on elliptic curve algorithm
CN104270346B (en) * 2014-09-12 2017-10-13 北京天行网安信息技术有限责任公司 Bidirectional authentication method, apparatus and system for
CN104363090A (en) * 2014-11-19 2015-02-18 成都卫士通信息产业股份有限公司 Secret key distribution device and method for enhancing safety of banking terminal equipment
CN105681263B (en) * 2014-11-20 2019-02-12 广东华大互联网股份有限公司 A kind of secrete key of smart card remote application method and application system
CN104410641B (en) * 2014-12-10 2017-12-08 福建联迪商用设备有限公司 One kind of a secure, controlled network terminal pos activation method and device
CN104486323B (en) * 2014-12-10 2017-10-31 福建联迪商用设备有限公司 One kind of a secure, controlled network terminal pos activation method and device
US9485250B2 (en) * 2015-01-30 2016-11-01 Ncr Corporation Authority trusted secure system component
CN105117665B (en) * 2015-07-16 2017-10-31 福建联迪商用设备有限公司 A method of end product development mode and the switching mode of the security system and
CN105260884A (en) * 2015-11-18 2016-01-20 北京微智全景信息技术有限公司 POS machine key distributing method and device
CN105530241B (en) * 2015-12-07 2018-12-28 咪付(广西)网络技术有限公司 The authentication method of mobile intelligent terminal and POS terminal
CN105574722A (en) * 2015-12-11 2016-05-11 福建新大陆支付技术有限公司 Authorization IC card based remote online authorization method for payment terminal
CN105930718A (en) * 2015-12-29 2016-09-07 中国银联股份有限公司 Method and apparatus for switching point-of-sale (POS) terminal modes
CN105656669B (en) * 2015-12-31 2019-01-01 福建联迪商用设备有限公司 The remote repairing method of electronic equipment, is repaired equipment and system at equipment
CN105681032B (en) * 2016-01-08 2017-09-12 腾讯科技(深圳)有限公司 Key storage methods, key management method and apparatus
CN105743654A (en) * 2016-02-02 2016-07-06 上海动联信息技术股份有限公司 POS machine secret key remote downloading service system and secret key downloading method
CN105790934B (en) * 2016-03-04 2019-03-15 中国银联股份有限公司 A kind of adaptive POS terminal configuration method configures power assignment method with it
CN105978856B (en) * 2016-04-18 2019-01-25 随行付支付有限公司 A kind of POS machine key downloading method, apparatus and system
CN106059771A (en) * 2016-05-06 2016-10-26 上海动联信息技术股份有限公司 Intelligent POS machine secret key management system and method
CN106097608B (en) * 2016-06-06 2018-07-27 福建联迪商用设备有限公司 Downloading method and system for remote key, acquirers and the target terminal pos
CN106127461A (en) * 2016-06-16 2016-11-16 中国银联股份有限公司 Bidirectional verification mobile payment method and system
CN106027247A (en) * 2016-07-29 2016-10-12 宁夏丝路通网络支付有限公司北京分公司 Method for remotely issuing POS key
CN106100854A (en) * 2016-08-16 2016-11-09 黄朝 Reverse authentication method and system of terminal equipment based on authority body
CN106571915A (en) * 2016-11-15 2017-04-19 中国银联股份有限公司 Terminal master key setting method and apparatus
CN106603496B (en) * 2016-11-18 2019-05-21 新智数字科技有限公司 A kind of guard method, smart card, server and the communication system of data transmission
CN106656488A (en) * 2016-12-07 2017-05-10 百富计算机技术(深圳)有限公司 Key downloading method and device of POS terminal
CN106712939A (en) * 2016-12-27 2017-05-24 百富计算机技术(深圳)有限公司 Offline key transmission method and device
CN106953731A (en) * 2017-02-17 2017-07-14 福建魔方电子科技有限公司 Terminal administrator authentication method and system
US10296477B2 (en) 2017-03-30 2019-05-21 United States of America as represented by the Secretary of the AirForce Data bus logger
CN107104795A (en) * 2017-04-25 2017-08-29 上海汇尔通信息技术有限公司 Injection method of RSA secret key pair and certificate, framework and system thereof
CN107301437A (en) * 2017-05-31 2017-10-27 江苏普世祥光电技术有限公司 Control system for square landscape lamp
CN107360652A (en) * 2017-05-31 2017-11-17 江苏普世祥光电技术有限公司 Square landscape lamp control method
CN107392591A (en) * 2017-08-31 2017-11-24 恒宝股份有限公司 On-line charging method and system of industry card and Bluetooth reading and writing device
WO2019080095A1 (en) * 2017-10-27 2019-05-02 福建联迪商用设备有限公司 Financial payment terminal activation method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101807994A (en) * 2009-12-18 2010-08-18 北京握奇数据系统有限公司 Method and system for application data transmission of IC card
CN101930644A (en) * 2009-06-25 2010-12-29 中国银联股份有限公司 Method for safely downloading master key automatically in bank card payment system and system thereof
CN102768744A (en) * 2012-05-11 2012-11-07 福建联迪商用设备有限公司 Remote safe payment method and system

Family Cites Families (63)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH033276B2 (en) * 1981-03-24 1991-01-18 Sharp Kk
JP2993833B2 (en) * 1993-11-29 1999-12-27 富士通株式会社 Pos system
JPH10112883A (en) * 1996-10-07 1998-04-28 Hitachi Ltd Radio communication exchange system, exchange, public key management device, mobile terminal and mobile terminal recognizing method
DK1163200T3 (en) * 1999-03-22 2004-11-01 Purac Biochem Bv Method of industrial-scale purification of lactic acid
CN1127033C (en) * 2000-07-20 2003-11-05 天津南开戈德集团有限公司 Radio mobile network sale point terminal system
US7110986B1 (en) * 2001-04-23 2006-09-19 Diebold, Incorporated Automated banking machine system and method
KR100641824B1 (en) * 2001-04-25 2006-11-06 주식회사 하렉스인포텍 A payment information input method and mobile commerce system using symmetric cipher system
JP2002366285A (en) * 2001-06-05 2002-12-20 Matsushita Electric Ind Co Ltd Pos terminal
GB2384402B (en) * 2002-01-17 2004-12-22 Toshiba Res Europ Ltd Data transmission links
JP2003217028A (en) * 2002-01-24 2003-07-31 Tonfuu:Kk Operation situation monitoring system for pos terminal device
US7395427B2 (en) * 2003-01-10 2008-07-01 Walker Jesse R Authenticated key exchange based on pairwise master key
JP2005117511A (en) * 2003-10-10 2005-04-28 Nec Corp Quantum cipher communication system and quantum cipher key distributing method used therefor
KR101282972B1 (en) * 2004-03-22 2013-07-08 삼성전자주식회사 Authentication between a device and a portable storage
US20060093149A1 (en) * 2004-10-30 2006-05-04 Shera International Ltd. Certified deployment of applications on terminals
DE102005022019A1 (en) * 2005-05-12 2007-02-01 Giesecke & Devrient Gmbh Secure processing of data
KR100652125B1 (en) * 2005-06-03 2006-11-23 삼성전자주식회사 Mutual authentication method for managing and authenticating between service provider, terminal and user identify module at one time and terminal, and the system thereof
CN100583743C (en) * 2005-07-22 2010-01-20 华为技术有限公司 Distributing method for transmission key
BRPI0708201A2 (en) * 2006-02-22 2012-01-17 Hypercom Corp method for processing transactions electronically
JP2007241351A (en) * 2006-03-06 2007-09-20 Cela System:Kk Customer/commodity integrated management system by customer/commodity/purchase management system (including pos) and mobile terminal
EP1833009B1 (en) * 2006-03-09 2019-05-08 First Data Corporation Secure transaction computer network
US7818264B2 (en) * 2006-06-19 2010-10-19 Visa U.S.A. Inc. Track data encryption
CN101064695A (en) * 2007-05-16 2007-10-31 杭州看吧科技有限公司 P2P(Peer to Peer) safe connection method
CN101145913B (en) * 2007-10-25 2010-06-16 东软集团股份有限公司 A method and system for network security communication
WO2009070041A2 (en) * 2007-11-30 2009-06-04 Electronic Transaction Services Limited Payment system and method of operation
CN101541002A (en) * 2008-03-21 2009-09-23 展讯通信(上海)有限公司 Web server-based method for downloading software license of mobile terminal
CN101615322B (en) * 2008-06-25 2012-09-05 上海富友金融网络技术有限公司 Mobile terminal payment method and mobile terminal payment system for realizing magnetic payment function
JP4666240B2 (en) * 2008-07-14 2011-04-06 ソニー株式会社 The information processing apparatus, information processing method, program, and information processing system,
CN101686225A (en) * 2008-09-28 2010-03-31 中国银联股份有限公司 Methods of data encryption and key generation for on-line payment
KR20100052668A (en) * 2008-11-11 2010-05-20 노틸러스효성 주식회사 Method for on-line sharing of tmk(terminal master key) between atm and host
JP5329184B2 (en) * 2008-11-12 2013-10-30 株式会社日立製作所 Of the public key certificate verification method and verification server
CN101425208B (en) * 2008-12-05 2010-11-10 浪潮齐鲁软件产业有限公司 Method for safely downloading cipher key of finance tax-controlling cashing machine
CN101527714B (en) * 2008-12-31 2012-09-05 飞天诚信科技股份有限公司 Method, device and system for accreditation
CN101719895A (en) * 2009-06-26 2010-06-02 中兴通讯股份有限公司 Data processing method and system for realizing secure communication of network
CN101593389B (en) * 2009-07-01 2012-04-18 中国建设银行股份有限公司 Key management method and key management system for POS terminal
CN101631305B (en) * 2009-07-28 2011-12-07 交通银行股份有限公司 An encryption method and system
CN101656007B (en) * 2009-08-14 2011-02-16 通联支付网络服务股份有限公司 Safe system realizing one machine with multiple ciphers on POS machine and method thereof
CN102064939B (en) * 2009-11-13 2013-06-12 福建联迪商用设备有限公司 Method for authenticating point of sail (POS) file and method for maintaining authentication certificate
CN101710436B (en) * 2009-12-01 2011-12-14 中国建设银行股份有限公司 Pos method of controlling a terminal, a system and a terminal management apparatus pos
CN102148799B (en) * 2010-02-05 2014-10-22 中国银联股份有限公司 Method and system for key download
CN201656997U (en) * 2010-04-28 2010-11-24 中国工商银行股份有限公司 Device for generating transmission key
CN101807997B (en) * 2010-04-28 2012-08-22 中国工商银行股份有限公司 Device and method for generating transmission key
CN102262760A (en) * 2010-05-28 2011-11-30 杨筑平 Trade secret method, reception device and submission software
EP2604017B1 (en) * 2010-08-10 2017-10-04 Google Technology Holdings LLC System and method for cognizant transport layer security
CN101938520B (en) * 2010-09-07 2015-01-28 中兴通讯股份有限公司 Mobile terminal signature-based remote payment system and method
CN101976403A (en) * 2010-10-29 2011-02-16 北京拉卡拉网络技术有限公司 Phone number payment platform, payment trading system and method thereof
CN102013982B (en) * 2010-12-01 2012-07-25 银联商务有限公司 Long-distance encryption method, management method, as well as encryption management method, device and system
CN102903189A (en) * 2011-07-25 2013-01-30 上海昂贝电子科技有限公司 Terminal transaction method and device
CN102394749B (en) * 2011-09-26 2014-03-05 深圳市文鼎创数据科技有限公司 Line protection method, system, information safety equipment and application equipment for data transmission
CN102521935B (en) * 2011-12-15 2013-12-11 福建联迪商用设备有限公司 Method and apparatus for state detection of POS machine
CN102592369A (en) * 2012-01-14 2012-07-18 福建联迪商用设备有限公司 Method for self-service terminal access to financial transaction center
CN102624710B (en) * 2012-02-27 2015-03-11 福建联迪商用设备有限公司 Sensitive information transmission method and sensitive information transmission system
CN102624711B (en) * 2012-02-27 2015-06-03 福建联迪商用设备有限公司 Sensitive information transmission method and sensitive information transmission system
CN102647274B (en) * 2012-04-12 2014-10-08 福建联迪商用设备有限公司 Pos terminal, terminal access preamble, the master key management system and method
CN102707972B (en) * 2012-05-02 2016-03-09 银联商务有限公司 One kind pos terminal program updating method and system
CN102868521B (en) * 2012-09-12 2015-03-04 成都卫士通信息产业股份有限公司 Method for enhancing secret key transmission of symmetrical secret key system
CN103116505B (en) * 2012-11-16 2016-05-25 福建联迪商用设备有限公司 A method of automatic matching downloads
CN103117855B (en) * 2012-12-19 2016-07-06 福建联迪商用设备有限公司 Methods and private key backup and recovery method for generating a digital certificate
CN103237005A (en) * 2013-03-15 2013-08-07 福建联迪商用设备有限公司 Method and system for key management
CN103220271A (en) * 2013-03-15 2013-07-24 福建联迪商用设备有限公司 Downloading method, management method, downloading management method, downloading management device and downloading management system for secret key
CN103220270A (en) * 2013-03-15 2013-07-24 福建联迪商用设备有限公司 Downloading method, management method, downloading management method, downloading management device and downloading management system for secret key
CN103714635B (en) * 2013-03-15 2015-11-11 福建联迪商用设备有限公司 One kind pos terminal and the terminal master key download mode to configure
CN103237004A (en) * 2013-03-15 2013-08-07 福建联迪商用设备有限公司 Key download method, key management method, method, device and system for download management
CN103269266B (en) * 2013-04-27 2016-07-06 北京宏基恒信科技有限责任公司 Dynamic password authentication method and system security

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101930644A (en) * 2009-06-25 2010-12-29 中国银联股份有限公司 Method for safely downloading master key automatically in bank card payment system and system thereof
CN101807994A (en) * 2009-12-18 2010-08-18 北京握奇数据系统有限公司 Method and system for application data transmission of IC card
CN102768744A (en) * 2012-05-11 2012-11-07 福建联迪商用设备有限公司 Remote safe payment method and system

Also Published As

Publication number Publication date
CN103714636A (en) 2014-04-09
CN103714637A (en) 2014-04-09
CN103714641A (en) 2014-04-09
CN103729943A (en) 2014-04-16
CN103701812B (en) 2017-01-25
CN103716154B (en) 2017-08-01
WO2014139406A1 (en) 2014-09-18
CN103731259A (en) 2014-04-16
CN103714638A (en) 2014-04-09
CN103716153A (en) 2014-04-09
WO2014139408A1 (en) 2014-09-18
CN103716155B (en) 2016-08-17
CN103714633B (en) 2016-05-04
WO2014139403A1 (en) 2014-09-18
CN103729942A (en) 2014-04-16
CN103746800B (en) 2017-05-03
CN103714634A (en) 2014-04-09
CN103729944B (en) 2015-09-30
CN103745351B (en) 2017-09-29
CN103729940A (en) 2014-04-16
CN103714637B (en) 2016-03-16
CN103716154A (en) 2014-04-09
CN103716320A (en) 2014-04-09
CN103716321A (en) 2014-04-09
CN103729945B (en) 2015-11-18
CN103701812A (en) 2014-04-02
CN103745351A (en) 2014-04-23
CN103714640B (en) 2016-02-03
CN103714634B (en) 2016-06-15
CN103731259B (en) 2017-08-01
CN103729941A (en) 2014-04-16
CN103716155A (en) 2014-04-09
WO2014139412A1 (en) 2014-09-18
CN103714638B (en) 2015-09-30
CN103714635B (en) 2015-11-11
CN103731260B (en) 2016-09-28
CN103729943B (en) 2015-12-30
CN103716320B (en) 2017-08-01
CN103716167B (en) 2017-01-11
CN103729941B (en) 2016-06-15
CN103714639A (en) 2014-04-09
CN103701610B (en) 2018-04-17
CN103729942B (en) 2016-01-13
CN103716167A (en) 2014-04-09
CN103731260A (en) 2014-04-16
CN103716321B (en) 2017-08-29
CN103729945A (en) 2014-04-16
CN103714640A (en) 2014-04-09
CN103701609A (en) 2014-04-02
CN103746800A (en) 2014-04-23
CN103714641B (en) 2016-03-30
CN103714639B (en) 2016-05-04
CN103701610A (en) 2014-04-02
CN103716153B (en) 2017-08-01
CN103729944A (en) 2014-04-16
CN103714633A (en) 2014-04-09
WO2014139411A1 (en) 2014-09-18
CN103714636B (en) 2015-12-02
CN103714635A (en) 2014-04-09
CN103729940B (en) 2016-06-15

Similar Documents

Publication Publication Date Title
US9813245B2 (en) Methods for secure cryptogram generation
US7028191B2 (en) Trusted authorization device
US9258296B2 (en) System and method for generating a strong multi factor personalized server key from a simple user password
US8943311B2 (en) System and methods for online authentication
US9083533B2 (en) System and methods for online authentication
US8689290B2 (en) System and method for securing a credential via user and server verification
EP2524471B1 (en) Anytime validation for verification tokens
US9344275B2 (en) System, device, and method of secure entry and handling of passwords
US20190005470A1 (en) Accredited certificate issuance system based on block chain and accredited certificate issuance method based on block chain using same, and accredited certificate authentication system based on block chain and accredited certificate authentication method based on block chain using same
US8132722B2 (en) System and method for binding a smartcard and a smartcard reader
US9537839B2 (en) Secure short message service (SMS) communications
US8640203B2 (en) Methods and systems for the authentication of a user
CN103716153B (en) Terminal master key method and system for secure download tmk
CN101373528B (en) Electronic payment system, device and method based on position authentication
JP2016525254A (en) Secure remote settlement transaction processing
CN105745678A (en) Secure remote payment transaction processing including consumer authentication
CN101340285A (en) Method and system for identity authentication by finger print USBkey
US8601268B2 (en) Methods for securing transactions by applying crytographic methods to assure mutual identity
CN103544599A (en) Embedded secure element for authentication, storage and transaction within a mobile terminal
US20160218875A1 (en) Methods for secure credential provisioning
US9858401B2 (en) Securing transactions against cyberattacks
CN105027153A (en) Methods, devices, and systems for secure provisioning, transmission, and authentication of payment data
CN101848090B (en) Authentication device and system and method using same for on-line identity authentication and transaction
CN101183456A (en) Encryption device, system and method for encryption, identification using the encryption device
EP2098985A2 (en) Secure financial reader architecture

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C53 Correction of patent for invention or patent application
COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: SU WENLONG TO: HONG YIXUAN SU WENLONG

C14 Grant of patent or utility model