CN103746802B - Data processing method based on negotiation key and mobile phone

Info

Publication number: CN103746802B
Authority: CN (China)
Application number: CN201410040326.7A
Other languages: Chinese (zh)
Other versions: CN103746802A (en)
Inventor: 李东声
Current Assignee: Tendyron Technology Co Ltd
Original Assignee: Tendyron Technology Co Ltd
Legal status: Active
Prior art keywords: information, mobile phone, security module, identification card, phone security

Application filed by Tendyron Technology Co Ltd
Priority to CN201410040326.7A
Publication of CN103746802A
Priority to PCT/CN2015/070554 (WO2015109958A1)
Application granted
Publication of CN103746802B

Classifications

    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04L2209/127 Trusted platform modules [TPM]
    • H04L2209/80 Wireless
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Abstract

The invention provides a data processing method based on a negotiation key, and a mobile phone. The method includes: the mobile phone security module verifies the validity of the user identification card certificate and, if it is valid, encrypts at least the first random factor and the second random factor, signs the result, and sends it to the user identification card; the user identification card verifies the validity of the mobile phone security module certificate, verifies the signature and, if it is correct, decrypts to obtain the first random factor and the second random factor; the user identification card verifies the first random factor and, if it is correct, generates a third random factor, generates the negotiation key of the user identification card end, and encrypts at least the second random factor and the third random factor and sends them to the mobile phone security module; the mobile phone security module decrypts and generates the negotiation key of the mobile phone security module end; the two then transmit information securely using the negotiation key. The mobile phone can thereby perform online banking services and/or confidential information transmission securely.

Description

Data processing method based on negotiation key and mobile phone
Technical Field
The invention relates to the technical field of information security, in particular to a data processing method based on a negotiation key and a mobile phone.
Background
The rapid development of networks has brought great convenience, and people increasingly rely on the network for activities such as network file transfer and online banking transactions, which have gradually become indispensable parts of life and work. Because the network is a virtual environment with many unsafe factors, and data-interaction activities, especially online banking and the transmission of confidential information, must be performed in that environment, high demands are placed on network security, and network information security technologies are being developed vigorously.
However, as mobile phone technology develops rapidly, mobile phone terminals are increasingly used in place of computers, yet there is no solution that lets mobile phone terminals perform online banking and/or confidential information transmission securely.
Disclosure of Invention
The invention aims to solve the problem that the mobile phone terminal cannot safely execute the online banking business and/or the confidential information transmission.
The main object of the invention is to provide a data processing method based on a negotiation key.
Another object of the invention is to provide a mobile phone.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
One aspect of the present invention provides a data processing method based on a negotiation key, including:
the user identity identification card sends first authentication information to the mobile phone security module, wherein the first authentication information at least comprises: a first random factor and a user identification card certificate;
after receiving the first authentication information, the mobile phone security module verifies the validity of the user identity identification card certificate;
if the mobile phone security module verifies that the user identification card certificate is legal, the mobile phone security module encrypts at least the first random factor and the second random factor through a public key of the user identification card carried in the user identification card certificate to obtain first ciphertext information;
the mobile phone security module signs the first ciphertext information to obtain first signature information;
the mobile phone security module sends second authentication information to the user identity identification card, wherein the second authentication information at least comprises: the first ciphertext information, the first signature information and the mobile phone security module certificate;
after receiving the second authentication information, the user identity identification card verifies the legality of the mobile phone security module certificate;
if the user identity identification card verifies that the mobile phone security module certificate is legal, the user identity identification card verifies the correctness of the first signature information;
if the user identification card verifies that the first signature information is correct, the user identification card decrypts the first ciphertext information to obtain the first random factor and the second random factor;
after the user identity identification card obtains the first random factor and the second random factor, verifying the correctness of the first random factor;
if the user identification card verifies that the first random factor is correct, the user identification card generates a third random factor, and generates a negotiation key of the user identification card end according to the second random factor and the third random factor;
the user identity card encrypts at least the second random factor and the third random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate to obtain second ciphertext information;
the user identity identification card sends the second ciphertext information to the mobile phone security module;
after receiving the second ciphertext information, the mobile phone security module decrypts the second ciphertext information to obtain the second random factor and the third random factor;
the mobile phone security module generates a negotiation key of the mobile phone security module end according to the second random factor and the third random factor;
and the mobile phone security module and the user identity identification card perform information secure transmission through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end.
One aspect of the present invention further provides a data processing method based on a negotiation key, including:
the mobile phone security module sends first authentication information to the user identity identification card, wherein the first authentication information at least comprises: a first random factor and a mobile phone security module certificate;
after receiving the first authentication information, the user identity identification card verifies the legality of the mobile phone security module certificate;
if the user identity identification card verifies that the mobile phone security module certificate is legal, the user identity identification card encrypts at least the first random factor and the second random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate to obtain first ciphertext information;
the user identity identification card signs the first ciphertext information to obtain first signature information;
the user identity identification card sends second authentication information to the mobile phone security module, wherein the second authentication information at least comprises: the first ciphertext information, the first signature information and the user identification card certificate;
after receiving the second authentication information, the mobile phone security module verifies the validity of the user identity identification card certificate;
if the mobile phone security module verifies that the user identification card certificate is legal, the mobile phone security module verifies the correctness of the first signature information;
if the mobile phone security module verifies that the first signature information is correct, the mobile phone security module decrypts the first ciphertext information to obtain the first random factor and the second random factor;
after the mobile phone security module obtains the first random factor and the second random factor, verifying the correctness of the first random factor;
if the mobile phone security module verifies that the first random factor is correct, the mobile phone security module generates a third random factor, and generates a negotiation key of the mobile phone security module according to the second random factor and the third random factor;
the mobile phone security module encrypts at least the second random factor and the third random factor through a public key of the user identification card carried in the user identification card certificate to obtain second ciphertext information;
the mobile phone security module sends the second ciphertext information to the user identity identification card;
after receiving the second ciphertext information, the user identity identification card decrypts the second ciphertext information to obtain the second random factor and the third random factor;
the user identity identification card generates a negotiation key of the user identity identification card end according to the second random factor and the third random factor;
and the mobile phone security module and the user identity identification card perform information secure transmission through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end.
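The card-initiated negotiation described above, as an added Ruby example (not code from the patent or its assignee); the second variant swaps the two roles. Assumptions not stated on the page: RSA-OAEP encryption, RSA/SHA-256 signatures, a constructed test CA with X.509 certificates, 16-byte random factors, HMAC-SHA256 as the key derivation, the comparison of the echoed second random factor, and all function names.

```ruby
require 'openssl'

# Party models the user identification card or the mobile phone security module.
Party = Struct.new(:name, :key, :cert, :ca_cert)
class HandshakeError < StandardError; end

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
N = 16 # bytes per random factor (assumption)

def sha256
  OpenSSL::Digest.new('SHA256')
end

# Issue a short-lived X.509 certificate for key, signed by ca_key.
def issue(name, key, ca_key, ca_cert = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = ca_cert ? ca_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, sha256)
end

def new_party(name, ca_key, ca_cert)
  key = OpenSSL::PKey::RSA.new(2048)
  Party.new(name, key, issue(name, key, ca_key, ca_cert), ca_cert)
end

# "Legality" as modelled here: signed by the trusted CA and inside its validity period.
def cert_ok?(party, peer_cert)
  now = Time.now
  peer_cert.verify(party.ca_cert.public_key) &&
    peer_cert.not_before <= now && now <= peer_cert.not_after
end

def same?(a, b) # byte comparison without early exit
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Decrypt a||b, require that a equals the factor this party expects, return b.
def open_pair(party, ciphertext, expected, what)
  plain = party.key.private_decrypt(ciphertext, OAEP)
  ok = plain.bytesize == 2 * N && same?(plain.byteslice(0, N), expected)
  raise HandshakeError, "#{what} mismatch" unless ok
  plain.byteslice(N, N)
rescue OpenSSL::PKey::PKeyError
  raise HandshakeError, 'decryption failed'
end

# Negotiation key from R2 and R3 (HMAC-SHA256 is an assumption).
def derive_key(r2, r3)
  OpenSSL::HMAC.digest(sha256, r2, 'negotiation key' + r3)
end

# Module: verify the card certificate, then build the second authentication information.
# Returns R2 (kept by the module) and the message sent to the card.
def respond(mod, r1, card_cert)
  raise HandshakeError, 'card certificate invalid' unless cert_ok?(mod, card_cert)
  r2 = OpenSSL::Random.random_bytes(N)
  c1 = card_cert.public_key.public_encrypt(r1 + r2, OAEP)
  [r2, { c1: c1, sig1: mod.key.sign(sha256, c1), cert: mod.cert }]
end

# Card: check certificate, then signature, then the echoed R1; only after all
# three pass does it pick R3, derive its key and build the second ciphertext.
def finish(card, r1, msg2)
  raise HandshakeError, 'module certificate invalid' unless cert_ok?(card, msg2[:cert])
  pub = msg2[:cert].public_key
  raise HandshakeError, 'first signature invalid' unless pub.verify(sha256, msg2[:sig1], msg2[:c1])
  r2 = open_pair(card, msg2[:c1], r1, 'first random factor')
  r3 = OpenSSL::Random.random_bytes(N)
  { key: derive_key(r2, r3), c2: pub.public_encrypt(r2 + r3, OAEP) }
end

# Module: decrypt the second ciphertext and derive the same key.
def complete(mod, r2, c2)
  derive_key(r2, open_pair(mod, c2, r2, 'second random factor'))
end

def negotiate(card, mod)
  r1 = OpenSSL::Random.random_bytes(N)   # first authentication information: R1 + card cert
  r2, msg2 = respond(mod, r1, card.cert) # second authentication information
  out = finish(card, r1, msg2)           # second ciphertext information
  [out[:key], complete(mod, r2, out[:c2])]
end

# Constructed test PKI and parties (not real credentials).
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue('constructed test CA', CA_KEY, CA_KEY)
CARD = new_party('user identification card', CA_KEY, CA_CERT)
SEC_MODULE = new_party('mobile phone security module', CA_KEY, CA_CERT)
CARD_SIDE_KEY, MODULE_SIDE_KEY = negotiate(CARD, SEC_MODULE)
puts "negotiation keys match: #{CARD_SIDE_KEY == MODULE_SIDE_KEY}"
```

The order of checks in `finish` follows the page: nothing is decrypted until the certificate and the signature over the ciphertext have been accepted, and no key is derived until the echoed first random factor matches.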
In addition, the step of performing secure transmission of information between the mobile phone security module and the user identification card through the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end includes:
the mobile phone security module acquires information to be transmitted;
the mobile phone security module encrypts the information to be transmitted through a negotiation key of the mobile phone security module end to obtain third ciphertext information;
the mobile phone security module sends first processing information to the user identity identification card, wherein the first processing information at least comprises: the third ciphertext information;
after receiving the first processing information, the user identity identification card decrypts the third ciphertext information through a negotiation key of the user identity identification card end to obtain information to be transmitted;
the user identity identification card signs the information to be transmitted to obtain second signature information;
the user identity identification card encrypts the second signature information through a negotiation key of the user identity identification card end to obtain fourth ciphertext information;
the user identity identification card sends second processing information to the mobile phone security module, wherein the second processing information at least comprises: the fourth ciphertext information;
after the mobile phone security module receives the second processing information, the fourth ciphertext information is decrypted through a negotiation key of the mobile phone security module end, and the second signature information is obtained;
and the mobile phone security module at least sends out the second signature information.
In addition, the step of performing secure transmission of information between the mobile phone security module and the user identification card through the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end includes:
the mobile phone security module acquires information to be transmitted;
the mobile phone security module carries out verification calculation on the information to be transmitted through a negotiation key of the mobile phone security module end to obtain first verification information;
the mobile phone security module sends first processing information to the user identity identification card, wherein the first processing information at least comprises: the information to be transmitted and the first check information;
after receiving the first processing information, the user identity identification card verifies the first processing information through a negotiation key of the user identity identification card end;
if the user identity identification card passes the verification of the first processing information, the user identity identification card signs the information to be transmitted to obtain second signature information;
the user identity identification card carries out verification calculation on the second signature information through a negotiation key of the user identity identification card end to obtain second verification information;
the user identity identification card sends second processing information to the mobile phone security module, wherein the second processing information at least comprises: the second signature information and the second verification information;
after the mobile phone security module receives the second processing information, the second processing information is verified through a negotiation key of the mobile phone security module end;
and if the mobile phone security module verifies the second processing information, the mobile phone security module at least sends out the second signature information.
In addition, the step of performing secure transmission of information between the mobile phone security module and the user identification card through the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end includes:
the mobile phone security module acquires information to be transmitted;
the mobile phone security module encrypts the information to be transmitted through a negotiation key of the mobile phone security module end to obtain third ciphertext information, and performs verification calculation on the third ciphertext information to obtain first verification information;
the mobile phone security module sends first processing information to the user identity identification card, wherein the first processing information at least comprises: the third ciphertext information and the first check information;
after receiving the first processing information, the user identity identification card verifies the first processing information through a negotiation key of the user identity identification card end;
if the user identification card passes the verification of the first processing information, the user identification card decrypts the third ciphertext information through a negotiation key of the user identification card end to obtain the information to be transmitted;
the user identity identification card signs the information to be transmitted to obtain second signature information;
the user identity identification card encrypts the second signature information through a negotiation key of the user identity identification card end to obtain fourth ciphertext information, and performs verification calculation on the fourth ciphertext information to obtain second verification information;
the user identity identification card sends second processing information to the mobile phone security module, wherein the second processing information at least comprises: the fourth ciphertext information and the second check-up information;
after the mobile phone security module receives the second processing information, the second processing information is verified through a negotiation key of the mobile phone security module end;
if the mobile phone security module passes the verification of the second processing information, decrypting the fourth ciphertext information through a negotiation key of the mobile phone security module end to obtain second signature information;
and the mobile phone security module at least sends out the second signature information.
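The encrypt-and-check variant of secure transmission described above, as an added Ruby example (not code from the patent). Assumptions not stated on the page: AES-256-CTR and HMAC-SHA256 as the encryption and verification calculations, separate encryption and check subkeys derived from the negotiation key, a direction label inside the check value so a protected message is not accepted when sent back toward its sender, an RSA card signing key, and all names and sample data.

```ruby
require 'openssl'

class ChannelError < StandardError; end

def hmac(key, data)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), key, data)
end

def same?(a, b) # byte comparison without early exit
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Encrypt, then compute the check value over direction label + IV + ciphertext.
# Output layout: IV (16 bytes) || ciphertext || check value (32 bytes).
def protect(neg_key, direction, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-ctr').encrypt
  cipher.key = hmac(neg_key, 'enc') # subkey derivation is an assumption
  iv = cipher.random_iv
  body = iv + cipher.update(plaintext) + cipher.final
  body + hmac(hmac(neg_key, 'mac'), direction + body)
end

# Verify the check value first; decrypt only if it passes.
def unprotect(neg_key, direction, blob)
  raise ChannelError, 'message too short' if blob.bytesize <= 48
  body = blob.byteslice(0, blob.bytesize - 32)
  tag = blob.byteslice(-32, 32)
  expected = hmac(hmac(neg_key, 'mac'), direction + body)
  raise ChannelError, 'check value invalid' unless same?(tag, expected)
  cipher = OpenSSL::Cipher.new('aes-256-ctr').decrypt
  cipher.key = hmac(neg_key, 'enc')
  cipher.iv = body.byteslice(0, 16)
  cipher.update(body.byteslice(16, body.bytesize - 16)) + cipher.final
end

# Card side: verify and decrypt the first processing information, sign the
# information to be transmitted, return the protected second signature information.
def card_process(neg_key, card_signing_key, first_processing_info)
  tx = unprotect(neg_key, 'module->card', first_processing_info)
  signature = card_signing_key.sign(OpenSSL::Digest.new('SHA256'), tx)
  protect(neg_key, 'card->module', signature)
end

# Module side: protect the information, hand it to the card, verify and
# decrypt the reply, and return the second signature information to send out.
def module_sign_via_card(neg_key, card_signing_key, tx)
  reply = card_process(neg_key, card_signing_key, protect(neg_key, 'module->card', tx))
  unprotect(neg_key, 'card->module', reply)
end

# Constructed sample values: a stand-in negotiation key, a card key, a transaction.
NEG_KEY = OpenSSL::Random.random_bytes(32)
CARD_SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
TX = 'pay 100.00 to account 0000 (constructed sample)'
SIGNATURE = module_sign_via_card(NEG_KEY, CARD_SIGNING_KEY, TX)
valid = CARD_SIGNING_KEY.public_key.verify(OpenSSL::Digest.new('SHA256'), SIGNATURE, TX)
puts "second signature information verifies: #{valid}"
```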
In addition, after the step of obtaining the information to be transmitted by the mobile phone security module, and before the step of sending the first processing information to the user identification card by the mobile phone security module, the method further includes: the mobile phone security module extracts key information in the information to be transmitted; the mobile phone security module controls a mobile phone display screen to display key information in the extracted information to be transmitted; the mobile phone security module receives a confirmation instruction output by a mobile phone keyboard; and after the mobile phone security module receives a confirmation instruction output by the mobile phone keyboard, executing the step that the mobile phone security module sends first processing information to the user identity identification card.
In addition, the third random factor is generated by the user identification card according to the first random factor and the second random factor, or the third random factor is generated by the user identification card randomly.
In addition, the mobile phone security module is a module independent of the mobile phone CPU, or the mobile phone security module is arranged in a security area of the mobile phone CPU.
Another aspect of the present invention provides a mobile phone, including:
the mobile phone comprises a user identity identification card and a mobile phone security module;
the second transceiving unit in the user identity identification card is used for sending first authentication information to the mobile phone security module, wherein the first authentication information at least comprises: a first random factor and a user identification card certificate;
the first transceiving unit in the mobile phone security module is used for receiving the first authentication information;
the first verification unit in the mobile phone security module is used for verifying the legality of the user identity card certificate after the first transceiving unit receives the first authentication information;
the first encryption unit in the mobile phone security module is used for encrypting at least the first random factor and the second random factor through a public key of the user identification card carried in the user identification card certificate after the first verification unit verifies that the user identification card certificate is legal, so as to obtain first ciphertext information;
the first signature unit in the mobile phone security module is used for signing the first ciphertext information obtained by the first encryption unit to obtain first signature information;
the first transceiving unit in the mobile phone security module is further configured to send second authentication information to the user identity card, where the second authentication information at least includes: the first ciphertext information, the first signature information and the mobile phone security module certificate;
the second transceiving unit in the user identity identification card is further configured to receive the second authentication information;
the second verification unit in the user identity identification card is used for verifying the legality of the mobile phone security module certificate after the second transceiving unit receives the second authentication information;
the second verification unit in the user identity identification card is also used for verifying the correctness of the first signature information after verifying that the mobile phone security module certificate is legal;
the second decryption unit in the user identification card is configured to decrypt the first ciphertext information to obtain the first random factor and the second random factor after the second verification unit verifies that the first signature information is correct;
the second verification unit in the user identification card is further configured to verify the correctness of the first random factor after the second decryption unit obtains the first random factor and the second random factor;
the second generating unit in the user identity identification card is used for generating a third random factor after the second verifying unit verifies that the first random factor is correct, and generating a negotiation key of the user identity identification card end according to the second random factor and the third random factor;
the second encryption unit in the user identity identification card is used for encrypting at least the second random factor and the third random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate after the second generation unit generates the third random factor, so as to obtain second ciphertext information;
the second transceiving unit in the user identity identification card is used for sending the second ciphertext information to the mobile phone security module after the second encryption unit obtains the second ciphertext information;
the first transceiving unit in the mobile phone security module is further configured to receive the second ciphertext information;
the first decryption unit in the mobile phone security module is configured to decrypt the second ciphertext information after the first transceiver unit receives the second ciphertext information, so as to obtain the second random factor and the third random factor;
the first generating unit in the mobile phone security module is configured to generate a negotiation key of the mobile phone security module according to the second random factor and the third random factor after the first decryption unit obtains the second random factor and the third random factor;
and the first transceiving unit of the mobile phone security module and the second transceiving unit of the user identity identification card perform secure information transmission through the mobile phone security module end negotiation key generated by the first generating unit and the user identity identification card end negotiation key generated by the second generating unit.
Another aspect of the present invention further provides a mobile phone, including:
the mobile phone comprises a user identity identification card and a mobile phone security module;
the first transceiving unit in the mobile phone security module is configured to send first authentication information to a user identity card, where the first authentication information at least includes: a first random factor and a mobile phone security module certificate;
the second transceiving unit in the user identity identification card is used for receiving the first authentication information;
the second verification unit in the user identity identification card is used for verifying the legality of the mobile phone security module certificate after the second transceiving unit receives the first authentication information;
the second encryption unit in the user identity identification card is used for encrypting at least the first random factor and the second random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate after the second verification module verifies that the mobile phone security module certificate is legal, so as to obtain first ciphertext information;
the second signature unit in the user identity identification card is used for signing the first ciphertext information after the second encryption unit obtains the first ciphertext information to obtain first signature information;
the second transceiving unit in the user identity identification card is further configured to send second authentication information to the mobile phone security module, where the second authentication information at least includes: the first ciphertext information, the first signature information and the user identification card certificate;
the first transceiving unit in the mobile phone security module is used for receiving the second authentication information;
the first verification unit in the mobile phone security module is used for verifying the legality of the user identity card certificate after the first transceiver unit receives the second authentication information;
the first verification unit in the mobile phone security module is further configured to verify the correctness of the first signature information after verifying that the user identification card certificate is legal;
the first decryption unit in the mobile phone security module is configured to decrypt the first ciphertext information to obtain the first random factor and the second random factor after the first verification unit verifies that the first signature information is correct;
the first verification unit in the mobile phone security module is further configured to verify correctness of the first random factor after the first decryption unit obtains the first random factor and the second random factor;
the first generating unit in the mobile phone security module is configured to generate a third random factor after the first verifying unit verifies that the first random factor is correct, and generate a negotiation key of the mobile phone security module according to the second random factor and the third random factor;
the first encryption unit in the mobile phone security module is further configured to encrypt at least the second random factor and the third random factor through a public key of the user identification card carried in the user identification card certificate after the third random factor is generated by the first generation unit, so as to obtain second ciphertext information;
the first transceiving unit in the mobile phone security module is further configured to send the second ciphertext information obtained by the first encryption unit to the subscriber identity module;
the second transceiving unit in the user identity identification card is further configured to receive the second ciphertext information;
the second decryption unit in the user identity identification card is configured to decrypt the second ciphertext information after the second transceiver unit receives the second ciphertext information, so as to obtain the second random factor and the third random factor;
a second generating unit in the user identity identification card, configured to generate a negotiation key of the user identity identification card end according to the second random factor and the third random factor;
and the first transceiving unit in the mobile phone security module and the second transceiving unit in the user identity identification card perform secure information transmission through the negotiation key of the mobile phone security module terminal generated by the first generating unit and the negotiation key of the user identity identification card terminal generated by the second generating unit.
In addition, the acquisition unit in the mobile phone security module is used for acquiring information to be transmitted; the second signature unit in the user identity identification card is used for signing the information to be transmitted to obtain second signature information; and the outward sending unit in the mobile phone security module is used for at least externally sending the second signature information.
In addition, the acquisition unit in the mobile phone security module is used for acquiring information to be transmitted; the second signature unit in the user identity identification card is also used for signing the information to be transmitted to obtain second signature information; and the outward sending unit in the mobile phone security module is used for at least externally sending the second signature information.
In addition, the first encryption unit in the mobile phone security module is further configured to encrypt the information to be transmitted, which is acquired by the acquisition unit, by using a negotiation key of the mobile phone security module end, so as to acquire third ciphertext information; the first transceiving unit in the mobile phone security module is further configured to send first processing information to the user identification card, where the first processing information at least includes: the third ciphertext information; the second transceiving unit in the user identity identification card is used for receiving the first processing information; the second decryption unit in the user identification card is further configured to decrypt the third ciphertext information through a negotiation key of the user identification card end after the second transceiving unit receives the first processing information, so as to obtain the information to be transmitted; the second signature unit in the user identity identification card is further configured to sign the information to be transmitted after the second decryption unit obtains the information to be transmitted, so as to obtain second signature information; the second encryption unit in the user identification card is further configured to encrypt the second signature information through a negotiation key of the user identification card end to obtain fourth ciphertext information; the second transceiving unit in the user identity card is further configured to send second processing information to the mobile phone security module after the second encryption unit obtains the fourth ciphertext information, where the second processing information at least includes: the fourth ciphertext information; the first transceiving unit in the mobile phone security module is further configured to receive the second processing information; the first decryption unit in the mobile phone security module is further configured to decrypt the fourth ciphertext information through a negotiation key of the mobile phone security module end after the first transceiving unit receives the second processing information, so as to obtain the second signature information; and the sending-out unit in the mobile phone security module is used for sending out at least the second signature information after the first decryption unit obtains the second signature information.
In addition, the first check calculation unit in the mobile phone security module is configured to perform check calculation on the information to be transmitted, which is acquired by the acquisition unit, through a negotiation key of the mobile phone security module end, so as to acquire first check information; the first transceiving unit in the mobile phone security module is configured to send first processing information to the user identification card, where the first processing information at least includes: the information to be transmitted and the first check information; the second transceiving unit in the user identity identification card is further configured to receive the first processing information; the second verification unit in the user identification card is further configured to verify the first processing information through a negotiation key of the user identification card end after the second transceiving unit receives the first processing information; the second signature unit in the user identity identification card is further configured to sign the information to be transmitted to obtain second signature information after the second verification unit verifies the first processing information; the second check calculation unit in the user identification card is used for carrying out check calculation on the second signature information through a negotiation key of the user identification card end to obtain second check information; the second transceiving unit in the user identification card is further configured to send second processing information to the mobile phone security module, where the second processing information at least includes: the second signature information and the second check information; the first transceiving unit in the mobile phone security module is further configured to receive the second processing information; the first verification unit in the mobile phone security module is further configured to verify the second processing information through a negotiation key of the mobile phone security module end after the first transceiving unit receives the second processing information; and the sending-out unit in the mobile phone security module is used for sending out at least the second signature information after the first verification unit passes the verification of the second processing information.
In addition, the first encryption unit in the mobile phone security module is further configured to encrypt the information to be transmitted, which is acquired by the acquisition unit, through a negotiation key of the mobile phone security module end to acquire third ciphertext information, and the first check calculation unit in the mobile phone security module is configured to perform check calculation on the third ciphertext information to acquire first check information; the first transceiving unit in the mobile phone security module is further configured to send first processing information to the user identification card, where the first processing information at least includes: the third ciphertext information and the first check information; the second transceiving unit in the user identity identification card is also used for receiving the first processing information; the second verification unit in the user identification card is further configured to verify the first processing information through a negotiation key of the user identification card end after the second transceiving unit receives the first processing information; the second decryption unit in the user identification card is further configured to decrypt the third ciphertext information through a negotiation key of the user identification card end after the second verification unit passes verification of the first processing information, so as to obtain the information to be transmitted; the second signature unit in the user identity identification card is further configured to sign the information to be transmitted after the second decryption unit obtains the information to be transmitted, so as to obtain second signature information; the second encryption unit in the user identification card is further configured to encrypt the second signature information through a negotiation key of the user identification card end after the second signature information is obtained by the second signature unit, so as to obtain fourth ciphertext information, and the second check calculation unit in the user identification card is configured to perform check calculation on the fourth ciphertext information, so as to obtain second check information; the second transceiving unit in the user identification card is further configured to send second processing information to the mobile phone security module, where the second processing information at least includes: the fourth ciphertext information and the second check information; the first transceiving unit in the mobile phone security module is further configured to receive the second processing information; the first verification unit in the mobile phone security module is further configured to verify the second processing information through a negotiation key of the mobile phone security module end after the first transceiving unit receives the second processing information; the first decryption unit in the mobile phone security module is further configured to decrypt the fourth ciphertext information through a negotiation key of the mobile phone security module end after the first verification unit passes verification of the second processing information, so as to obtain the second signature information; the sending-out unit in the mobile phone security module is further configured to send out at least the second signature information after the first decryption unit obtains the second signature information.
In addition, the extraction unit in the mobile phone security module is used for extracting key information in the information to be transmitted; the control unit in the mobile phone security module is used for controlling the mobile phone display screen to display the key information extracted by the extraction unit from the information to be transmitted; and the receiving unit in the mobile phone security module is used for receiving a confirmation instruction output by the mobile phone keyboard and, after receiving the confirmation instruction, notifying the first transceiving unit to send the first processing information from the mobile phone security module to the user identity identification card.
In addition, the third random factor is generated by the second generation unit of the user identification card according to the first random factor and the second random factor, or the third random factor is randomly generated by the second generation unit in the user identification card.
In addition, the mobile phone security module is a module independent of the mobile phone CPU, or the mobile phone security module is arranged in a security area of the mobile phone CPU.
As can be seen from the technical solution provided above, the data processing method based on the negotiation key and the mobile phone of the invention enable the mobile phone to securely execute online banking business and/or confidential information transmission.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a flowchart of a data processing method based on a negotiation key according to embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of a mobile phone provided in embodiment 1 of the present invention;
Fig. 3 is a flowchart of a data processing method based on a negotiation key according to embodiment 2 of the present invention;
Fig. 4 is a schematic structural diagram of a mobile phone provided in embodiment 2 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
The data processing method based on the negotiation key is implemented on a mobile phone, and the mobile phone at least comprises a user identity identification card with a security function and a mobile phone security module. Wherein:
The user identification card can be any one of the following cards: SIM (Subscriber Identity Module) card, UIM (User Identity Module) card, USIM card, PIM card and the like. These cards extend their existing functions with a security function, so as to realize the functions of the invention in cooperation with the mobile phone security module.
The mobile phone security module may be set as an independent module independent of the mobile phone CPU, or may be set as a security area in the mobile phone CPU, so as to ensure an independent security function that the mobile phone security module can implement, for example: the mobile phone security module can independently perform a secure identity authentication function, perform security control of display, and ensure authenticity of display contents and the like.
In addition, the third party CA also issues a certificate which is authenticated by the CA to the user identity identification card, and simultaneously, the third party CA also issues a certificate which is authenticated by the CA to the mobile phone security module, so that the legality of the identity of the two parties can be verified, and the security is improved.
Example 1
Fig. 1 is a flowchart illustrating a data processing method based on a negotiation key according to embodiment 1 of the present invention. Referring to Fig. 1, the data processing method based on a negotiation key according to the present invention includes:
Step S101, the user identity identification card sends first authentication information to the mobile phone security module, wherein the first authentication information at least comprises: a first random factor and a user identification card certificate;
Specifically, the user identification card generates a first random factor in advance, and sends the generated random factor, together with a first certificate issued by a CA to the user identification card, to the mobile phone security module. Sending the first random factor ensures that the information sent each time is different, which prevents replay attacks and improves security. The first random factor may be a random number generated by the user identification card.
Step S102, after the mobile phone security module receives the first authentication information, the validity of the user identity identification card certificate is verified;
Specifically, after receiving the user identification card certificate, the mobile phone security module verifies the validity of the certificate. For example, it uses the CA public key issued by the CA to verify the signature on the part of the user identification card certificate that was signed with the CA private key, and the user identification card certificate is verified as legal only after this signature verification passes.
Step S103, if the mobile phone security module verifies that the user identification card certificate is legal, the mobile phone security module encrypts at least a first random factor and a second random factor through a public key of the user identification card carried in the user identification card certificate to obtain first ciphertext information;
Specifically, after the mobile phone security module verifies that the user identification card certificate is legal, a second random factor is generated, and after the second random factor is generated, the first random factor and the second random factor are encrypted through a public key of the user identification card carried in the user identification card certificate sent by the user identification card, so that the transmission security of the first random factor and the second random factor is ensured.
Wherein the second random factor may be a random number.
Step S104, the mobile phone security module signs the first ciphertext information to obtain first signature information;
Specifically, after the mobile phone security module encrypts the first random factor and the second random factor to obtain the first ciphertext information, it signs at least the first ciphertext information with the private key of the mobile phone security module, so that the integrity and the non-repudiation of the transmission of the first ciphertext information are ensured.
Certainly, the invention is not limited to the mobile phone security module signing the first ciphertext information; the mobile phone security module can also directly sign the first random factor and the second random factor to obtain the first signature information, so that the integrity and the non-repudiation of the first random factor and the second random factor can be ensured.
In the invention, the scheme in which the mobile phone security module signs the first ciphertext information is preferred, to ensure the opaque transmission of the first random factor and the second random factor.
Step S105, the mobile phone security module sends second authentication information to the user identity identification card, wherein the second authentication information at least comprises: the first ciphertext information, the first signature information and the mobile phone security module certificate;
Step S106, after the user identity identification card receives the second authentication information, the legality of the mobile phone security module certificate is verified;
Specifically, after the user identification card receives the mobile phone security module certificate, the validity of the certificate is verified. For example, the card uses the CA public key issued by the CA to verify the signature on the part of the mobile phone security module certificate that was signed with the CA private key, and the mobile phone security module certificate is verified as legal only after this signature verification passes.
Step S107, if the user identification card verifies that the mobile phone security module certificate is legal, the user identification card verifies the correctness of the first signature information;
Specifically, after the user identification card verifies that the mobile phone security module certificate is legal, the correctness of the first signature information is also verified. At this point, the user identity identification card directly verifies the correctness of the first signature information according to the received first ciphertext information and the public key of the mobile phone security module in the mobile phone security module certificate.
Certainly, if the mobile phone security module signed the first random factor and the second random factor, the user identity identification card first decrypts the first ciphertext information to obtain the first random factor and the second random factor, and then verifies the correctness of the first signature information according to the decrypted first random factor, the decrypted second random factor and the public key of the mobile phone security module in the mobile phone security module certificate.
In the invention, the correctness of the first signature information is preferably verified according to the first ciphertext information and the public key of the mobile phone security module.
Step S108, if the user identification card verifies that the first signature information is correct, the user identification card decrypts the first ciphertext information to obtain a first random factor and a second random factor;
Specifically, after the user identification card verifies that the first signature information is correct, the first ciphertext information is decrypted through a private key of the user identification card, and a first random factor and a second random factor are obtained. The first ciphertext information is thus decrypted only on the premise that it has not been tampered with, which guarantees that the first random factor and the second random factor are obtained.
Step S109, after the user identification card obtains the first random factor and the second random factor, the correctness of the first random factor is verified;
Specifically, only after the user identification card has decrypted the real first random factor and second random factor does it check whether the decrypted first random factor is consistent with the first random factor that the user identification card generated earlier; if so, the first random factor is verified to be correct.
Step S110, if the user identification card verifies that the first random factor is correct, the user identification card generates a third random factor, and generates a negotiation key of the user identification card end according to the second random factor and the third random factor;
Specifically, after the user identification card verifies that the first random factor is correct, a third random factor is generated, and a negotiation key of the user identification card end is generated according to the second random factor and the third random factor together. The third random factor may be generated by the user identification card according to the first random factor and the second random factor, or the third random factor is generated by the user identification card randomly. The third random factor may also be a random number. Therefore, a negotiation key of the user identity identification card end is generated, so that information can be safely transmitted with the mobile phone security module according to the negotiation key.
Step S111, the user identity card encrypts at least a second random factor and a third random factor through a public key of a mobile phone security module carried in a mobile phone security module certificate to obtain second ciphertext information;
Specifically, the user identity card encrypts the second random factor and the third random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate, so as to securely transmit the second random factor and the third random factor, which are subsequently used for generating a negotiation key of the mobile phone security module end.
Step S112, the user identity identification card sends the second ciphertext information to the mobile phone security module;
Step S113, after the mobile phone security module receives the second ciphertext information, decrypting the second ciphertext information to obtain a second random factor and a third random factor;
Specifically, the mobile phone security module decrypts the second ciphertext information through a private key of the mobile phone security module to obtain a real second random factor and a real third random factor.
Step S114, the mobile phone security module generates a negotiation key of the mobile phone security module end according to the second random factor and the third random factor;
Specifically, after obtaining the real second random factor and the real third random factor, the mobile phone security module generates a negotiation key of the mobile phone security module end according to the second random factor and the third random factor, so as to perform secure transmission of information with the user identity card according to the negotiation key.
Step S115, the mobile phone security module and the user identity identification card perform secure transmission of information through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end.
Specifically, after the mobile phone security module generates a negotiation key of the mobile phone security module end and the user identification card generates a negotiation key of the user identification card end, the mobile phone security module and the user identification card perform secure transmission of information through the negotiation keys at the two ends.
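The exchange in steps S101 to S115 above, as an added Python sketch that is not code from the patent. The page names no algorithms, so textbook RSA over fixed Mersenne primes (a toy, not secure) and a SHA-256 key derivation are assumptions, and all function names are hypothetical.

```python
"""S101-S115 as a runnable sketch (added example, not the patent's code).
Textbook RSA over Mersenne primes is a toy stand-in (unpadded, trivially
factorable); the SHA-256 key derivation is also an assumption."""
import hashlib
import secrets

E = 65537

def make_key(a, b):
    """Toy RSA key pair built from the Mersenne primes 2**a - 1 and 2**b - 1."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def pub(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    return pow(digest(data), key["d"], key["n"])

def verify(pubkey, data, sig):
    return pow(sig, pubkey["e"], pubkey["n"]) == digest(data)

def encrypt(pubkey, data):
    size = (pubkey["n"].bit_length() + 7) // 8
    c = pow(int.from_bytes(data, "big"), pubkey["e"], pubkey["n"])
    return c.to_bytes(size, "big")

def decrypt(key, ct, length):
    m = pow(int.from_bytes(ct, "big"), key["d"], key["n"])
    return m.to_bytes(length, "big")

def cert_body(name, pubkey):
    return f"{name}|{pubkey['n']}|{pubkey['e']}".encode()

def issue_cert(ca, name, key):
    """CA signs the holder's name and public key with the CA private key."""
    return {"name": name, "pub": pub(key),
            "sig": sign(ca, cert_body(name, pub(key)))}

def cert_ok(ca_pub, cert):
    return verify(ca_pub, cert_body(cert["name"], cert["pub"]), cert["sig"])

def derive_key(r2, r3):
    # Assumed derivation: the page only says the key comes from R2 and R3.
    return hashlib.sha256(b"negotiation-key" + r2 + r3).digest()

def module_respond(p, first_auth):
    """S102-S105: module checks the card certificate, builds second auth info."""
    r1, card_cert = first_auth
    if not cert_ok(p["ca_pub"], card_cert):
        raise ValueError("card certificate rejected")
    r2 = secrets.token_bytes(16)
    ct1 = encrypt(card_cert["pub"], r1 + r2)  # S103: R1 || R2 under card key
    return ct1, sign(p["module"], ct1), p["module_cert"]  # S104, S105

def card_finish(p, r1, second_auth):
    """S106-S112: card checks certificate, then signature, then R1."""
    ct1, sig1, module_cert = second_auth
    if not cert_ok(p["ca_pub"], module_cert):
        raise ValueError("module certificate rejected")
    if not verify(module_cert["pub"], ct1, sig1):
        raise ValueError("first signature rejected")
    plain = decrypt(p["card"], ct1, 32)  # S108
    if not secrets.compare_digest(plain[:16], r1):  # S109: replay check
        raise ValueError("stale first random factor")
    r2, r3 = plain[16:], secrets.token_bytes(16)  # S110
    return derive_key(r2, r3), encrypt(module_cert["pub"], r2 + r3)  # S111

def module_finish(p, ct2):
    """S113-S114: module recovers R2 and R3 and derives its copy of the key."""
    plain = decrypt(p["module"], ct2, 32)
    return derive_key(plain[:16], plain[16:])

def setup():
    """Constructed parties; one dict holds both sides' state for brevity."""
    ca = make_key(127, 521)
    card, module = make_key(107, 607), make_key(89, 1279)
    return {"ca_pub": pub(ca), "card": card, "module": module,
            "card_cert": issue_cert(ca, "card", card),
            "module_cert": issue_cert(ca, "module", module)}

def handshake(p, on_wire=lambda msg: msg):
    """Run S101-S115; on_wire may alter the second authentication information."""
    r1 = secrets.token_bytes(16)  # S101: fresh first random factor
    second = module_respond(p, (r1, p["card_cert"]))
    card_key, ct2 = card_finish(p, r1, on_wire(second))
    return card_key, module_finish(p, ct2), second

if __name__ == "__main__":
    card_key, module_key, _ = handshake(setup())
    print("negotiation keys match:", card_key == module_key)
```

The `on_wire` hook stands in for anything sitting between the two components: a flipped ciphertext bit, a replayed second authentication message and a certificate from a different CA are each rejected at the step the text assigns to that check.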
At this time, the secure transmission of information may be achieved by one of the following:
Method one:
Step S116a, the mobile phone security module obtains the information to be transmitted;
Specifically, the mobile phone security module obtains information to be transmitted, where the information to be transmitted may be confidential information that needs to be transmitted securely, or may be transaction information of a transaction to be executed in online banking.
If the invention is applied to the secure transmission of confidential information, the information to be transmitted can be the confidential information that the mobile phone needs to output, such as confidential information acquired by the mobile phone from the secure storage area of the mobile phone;
If the invention is applied to the online banking business, the information to be transmitted can be the transaction information of the transaction to be executed, such as a transaction account number, a transaction amount and other transaction information acquired by the mobile phone through the online banking client.
Step S117a, the mobile phone security module encrypts the information to be transmitted through the negotiation key of the mobile phone security module, to obtain a third ciphertext information;
Specifically, the mobile phone security module encrypts the information to be transmitted through the generated negotiation key of the mobile phone security module end, so that the information to be transmitted is transmitted in an opaque manner, and the transmission security is ensured. At this time, the negotiation key includes at least one encryption key.
Step S118a, the mobile phone security module sends the first processing information to the user identification card, where the first processing information at least includes: third ciphertext information;
Step S119a, after the user identification card receives the first processing information, decrypting the third ciphertext information by the negotiation key of the user identification card end to obtain the information to be transmitted;
Specifically, since the information to be transmitted was encrypted with the negotiation key of the mobile phone security module end, the user identification card, after receiving the third ciphertext information, decrypts it with the negotiation key in the user identification card, thereby obtaining the real information to be transmitted.
Step S120a, the user identity identification card signs the information to be transmitted to obtain second signature information;
Specifically, after the user identification card obtains the real information to be transmitted, the user identification card signs the information to be transmitted so as to ensure the integrity and non-repudiation of the information to be transmitted.
Step S121a, the user identification card encrypts the second signature information through the negotiation key of the user identification card end to obtain fourth ciphertext information;
Specifically, the user identification card encrypts the second signature information through a negotiation key of the user identification card end, so that opaque transmission of the second signature information is ensured, and the security is improved.
Step S122a, the user identification card sends the second processing information to the mobile phone security module, where the second processing information at least includes: fourth ciphertext information;
Step S123a, after the mobile phone security module receives the second processing information, the mobile phone security module decrypts the fourth ciphertext information by using the negotiation key of the mobile phone security module end, so as to obtain second signature information;
Specifically, after receiving the fourth ciphertext information, the mobile phone security module further decrypts the fourth ciphertext information through the negotiation key of the mobile phone security module end, so as to obtain the real second signature information. Therefore, one secure information interaction is completed between the mobile phone security module and the user identity identification card.
Step S124a, the mobile phone security module at least sends out the second signature information.
Specifically, the mobile phone security module sends out the second signature information obtained by signing the information to be transmitted.
If the invention is applied to the secure transmission of confidential information, the signed confidential information is sent out to a confidential information extraction device or the like;
If the invention is applied to the online banking business, the signed transaction information is sent to an online banking server or the like.
The second method comprises the following steps:
step S116b, the mobile phone security module obtains the information to be transmitted;
specifically, the mobile phone security module obtains information to be transmitted, where the information to be transmitted may be confidential information that needs to be transmitted safely, or may also be transaction information to be transacted in the internet bank.
If the invention is applied to the security transmission of the confidential information, the information to be transmitted can be the confidential information which needs to be output by the mobile phone, such as: confidential information and the like acquired by the mobile phone from the security storage area of the mobile phone;
if the invention is applied to the online banking business, the information to be transmitted can be the transaction information of the transaction to be executed, such as transaction information (a transaction account number, a transaction amount and the like) that the mobile phone acquires through the online banking client.
Step S117b, the mobile phone security module performs verification calculation on the information to be transmitted through the negotiation key of the mobile phone security module, so as to obtain first verification information;
specifically, the mobile phone security module performs verification calculation on the information to be transmitted through the generated negotiation key of the mobile phone security module, so as to ensure the integrity of the information to be transmitted. At this time, the negotiation key at least includes a check calculation key, and the check calculation may be any check manner such as calculating a MAC value.
Step S118b, the mobile phone security module sends the first processing information to the user identification card, where the first processing information at least includes: information to be transmitted and first check information;
step S119b, after the user identification card receives the first processing information, the first processing information is verified through the negotiation key of the user identification card end;
specifically, since the information to be transmitted is verified and calculated through the negotiation key of the mobile phone security module, at this time, after the user identification card receives the information to be transmitted and the first verification information, the user identification card performs the same verification and calculation on the information to be transmitted through the negotiation key in the user identification card, compares the information to be transmitted with the first verification information, and after the comparison is consistent, passes the verification, thereby ensuring that the obtained information to be transmitted is not tampered.
Step S120b, if the user identification card passes the verification of the first processing information, the user identification card signs the information to be transmitted to obtain second signature information;
specifically, after the user identification card obtains the real information to be transmitted, the user identification card signs the information to be transmitted so as to ensure the integrity and non-repudiation of the information to be transmitted.
Step S121b, the user identification card performs verification calculation on the second signature information through the negotiation key of the user identification card end to obtain second verification information;
specifically, the user identification card also performs verification calculation on the second signature information through a negotiation key of the user identification card end, so as to ensure the integrity of the second signature information.
Step S122b, the user id card sends the second processing information to the mobile phone security module, where the second processing information at least includes: second signature information and second check information;
step S123b, after the mobile phone security module receives the second processing information, the second processing information is verified through the negotiation key of the mobile phone security module;
specifically, after the mobile phone security module receives the second signature information and the second check information, it performs the check calculation on the second signature information through the negotiation key of the mobile phone security module and compares the result with the second check information; if the two are consistent, the verification passes, which ensures that the obtained second signature information has not been tampered with. Thus, one secure information exchange is completed between the mobile phone security module and the user identification card.
In step S124b, if the mobile phone security module verifies the second processed information, the mobile phone security module at least sends out the second signature information.
Specifically, the mobile phone security module sends out the second signature information obtained by signing the information to be transmitted.
If the invention is applied to the secure transmission of the confidential information, the signed confidential information is sent out to a confidential information extraction device, and the like;
if the invention is applied to the online banking business, the signed transaction information is sent to an online banking server and the like.
Mode three:
step S116c, the mobile phone security module obtains the information to be transmitted;
specifically, the mobile phone security module obtains information to be transmitted, where the information to be transmitted may be confidential information that needs to be transmitted safely, or may also be transaction information to be transacted in the internet bank.
If the invention is applied to the security transmission of the confidential information, the information to be transmitted can be the confidential information which needs to be output by the mobile phone, such as: confidential information and the like acquired by the mobile phone from the security storage area of the mobile phone;
if the invention is applied to the online banking business, the information to be transmitted can be the transaction information of the transaction to be executed, such as transaction information (a transaction account number, a transaction amount and the like) that the mobile phone acquires through the online banking client.
Step S117c, the mobile phone security module encrypts the information to be transmitted through the negotiation key of the mobile phone security module end to obtain third ciphertext information, and performs verification calculation on the third ciphertext information to obtain first verification information;
specifically, the mobile phone security module encrypts the information to be transmitted through the generated negotiation key of the mobile phone security module, so that the information to be transmitted is transmitted in an opaque manner, and the transmission security is ensured.
And the mobile phone security module performs verification calculation on the third ciphertext information through the generated negotiation key of the mobile phone security module, so that the integrity of the third ciphertext information is ensured. The check calculation may be any check method such as calculating a MAC value.
In this case, the negotiation key includes at least one encryption key and one verification calculation key.
Step S118c, the mobile phone security module sends the first processing information to the user identification card, where the first processing information at least includes: the third ciphertext information and the first check information;
step S119c, after the user identification card receives the first processing information, the first processing information is verified through the negotiation key of the user identification card end;
specifically, since the third ciphertext information is subjected to verification calculation through the negotiation key of the mobile phone security module, at this time, after the user identification card receives the third ciphertext information and the first verification information, the third ciphertext information is subjected to the same verification calculation through the negotiation key in the user identification card, and is compared with the first verification information, and after the comparison is consistent, the verification is passed, so that the obtained third ciphertext information is ensured not to be falsified.
Step S120c, if the user identification card passes the verification of the first processing information, the user identification card decrypts the third ciphertext information through the negotiation key of the user identification card end to obtain the information to be transmitted;
specifically, since the information to be transmitted is encrypted by the negotiation key of the security module of the mobile phone, at this time, after the user identification card receives the real third ciphertext information, the user identification card decrypts the information to be transmitted by the negotiation key in the user identification card, thereby obtaining the real information to be transmitted.
Step S121c, the user identity identification card signs the information to be transmitted to obtain second signature information;
specifically, after the user identification card obtains the real information to be transmitted, the user identification card signs the information to be transmitted so as to ensure the integrity and non-repudiation of the information to be transmitted.
Step S122c, the user identification card encrypts the second signature information through the negotiation key of the user identification card end to obtain fourth ciphertext information, and performs check calculation on the fourth ciphertext information to obtain second check information;
specifically, the user identification card encrypts the second signature information through a negotiation key of the user identification card end, so that opaque transmission of the second signature information is ensured, and the security is improved.
The user identity identification card also carries out check calculation on the fourth ciphertext information through a negotiation key of the user identity identification card end, so that the integrity of the fourth ciphertext information is ensured.
Step S123c, the user id card sends the second processing information to the mobile phone security module, where the second processing information at least includes: the fourth ciphertext information and the second check information;
step S124c, after the mobile phone security module receives the second processing information, the second processing information is verified through the negotiation key of the mobile phone security module;
specifically, after the mobile phone security module receives the fourth ciphertext information and the second check information, the fourth ciphertext information is checked and calculated through a negotiation key of the mobile phone security module, the fourth ciphertext information is compared with the second check information, and after the fourth ciphertext information is consistent with the second check information, the verification is passed, so that the fourth ciphertext information is ensured not to be tampered.
Step S125c, if the mobile phone security module passes the verification of the second processing information, the fourth ciphertext information is decrypted by the negotiation key of the mobile phone security module, and second signature information is obtained;
specifically, after obtaining the real fourth ciphertext information, the mobile phone security module further decrypts the fourth ciphertext information through the negotiation key of the mobile phone security module, so as to obtain the real second signature information.
Thus, one secure information exchange is completed between the mobile phone security module and the user identification card.
Step S126c, the mobile phone security module at least sends out the second signature information.
Specifically, the mobile phone security module sends out the second signature information obtained by signing the information to be transmitted.
If the invention is applied to the secure transmission of the confidential information, the signed confidential information is sent out to a confidential information extraction device, and the like;
if the invention is applied to the online banking business, the signed transaction information is sent to an online banking server and the like.
Mode four:
step S116d, the mobile phone security module obtains the information to be transmitted;
step S117d, the mobile phone security module encrypts the information to be transmitted through the negotiation key of the mobile phone security module end to obtain third ciphertext information, and performs verification calculation on the third ciphertext information to obtain first verification information;
step S118d, the mobile phone security module sends the first processing information to the user identification card, where the first processing information at least includes: the third ciphertext information and the first check information;
step S119d, after the user identification card receives the first processing information, the first processing information is verified through the negotiation key of the user identification card end;
step S120d, if the user identification card passes the verification of the first processing information, the user identification card decrypts the third ciphertext information through the negotiation key of the user identification card end to obtain the information to be transmitted;
step S121d, the user identity identification card signs the information to be transmitted to obtain second signature information;
step S122d, the user identification card encrypts the second signature information through the negotiation key of the user identification card end to obtain a fourth ciphertext information;
step S123d, the user id card sends the second processing information to the mobile phone security module, where the second processing information at least includes: a fourth ciphertext message;
step S124d, the mobile phone security module decrypts the fourth ciphertext information by using the negotiation key of the mobile phone security module, so as to obtain second signature information;
and step S125d, the mobile phone security module at least sends out the second signature information.
Mode five:
step S116e, the mobile phone security module obtains the information to be transmitted;
step S117d, the mobile phone security module encrypts the information to be transmitted through the negotiation key of the mobile phone security module end to obtain third ciphertext information, and performs verification calculation on the third ciphertext information to obtain first verification information;
step S118d, the mobile phone security module sends the first processing information to the user identification card, where the first processing information at least includes: the third ciphertext information and the first check information;
step S119e, after the user identification card receives the first processing information, the first processing information is verified through the negotiation key of the user identification card end;
step S120e, if the user identification card passes the verification of the first processing information, the user identification card decrypts the third ciphertext information through the negotiation key of the user identification card end to obtain the information to be transmitted;
step S121e, the user identity identification card signs the information to be transmitted to obtain second signature information;
step S122e, the user identification card performs verification calculation on the second signature information through the negotiation key of the user identification card end to obtain second verification information;
step S123e, the user id card sends the second processing information to the mobile phone security module, where the second processing information at least includes: second signature information and second check information;
step S124e, after the mobile phone security module receives the second processing information, the second processing information is verified through the negotiation key of the mobile phone security module;
in step S125e, if the mobile phone security module verifies the second processed information, the mobile phone security module at least sends out the second signature information.
Mode six:
step S116f, the mobile phone security module obtains the information to be transmitted;
step S117f, the mobile phone security module encrypts the information to be transmitted through the negotiation key of the mobile phone security module, to obtain a third ciphertext information;
step S118f, the mobile phone security module sends the first processing information to the user identification card, where the first processing information at least includes: third ciphertext information;
step S119f, after the user identification card receives the first processing information, decrypting the third ciphertext information by the negotiation key of the user identification card end to obtain the information to be transmitted;
step S120f, the user identity identification card signs the information to be transmitted to obtain second signature information;
step S121f, the user identification card encrypts the second signature information through the negotiation key of the user identification card end to obtain fourth ciphertext information, and performs check calculation on the fourth ciphertext information to obtain second check information;
step S122f, the user id card sends the second processing information to the mobile phone security module, where the second processing information at least includes: the fourth ciphertext information and the second check information;
step S123f, after the mobile phone security module receives the second processing information, the second processing information is verified through the negotiation key of the mobile phone security module;
step S124f, if the mobile phone security module passes the verification of the second processing information, decrypting the fourth ciphertext information by using the negotiation key of the mobile phone security module, to obtain a second signature information;
and step S125f, the mobile phone security module at least sends out the second signature information.
Mode seven:
step S116g, the mobile phone security module obtains the information to be transmitted;
step S117g, the mobile phone security module performs verification calculation on the information to be transmitted through the negotiation key of the mobile phone security module, so as to obtain first verification information;
step S118g, the mobile phone security module sends the first processing information to the user identification card, where the first processing information at least includes: information to be transmitted and first check information;
step S119g, after the user identification card receives the first processing information, the first processing information is verified through the negotiation key of the user identification card end;
step S120g, if the user identification card passes the verification of the first processing information, the user identification card signs the information to be transmitted to obtain second signature information;
step S121g, the user identification card encrypts the second signature information through the negotiation key of the user identification card end to obtain fourth ciphertext information, and performs check calculation on the fourth ciphertext information to obtain second check information;
step S122g, the user id card sends the second processing information to the mobile phone security module, where the second processing information at least includes: the fourth ciphertext information and the second check information;
step S123g, after the mobile phone security module receives the second processing information, the second processing information is verified through the negotiation key of the mobile phone security module;
step S124g, if the mobile phone security module passes the verification of the second processing information, decrypting the fourth ciphertext information by using the negotiation key of the mobile phone security module, to obtain a second signature information;
and step S125g, the mobile phone security module at least sends out the second signature information.
Of course, in modes one to seven, each step that performs the check calculation on the ciphertext information may instead perform the check calculation on the original text of that ciphertext information; in that case, after the check information and the ciphertext information are received, the ciphertext information is first decrypted to obtain its original text, and the check information is then verified. It suffices that neither the ciphertext information nor the original text of the ciphertext information can be tampered with.
Therefore, the data processing method based on the negotiation key can ensure that the mobile phone can safely execute the online banking business and/or the confidential information transmission.
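The Mode three exchange (steps S117c to S125c), together with the variation above in which the check calculation covers the original text instead of the ciphertext, is sketched below as an added Python example that is not part of the patent. The key derivation from the second and third random factors, the HMAC-based stream cipher, the HMAC-SHA256 check value and the keyed-hash stand-in for the card's signature are all assumptions chosen so the example runs with the standard library only; the sample values are constructed.

```python
import hashlib
import hmac
import os


class IntegrityError(Exception):
    """The check information did not match, so the message is rejected."""


def derive_keys(r2, r3):
    # Assumption: the patent only says the negotiation key is generated from
    # the second and third random factors and holds an encryption key and a
    # check calculation key. HMAC-SHA256 with two labels stands in here.
    seed = r2 + r3
    return (hmac.new(seed, b"encryption key", hashlib.sha256).digest(),
            hmac.new(seed, b"check calculation key", hashlib.sha256).digest())


def xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode), not the module's cipher.
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def check_value(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def stand_in_sign(card_sign_key, info):
    # Stand-in for the card's private-key signature (assumption: a keyed hash
    # is used only because the standard library has no asymmetric signing).
    return hmac.new(card_sign_key, b"sign:" + info, hashlib.sha256).digest()


class Endpoint:
    """One end of the channel: holds its own copy of the negotiation key."""

    def __init__(self, r2, r3, check_plaintext=False):
        self.k_enc, self.k_check = derive_keys(r2, r3)
        self.check_plaintext = check_plaintext

    def protect(self, plaintext):
        nonce = os.urandom(12)
        ciphertext = nonce + xor_stream(self.k_enc, nonce, plaintext)
        covered = plaintext if self.check_plaintext else ciphertext
        return ciphertext, check_value(self.k_check, covered)

    def unprotect(self, ciphertext, check):
        nonce, body = ciphertext[:12], ciphertext[12:]
        if not self.check_plaintext:
            # Default order: verify the ciphertext first, decrypt only on success.
            if not hmac.compare_digest(check, check_value(self.k_check, ciphertext)):
                raise IntegrityError("ciphertext check failed")
            return xor_stream(self.k_enc, nonce, body)
        # Variation: decrypt first, then verify the check over the original text.
        plaintext = xor_stream(self.k_enc, nonce, body)
        if not hmac.compare_digest(check, check_value(self.k_check, plaintext)):
            raise IntegrityError("original-text check failed")
        return plaintext


def flip_last_bit(data):
    # Simulates corruption or tampering on the phone-to-card link.
    return data[:-1] + bytes([data[-1] ^ 1])


def card_handle(card, card_sign_key, ciphertext3, check1):
    info = card.unprotect(ciphertext3, check1)        # S119c, S120c
    signature2 = stand_in_sign(card_sign_key, info)   # S121c
    return card.protect(signature2)                   # S122c, sent in S123c


def run_mode_three(info, r2, r3, card_sign_key, check_plaintext=False, tamper=None):
    phone = Endpoint(r2, r3, check_plaintext)
    card = Endpoint(r2, r3, check_plaintext)
    ciphertext3, check1 = phone.protect(info)         # S117c, sent in S118c
    if tamper == "first":
        ciphertext3 = flip_last_bit(ciphertext3)
    ciphertext4, check2 = card_handle(card, card_sign_key, ciphertext3, check1)
    if tamper == "second":
        ciphertext4 = flip_last_bit(ciphertext4)
    return phone.unprotect(ciphertext4, check2)       # S124c, S125c


# Constructed sample values, for illustration only.
R2, R3 = bytes(range(16)), bytes(range(16, 32))
CARD_SIGN_KEY = b"constructed-card-signing-key"
SAMPLE_INFO = b"account=CONSTRUCTED-001;amount=100.00"


def rejected(tamper, check_plaintext=False):
    try:
        run_mode_three(SAMPLE_INFO, R2, R3, CARD_SIGN_KEY, check_plaintext, tamper)
    except IntegrityError:
        return True
    return False


if __name__ == "__main__":
    print(run_mode_three(SAMPLE_INFO, R2, R3, CARD_SIGN_KEY).hex())
    print(rejected("first"), rejected("second", check_plaintext=True))
```

In both orderings a modified first or second processing information is rejected before the card signs anything or the module sends the signature out; the ciphertext-first order additionally avoids decrypting unverified data.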
In addition, in any of the above manners, after the step of obtaining the information to be transmitted by the mobile phone security module, and before the step of sending the first processing information to the user identification card by the mobile phone security module, the data processing method based on the negotiation key further includes the following steps:
step S1161, the mobile phone security module extracts key information in the information to be transmitted;
specifically, the mobile phone security module extracts key information in the information to be transmitted so as to display the key information to the user for confirmation. For example:
if the invention is applied to the security transmission of confidential information, the security module of the mobile phone can extract key information such as file names and the like in the confidential information, so that a user can conveniently confirm whether the confidential file needs to be extracted for security output;
if the invention is applied to the online banking business, the mobile phone security module can extract key information in the transaction information, such as the transaction account number, the transaction amount and the like, so that a user can confirm whether the transaction is real.
Step S1162, the mobile phone security module controls a mobile phone display screen to display key information in the extracted information to be transmitted;
specifically, the mobile phone security module controls the display screen of the mobile phone to display the extracted key information, so that the user can confirm the authenticity of the key information, and the authenticity of the information to be transmitted is guaranteed. In addition, because the mobile phone security module controls the display screen to display the extracted key information, the problem that key information displayed on a display screen controlled by the mobile phone CPU may be tampered with is prevented, the content displayed by the mobile phone security module is guaranteed to be real, and the security is improved.
Step S1163, the mobile phone security module receives a confirmation instruction output by the mobile phone keyboard;
specifically, after a user confirms that key information displayed on a display screen of the mobile phone is correct, the user presses a confirmation key on the mobile phone, wherein the confirmation key can be a hardware key arranged on the mobile phone or a virtual key of the touch screen mobile phone, and after a mobile phone security module receives a confirmation instruction output by a mobile phone keyboard, the authenticity of the information to be transmitted is confirmed, and preparation for subsequent secure transmission is made.
Step S1164, after the mobile phone security module receives the confirmation instruction output by the mobile phone keyboard, executing the step that the mobile phone security module sends the first processing information to the user identification card.
Specifically, only the information to be transmitted which is confirmed by the user key is considered as the real information to be transmitted, so that the authenticity of the information to be transmitted is ensured, and the authenticity of confidential information output and the safety of transaction information output are improved.
Fig. 2 is a schematic structural diagram of a mobile phone according to embodiment 1 of the present invention. The mobile phone of embodiment 1 uses the data processing method based on a negotiation key according to embodiment 1, so the details are not repeated here.
It should be understood that the mobile phone of the present invention is not limited to the structure division shown in fig. 2, and other similar structure divisions shall fall within the scope of the present invention.
Referring to fig. 2, a mobile phone provided in embodiment 1 of the present invention includes: a mobile phone security module 10 and a user identification card 20; wherein,
the second transceiving unit 201 in the user identity identification card 20 is configured to send first authentication information to the mobile phone security module 10, where the first authentication information at least includes: a first random factor and a user identification card 20 certificate;
the first transceiving unit 101 in the mobile phone security module 10 is configured to receive first authentication information;
the first verification unit 102 in the mobile phone security module 10 is configured to verify the validity of the certificate of the user identification card 20 after the first transceiving unit 101 receives the first authentication information;
the first encryption unit 103 in the mobile phone security module 10 is configured to encrypt at least the first random factor and the second random factor by using the public key of the user identification card 20 carried in the certificate of the user identification card 20 after the first verification unit 102 verifies that the certificate of the user identification card 20 is legal, so as to obtain first ciphertext information;
a first signature unit 105 in the mobile phone security module 10, configured to sign the first ciphertext information obtained by the first encryption unit 103, so as to obtain first signature information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to send second authentication information to the user identification card 20, where the second authentication information at least includes: the first ciphertext information, the first signature information and the mobile phone security module 10 certificate;
the second transceiving unit 201 in the user identification card 20 is further configured to receive second authentication information;
the second verification unit 202 in the user identification card 20 is configured to verify the validity of the certificate of the mobile phone security module 10 after the second transceiving unit 201 receives the second authentication information;
the second verification unit 202 in the user identification card 20 is further configured to verify the correctness of the first signature information after verifying that the certificate of the mobile phone security module 10 is legal;
the second decryption unit 204 in the user identification card 20 is configured to decrypt the first ciphertext information to obtain a first random factor and a second random factor after the second verification unit 202 verifies that the first signature information is correct;
the second verification unit 202 in the user identification card 20 is further configured to verify the correctness of the first random factor after the second decryption unit 204 obtains the first random factor and the second random factor;
the second generating unit 206 in the user identification card 20 is configured to generate a third random factor after the second verifying unit 202 verifies that the first random factor is correct, and generate a negotiation key at the user identification card 20 end according to the second random factor and the third random factor;
the second encryption unit 203 in the user identification card 20 is configured to encrypt at least the second random factor and the third random factor through the public key of the mobile phone security module 10 carried in the certificate of the mobile phone security module 10 after the second generation unit 206 generates the third random factor, so as to obtain second ciphertext information;
the second transceiving unit 201 in the user identity card 20 is configured to send the second ciphertext information to the mobile phone security module 10 after the second encryption unit 203 obtains the second ciphertext information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to receive second ciphertext information;
the first decryption unit 104 in the mobile phone security module 10 is configured to decrypt the second ciphertext information after the first transceiver unit 101 receives the second ciphertext information, so as to obtain a second random factor and a third random factor;
a first generating unit 106 in the mobile phone security module 10, configured to generate a negotiation key at the mobile phone security module 10 end according to the second random factor and the third random factor after the first decryption unit 104 obtains the second random factor and the third random factor;
the first transceiving unit 101 of the mobile phone security module 10 and the second transceiving unit 201 of the user identification card 20 perform secure transmission of information through the negotiation key of the mobile phone security module 10 generated by the first generating unit 106 and the negotiation key of the user identification card 20 generated by the second generating unit 206.
Therefore, the mobile phone can safely carry out online banking and/or confidential information transmission.
In addition, the obtaining unit 107 in the mobile phone security module 10 is configured to obtain information to be transmitted;
the second signature unit 205 in the user identification card 20 is configured to sign the information to be transmitted, so as to obtain second signature information;
and the sending-out unit 107 in the mobile phone security module 10 is used for sending out at least the second signature information.
At this time, the secure transmission of information may be achieved by one of the following:
Mode one:
the first encryption unit 103 in the mobile phone security module 10 is further configured to encrypt the information to be transmitted, which is acquired by the acquisition unit 107, by using a negotiation key at the mobile phone security module 10 side, so as to obtain third ciphertext information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to send first processing information to the user identification card 20, where the first processing information at least includes: third ciphertext information;
a second transceiving unit 201 in the user identification card 20, configured to receive the first processing information;
the second decryption unit 204 in the user identification card 20 is further configured to decrypt the third ciphertext information through the negotiation key at the user identification card 20 end after the second transceiving unit 201 receives the first processing information, so as to obtain information to be transmitted;
the second signature unit 205 in the user identification card 20 is further configured to sign the information to be transmitted after the second decryption unit 204 obtains the information to be transmitted, so as to obtain second signature information;
the second encryption unit 203 in the user identification card 20 is further configured to encrypt the second signature information through a negotiation key at the user identification card 20 end, so as to obtain fourth ciphertext information;
the second transceiving unit 201 in the user identification card 20 is further configured to send second processing information to the mobile phone security module 10 after the second encryption unit 203 obtains the fourth ciphertext information, where the second processing information at least includes: the fourth ciphertext information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to receive second processing information;
the first decryption unit 104 in the mobile phone security module 10 is further configured to decrypt the fourth ciphertext information through the negotiation key at the mobile phone security module 10 side after the first transceiving unit 101 receives the second processing information, so as to obtain second signature information;
the sending-out unit 108 in the mobile phone security module 10 is configured to send out at least the second signature information after the first decryption unit 104 obtains the second signature information.
Mode two:
the first check calculation unit 107 in the mobile phone security module 10 is configured to perform check calculation on the information to be transmitted, which is acquired by the acquisition unit 107, through the negotiation key at the mobile phone security module 10 end, so as to obtain first check information;
the first transceiving unit 101 in the mobile phone security module 10 is configured to send first processing information to the user identification card 20, where the first processing information at least includes: the information to be transmitted and the first check information;
the second transceiving unit 201 in the user identification card 20 is further configured to receive the first processing information;
the second verification unit 202 in the user identification card 20 is further configured to verify the first processing information through a negotiation key at the user identification card 20 end after the second transceiver unit 201 receives the first processing information;
the second signature unit 205 in the user identification card 20 is further configured to sign the information to be transmitted to obtain second signature information after the second verification unit 202 verifies the first processing information;
the second check calculation unit 207 in the user identification card 20 is configured to perform check calculation on the second signature information through the negotiation key at the user identification card 20 end to obtain second check information;
the second transceiving unit 201 in the user identification card 20 is further configured to send second processing information to the mobile phone security module 10, where the second processing information at least includes: second signature information and second check information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to receive second processing information;
the first verification unit 102 in the mobile phone security module 10 is further configured to verify the second processing information through a negotiation key at the mobile phone security module 10 after the first transceiver unit 101 receives the second processing information;
the sending-out unit 108 in the mobile phone security module 10 is configured to send out at least the second signature information after the first verification unit 102 verifies the second processing information.
Mode three:
the first encryption unit 103 in the mobile phone security module 10 is further configured to encrypt the information to be transmitted, which is acquired by the acquisition unit 107, by using a negotiation key at the mobile phone security module 10 end to obtain third ciphertext information, and the first check calculation unit 107 in the mobile phone security module 10 is configured to perform check calculation on the third ciphertext information to obtain first check information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to send first processing information to the user identification card 20, where the first processing information at least includes: the third ciphertext information and the first check information;
the second transceiving unit 201 in the user identification card 20 is further configured to receive the first processing information;
the second verification unit 202 in the user identification card 20 is further configured to verify the first processing information through a negotiation key at the user identification card 20 end after the second transceiver unit 201 receives the first processing information;
the second decryption unit 204 in the user identification card 20 is further configured to decrypt the third ciphertext information through the negotiation key at the user identification card 20 end after the second verification unit 202 passes the verification of the first processing information, so as to obtain information to be transmitted;
the second signature unit 205 in the user identification card 20 is further configured to sign the information to be transmitted after the second decryption unit 204 obtains the information to be transmitted, so as to obtain second signature information;
the second encryption unit 203 in the user identification card 20 is further configured to encrypt the second signature information through the negotiation key at the user identification card 20 end after the second signature unit 205 obtains the second signature information, so as to obtain fourth ciphertext information, and the second check calculation unit 207 in the user identification card 20 is configured to perform check calculation on the fourth ciphertext information, so as to obtain second check information;
the second transceiving unit 201 in the user identification card 20 is further configured to send second processing information to the mobile phone security module 10, where the second processing information at least includes: the fourth ciphertext information and the second check information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to receive second processing information;
the first verification unit 102 in the mobile phone security module 10 is further configured to verify the second processing information through a negotiation key at the mobile phone security module 10 after the first transceiver unit 101 receives the second processing information;
the first decryption unit 104 in the mobile phone security module 10 is further configured to decrypt the fourth ciphertext information through the negotiation key at the mobile phone security module 10 side after the first verification unit 102 verifies the second processing information, so as to obtain second signature information;
the sending-out unit 108 in the mobile phone security module 10 is further configured to send out at least the second signature information after the first decryption unit 104 obtains the second signature information.
Mode four:
the first encryption unit 103 in the mobile phone security module 10 is further configured to encrypt the information to be transmitted, which is acquired by the acquisition unit 107, by using a negotiation key at the mobile phone security module 10 end to obtain third ciphertext information, and the first check calculation unit 107 in the mobile phone security module 10 is configured to perform check calculation on the third ciphertext information to obtain first check information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to send first processing information to the user identification card 20, where the first processing information at least includes: the third ciphertext information and the first check information;
the second transceiving unit 201 in the user identification card 20 is further configured to receive the first processing information;
the second verification unit 202 in the user identification card 20 is further configured to verify the first processing information through a negotiation key at the user identification card 20 end after the second transceiver unit 201 receives the first processing information;
the second decryption unit 204 in the user identification card 20 is further configured to decrypt the third ciphertext information through the negotiation key at the user identification card 20 end after the second verification unit 202 passes the verification of the first processing information, so as to obtain information to be transmitted;
the second signature unit 205 in the user identification card 20 is further configured to sign the information to be transmitted after the second decryption unit 204 obtains the information to be transmitted, so as to obtain second signature information;
the second encryption unit 203 in the user identification card 20 is further configured to encrypt the second signature information through a negotiation key at the user identification card 20 end after the second signature unit 205 obtains the second signature information, so as to obtain fourth ciphertext information;
the second transceiving unit 201 in the user identification card 20 is further configured to send second processing information to the mobile phone security module 10, where the second processing information at least includes: the fourth ciphertext information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to receive second processing information;
the first decryption unit 104 in the mobile phone security module 10 is further configured to decrypt the fourth ciphertext information through the negotiation key at the mobile phone security module 10 side after the first transceiving unit 101 receives the second processing information, so as to obtain second signature information;
the sending-out unit 108 in the mobile phone security module 10 is further configured to send out at least the second signature information after the first decryption unit 104 obtains the second signature information.
Mode five:
the first encryption unit 103 in the mobile phone security module 10 is further configured to encrypt the information to be transmitted, which is acquired by the acquisition unit 107, by using a negotiation key at the mobile phone security module 10 end to obtain third ciphertext information, and the first check calculation unit 107 in the mobile phone security module 10 is configured to perform check calculation on the third ciphertext information to obtain first check information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to send first processing information to the user identification card 20, where the first processing information at least includes: the third ciphertext information and the first check information;
the second transceiving unit 201 in the user identification card 20 is further configured to receive the first processing information;
the second verification unit 202 in the user identification card 20 is further configured to verify the first processing information through a negotiation key at the user identification card 20 end after the second transceiver unit 201 receives the first processing information;
the second decryption unit 204 in the user identification card 20 is further configured to decrypt the third ciphertext information through the negotiation key at the user identification card 20 end after the second verification unit 202 passes the verification of the first processing information, so as to obtain information to be transmitted;
the second signature unit 205 in the user identification card 20 is further configured to sign the information to be transmitted after the second decryption unit 204 obtains the information to be transmitted, so as to obtain second signature information;
the second check calculation unit 207 in the user identification card 20 is configured to perform check calculation on the second signature information after the second signature unit 205 obtains the second signature information, so as to obtain second check information;
the second transceiving unit 201 in the user identification card 20 is further configured to send second processing information to the mobile phone security module 10, where the second processing information at least includes: second signature information and second check information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to receive second processing information;
the first verification unit 102 in the mobile phone security module 10 is further configured to verify the second processing information through a negotiation key at the mobile phone security module 10 after the first transceiver unit 101 receives the second processing information;
the sending-out unit 108 in the mobile phone security module 10 is further configured to send out at least the second signature information after the first verification unit 102 verifies the second processing information.
Mode six:
the first encryption unit 103 in the mobile phone security module 10 is further configured to encrypt the information to be transmitted, which is acquired by the acquisition unit 107, by using a negotiation key at the mobile phone security module 10 side, so as to obtain third ciphertext information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to send first processing information to the user identification card 20, where the first processing information at least includes: third ciphertext information;
the second transceiving unit 201 in the user identification card 20 is further configured to receive the first processing information;
the second decryption unit 204 in the user identification card 20 is further configured to decrypt the third ciphertext information through the negotiation key at the user identification card 20 end after the second transceiving unit 201 receives the first processing information, so as to obtain information to be transmitted;
the second signature unit 205 in the user identification card 20 is further configured to sign the information to be transmitted after the second decryption unit 204 obtains the information to be transmitted, so as to obtain second signature information;
the second encryption unit 203 in the user identification card 20 is further configured to encrypt the second signature information through the negotiation key at the user identification card 20 end after the second signature unit 205 obtains the second signature information, so as to obtain fourth ciphertext information, and the second check calculation unit 207 in the user identification card 20 is configured to perform check calculation on the fourth ciphertext information, so as to obtain second check information;
the second transceiving unit 201 in the user identification card 20 is further configured to send second processing information to the mobile phone security module 10, where the second processing information at least includes: the fourth ciphertext information and the second check information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to receive second processing information;
the first verification unit 102 in the mobile phone security module 10 is further configured to verify the second processing information through a negotiation key at the mobile phone security module 10 after the first transceiver unit 101 receives the second processing information;
the first decryption unit 104 in the mobile phone security module 10 is further configured to decrypt the fourth ciphertext information through the negotiation key at the mobile phone security module 10 side after the first verification unit 102 verifies the second processing information, so as to obtain second signature information;
the sending-out unit 108 in the mobile phone security module 10 is further configured to send out at least the second signature information after the first decryption unit 104 obtains the second signature information.
Mode seven:
the first check calculation unit 107 in the mobile phone security module 10 is configured to perform check calculation on the information to be transmitted, which is acquired by the acquisition unit 107, through the negotiation key at the mobile phone security module 10 end, so as to obtain first check information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to send first processing information to the user identification card 20, where the first processing information at least includes: information to be transmitted and first check information;
the second transceiving unit 201 in the user identification card 20 is further configured to receive the first processing information;
the second verification unit 202 in the user identification card 20 is further configured to verify the first processing information through a negotiation key at the user identification card 20 end after the second transceiver unit 201 receives the first processing information;
the second signature unit 205 in the user identification card 20 is further configured to sign the information to be transmitted to obtain second signature information after the second verification unit 202 verifies the first processing information;
the second encryption unit 203 in the user identification card 20 is further configured to encrypt the second signature information through the negotiation key at the user identification card 20 end after the second signature unit 205 obtains the second signature information, so as to obtain fourth ciphertext information, and the second check calculation unit 207 in the user identification card 20 is configured to perform check calculation on the fourth ciphertext information, so as to obtain second check information;
the second transceiving unit 201 in the user identification card 20 is further configured to send second processing information to the mobile phone security module 10, where the second processing information at least includes: the fourth ciphertext information and the second check information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to receive second processing information;
the first verification unit 102 in the mobile phone security module 10 is further configured to verify the second processing information through a negotiation key at the mobile phone security module 10 after the first transceiver unit 101 receives the second processing information;
the first decryption unit 104 in the mobile phone security module 10 is further configured to decrypt the fourth ciphertext information through the negotiation key at the mobile phone security module 10 side after the first verification unit 102 verifies the second processing information, so as to obtain second signature information;
the sending-out unit 108 in the mobile phone security module 10 is further configured to send out at least the second signature information after the first decryption unit 104 obtains the second signature information.
Of course, in modes one to seven, wherever the check calculation is performed on ciphertext information, it may instead be performed on the original text (plaintext) of that ciphertext information. In that case, after the check information and the ciphertext information are received, the ciphertext information is first decrypted to obtain its original text, and the check information is then verified. Either approach may be used, as long as it ensures that the ciphertext information or its original text cannot be tampered with.
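Mode three with the check calculated over the ciphertext, together with the plaintext variant allowed by the paragraph above, as an added example that is not taken from the patent. The patent names no algorithms, so the HMAC-SHA256 check, the HMAC-based stream cipher, the HMAC stand-in for the card's signature, the sub-key derivation, the direction labels, the sample keys and all function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample values; in the patent the negotiation key comes from the
# handshake and the signing key is the card's private key.
NEGOTIATION_KEY = bytes(range(32))
CARD_SIGNING_KEY = b"constructed-card-signing-key"
TO_CARD, TO_MODULE = b"module->card", b"card->module"  # assumed direction labels


class IntegrityError(Exception):
    """Raised when received check information does not match the data."""


def derive_keys(negotiation_key):
    # Assumption: separate sub-keys for encryption and for the check calculation.
    enc = hmac.new(negotiation_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(negotiation_key, b"check", hashlib.sha256).digest()
    return enc, mac


def _keystream(key, nonce, length):
    # Stand-in cipher: HMAC-SHA256 in counter mode (the patent names no cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(16)  # fresh per message, sent in front of the ciphertext
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def check_info(key, data, direction):
    # "Check calculation": a keyed MAC bound to the direction of travel.
    return hmac.new(key, direction + b"|" + data, hashlib.sha256).digest()


def sign(card_key, info):
    # Stand-in for the card's private-key signature (second signature information).
    return hmac.new(card_key, info, hashlib.sha256).digest()


def protect(keys, data, direction, check_over):
    enc_key, mac_key = keys
    ciphertext = encrypt(enc_key, data)
    covered = ciphertext if check_over == "ciphertext" else data
    return ciphertext, check_info(mac_key, covered, direction)


def unprotect(keys, ciphertext, tag, direction, check_over):
    enc_key, mac_key = keys
    if check_over == "ciphertext":
        # Verify first, decrypt only after the check passes.
        if not hmac.compare_digest(tag, check_info(mac_key, ciphertext, direction)):
            raise IntegrityError("check information mismatch")
        return decrypt(enc_key, ciphertext)
    # Plaintext variant: decrypt, then verify the check over the original text.
    data = decrypt(enc_key, ciphertext)
    if not hmac.compare_digest(tag, check_info(mac_key, data, direction)):
        raise IntegrityError("check information mismatch")
    return data


def card_process(keys, first_processing_info, check_over):
    # User identification card side: verify, decrypt, sign, encrypt, check.
    ct3, tag1 = first_processing_info
    info = unprotect(keys, ct3, tag1, TO_CARD, check_over)
    return protect(keys, sign(CARD_SIGNING_KEY, info), TO_MODULE, check_over)


def run_mode_three(info, check_over="ciphertext", tamper_in_transit=False):
    """Module -> card -> module round trip; returns the second signature information."""
    keys = derive_keys(NEGOTIATION_KEY)  # both ends hold the same negotiation key
    ct3, tag1 = protect(keys, info, TO_CARD, check_over)
    if tamper_in_transit:
        # Constructed fault: one bit of the third ciphertext changes on the way.
        ct3 = ct3[:-1] + bytes([ct3[-1] ^ 0x01])
    ct4, tag2 = card_process(keys, (ct3, tag1), check_over)
    return unprotect(keys, ct4, tag2, TO_MODULE, check_over)


if __name__ == "__main__":
    message = b"transfer 100.00 to account 0000-1111"  # constructed sample
    print(run_mode_three(message).hex())
    try:
        run_mode_three(message, tamper_in_transit=True)
    except IntegrityError as exc:
        print("card refused to sign:", exc)
```

In both variants the card refuses to sign when the third ciphertext was altered; the ciphertext variant rejects it before any decryption takes place.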
In addition, the mobile phone security module 10 may also display key information in the information to be transmitted, so that the user can confirm the authenticity of the information to be transmitted.
The extraction unit 109 in the mobile phone security module 10 is configured to extract key information in the information to be transmitted;
the control unit 110 in the mobile phone security module 10 is configured to control a mobile phone display screen to display the key information in the information to be transmitted extracted by the extraction unit 109;
the receiving unit 111 in the mobile phone security module 10 is configured to receive a confirmation instruction output by the mobile phone keypad and, after receiving the confirmation instruction, notify the first transceiving unit 101 to send the first processing information to the user identification card 20.
In addition, the third random factor is generated by the second generating unit 206 of the user identification card 20 according to the first random factor and the second random factor, or the third random factor is randomly generated by the second generating unit 206 in the user identification card 20.
Moreover, the mobile phone security module 10 may be a module independent of the mobile phone CPU, or the mobile phone security module 10 may be provided in a secure area in the mobile phone CPU.
Embodiment 2
Embodiment 2 differs from embodiment 1 in that the authentication process and the key generation process between the mobile phone security module and the user identification card are the reverse of those in embodiment 1. The details are not repeated here; only the data processing method based on the negotiation key and the mobile phone provided in embodiment 2 are briefly described.
Fig. 3 is a flowchart illustrating a data processing method based on a negotiation key according to embodiment 2 of the present invention, and referring to fig. 2, the data processing method based on a negotiation key according to embodiment 2 of the present invention includes:
step S201, the mobile phone security module sends first authentication information to the user identity identification card, wherein the first authentication information at least comprises: a first random factor and a mobile phone security module certificate;
step S202, after the user identity identification card receives the first authentication information, the legality of the mobile phone security module certificate is verified;
step S203, if the user identity card verifies that the mobile phone security module certificate is legal, the user identity card encrypts at least a first random factor and a second random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate to obtain first ciphertext information;
step S204, the user identity identification card signs the first ciphertext information to obtain first signature information;
step S205, the user identity identification card sends second authentication information to the mobile phone security module, where the second authentication information at least includes: the first ciphertext information, the first signature information and the user identity identification card certificate;
step S206, after the mobile phone security module receives the second authentication information, the validity of the user identification card certificate is verified;
step S207, if the mobile phone security module verifies that the user identification card certificate is legal, the mobile phone security module verifies the correctness of the first signature information;
step S208, if the mobile phone security module verifies that the first signature information is correct, the mobile phone security module decrypts the first ciphertext information to obtain a first random factor and a second random factor;
step S209, after obtaining the first random factor and the second random factor, the mobile phone security module verifies the correctness of the first random factor;
step S210, if the mobile phone security module verifies that the first random factor is correct, the mobile phone security module generates a third random factor, and generates a negotiation key of the mobile phone security module end according to the second random factor and the third random factor;
step S211, the mobile phone security module encrypts at least a second random factor and a third random factor through a public key of the user identification card carried in the user identification card certificate to obtain second ciphertext information;
step S212, the mobile phone security module sends the second ciphertext information to the user identity identification card;
step S213, after receiving the second ciphertext information, the user identity identification card decrypts the second ciphertext information to obtain a second random factor and a third random factor;
step S214, the user identity identification card generates a negotiation key of the user identity identification card end according to the second random factor and the third random factor;
step S215, the secure transmission of information is performed between the mobile phone security module and the user identity identification card through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end.
Therefore, the data processing method based on the negotiation key can ensure that the mobile phone can safely execute the online banking business and/or the confidential information transmission.
In step S215, the process of performing secure transmission of information between the mobile phone security module and the user identity identification card through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end is the same as that in embodiment 1, and is not described herein again.
Fig. 4 shows a schematic structural diagram of a mobile phone provided in embodiment 2 of the present invention, and referring to fig. 2, the mobile phone provided in embodiment 2 of the present invention includes: a mobile phone security module 10 and a user identification card 20; wherein,
the first transceiving unit 101 in the mobile phone security module 10 is configured to send first authentication information to the user identification card 20, where the first authentication information at least includes: a first random factor and a mobile phone security module 10 certificate;
a second transceiving unit 201 in the user identification card 20, configured to receive the first authentication information;
the second verification unit 202 in the user identification card 20 is configured to verify the validity of the certificate of the mobile phone security module 10 after the second transceiving unit 201 receives the first authentication information;
the second encryption unit 203 in the user identification card 20 is configured to encrypt at least the first random factor and the second random factor by using the public key of the mobile phone security module 10 carried in the certificate of the mobile phone security module 10 after the second verification unit 202 verifies that the certificate of the mobile phone security module 10 is legal, so as to obtain first ciphertext information;
the second signature unit 205 in the user identification card 20 is configured to sign the first ciphertext information after the second encryption unit 203 obtains the first ciphertext information, so as to obtain first signature information;
the second transceiving unit 201 in the user identification card 20 is further configured to send second authentication information to the mobile phone security module 10, where the second authentication information at least includes: the first ciphertext information, the first signature information and the user identity identification card 20 certificate;
the first transceiving unit 101 in the mobile phone security module 10 is configured to receive second authentication information;
the first verification unit 102 in the mobile phone security module 10 is configured to verify the validity of the certificate of the user identification card 20 after the first transceiving unit 101 receives the second authentication information;
the first verification unit 102 in the mobile phone security module 10 is further configured to verify the correctness of the first signature information after verifying that the certificate of the user identification card 20 is legal;
the first decryption unit 104 in the mobile phone security module 10 is configured to decrypt the first ciphertext information to obtain a first random factor and a second random factor after the first verification unit 102 verifies that the first signature information is correct;
the first verification unit 102 in the mobile phone security module 10 is further configured to verify the correctness of the first random factor after the first decryption unit 104 obtains the first random factor and the second random factor;
the first generating unit 106 in the mobile phone security module 10 is configured to generate a third random factor after the first verifying unit 102 verifies that the first random factor is correct, and generate a negotiation key at the mobile phone security module 10 end according to the second random factor and the third random factor;
the first encryption unit 103 in the mobile phone security module 10 is further configured to encrypt at least the second random factor and the third random factor by using the public key of the user identification card 20 carried in the certificate of the user identification card 20 after the first generation unit 106 generates the third random factor, so as to obtain second ciphertext information;
the first transceiving unit 101 in the mobile phone security module 10 is further configured to send the second ciphertext information obtained by the first encrypting unit 103 to the user identity card 20;
the second transceiving unit 201 in the user identification card 20 is further configured to receive second ciphertext information;
the second decryption unit 204 in the user identification card 20 is configured to decrypt the second ciphertext information after the second transceiving unit 201 receives the second ciphertext information, so as to obtain a second random factor and a third random factor;
a second generating unit 206 in the user identification card 20, configured to generate a negotiation key of the user identification card 20 according to the second random factor and the third random factor;
the first transceiver 101 in the mobile phone security module 10 and the second transceiver 201 in the user identification card 20 perform secure transmission of information through the negotiation key of the mobile phone security module 10 generated by the first generation unit 106 and the negotiation key of the user identification card 20 generated by the second generation unit 206.
Therefore, the mobile phone can safely execute the online banking business and/or the confidential information transmission.
The structure used for the secure transmission of information between the mobile phone security module 10 and the user identification card 20 through the negotiation key of the mobile phone security module 10 end generated by the first generating unit 106 and the negotiation key of the user identification card 20 end generated by the second generating unit 206 is the same as that in embodiment 1, and is not described herein again.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps of the methods in the above embodiments may be carried out by a program instructing the relevant hardware. The program may be stored in a computer readable storage medium, and when executed, it performs one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, a reference to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, such terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (23)

1. A data processing method based on a negotiation key, characterized by comprising the following steps:
the user identity identification card sends first authentication information to the mobile phone security module, wherein the first authentication information at least comprises: a first random factor and a user identification card certificate;
after receiving the first authentication information, the mobile phone security module verifies the validity of the user identity identification card certificate;
if the mobile phone security module verifies that the user identification card certificate is legal, the mobile phone security module encrypts at least the first random factor and the second random factor through a public key of the user identification card carried in the user identification card certificate to obtain first ciphertext information;
the mobile phone security module signs the first ciphertext information to obtain first signature information;
the mobile phone security module sends second authentication information to the user identity identification card, wherein the second authentication information at least comprises: the first ciphertext information, the first signature information and a mobile phone security module certificate;
after receiving the second authentication information, the user identity identification card verifies the legality of the mobile phone security module certificate;
if the user identity identification card verifies that the mobile phone security module certificate is legal, the user identity identification card verifies the correctness of the first signature information;
if the user identification card verifies that the first signature information is correct, the user identification card decrypts the first ciphertext information by using a private key of the user identification card to obtain the first random factor and the second random factor;
after the user identity identification card obtains the first random factor and the second random factor, verifying the correctness of the first random factor;
if the user identification card verifies that the first random factor is correct, the user identification card generates a third random factor, and generates a negotiation key of the user identification card end according to the second random factor and the third random factor;
the user identity identification card encrypts at least the second random factor and the third random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate to obtain second ciphertext information;
the user identity identification card sends the second ciphertext information to the mobile phone security module;
after receiving the second ciphertext information, the mobile phone security module decrypts the second ciphertext information to obtain the second random factor and the third random factor;
the mobile phone security module generates a negotiation key of the mobile phone security module end according to the second random factor and the third random factor;
and the mobile phone security module and the user identity identification card perform secure information transmission through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end.
2. A data processing method based on a negotiation key, characterized by comprising the following steps:
the mobile phone security module sends first authentication information to the user identity identification card, wherein the first authentication information at least comprises: a first random factor and a mobile phone security module certificate;
after receiving the first authentication information, the user identity identification card verifies the legality of the mobile phone security module certificate;
if the user identity identification card verifies that the mobile phone security module certificate is legal, the user identity identification card encrypts at least the first random factor and the second random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate to obtain first ciphertext information;
the user identity identification card signs the first ciphertext information to obtain first signature information;
the user identity identification card sends second authentication information to the mobile phone security module, wherein the second authentication information at least comprises: the first ciphertext information, the first signature information and the user identity identification card certificate;
after receiving the second authentication information, the mobile phone security module verifies the validity of the user identity identification card certificate;
if the mobile phone security module verifies that the user identification card certificate is legal, the mobile phone security module verifies the correctness of the first signature information;
if the mobile phone security module verifies that the first signature information is correct, the mobile phone security module decrypts the first ciphertext information by using a private key of the mobile phone security module to obtain the first random factor and the second random factor;
after the mobile phone security module obtains the first random factor and the second random factor, verifying the correctness of the first random factor;
if the mobile phone security module verifies that the first random factor is correct, the mobile phone security module generates a third random factor, and generates a negotiation key of the mobile phone security module according to the second random factor and the third random factor;
the mobile phone security module encrypts at least the second random factor and the third random factor through a public key of the user identification card carried in the user identification card certificate to obtain second ciphertext information;
the mobile phone security module sends the second ciphertext information to the user identity identification card;
after receiving the second ciphertext information, the user identity identification card decrypts the second ciphertext information to obtain the second random factor and the third random factor;
the user identity identification card generates a negotiation key of the user identity identification card end according to the second random factor and the third random factor;
and the mobile phone security module and the user identity identification card perform secure information transmission through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end.
3. The method according to claim 1 or 2, wherein the step of securely transmitting information between the mobile phone security module and the user identity identification card through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end comprises:
the mobile phone security module acquires information to be transmitted;
the mobile phone security module encrypts the information to be transmitted through a negotiation key of the mobile phone security module end to obtain third ciphertext information;
the mobile phone security module sends first processing information to the user identity identification card, wherein the first processing information at least comprises: the third ciphertext information;
after receiving the first processing information, the user identity identification card decrypts the third ciphertext information through a negotiation key of the user identity identification card end to obtain information to be transmitted;
the user identity identification card signs the information to be transmitted to obtain second signature information;
the user identity identification card encrypts the second signature information through a negotiation key of the user identity identification card end to obtain fourth ciphertext information;
the user identity identification card sends second processing information to the mobile phone security module, wherein the second processing information at least comprises: the fourth ciphertext information;
after the mobile phone security module receives the second processing information, the fourth ciphertext information is decrypted through a negotiation key of the mobile phone security module end, and the second signature information is obtained;
and the mobile phone security module at least sends out the second signature information.
4. The method according to claim 1 or 2, wherein the step of securely transmitting information between the mobile phone security module and the user identity identification card through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end comprises:
the mobile phone security module acquires information to be transmitted;
the mobile phone security module carries out verification calculation on the information to be transmitted through a negotiation key of the mobile phone security module end to obtain first verification information;
the mobile phone security module sends first processing information to the user identity identification card, wherein the first processing information at least comprises: the information to be transmitted and the first verification information;
after receiving the first processing information, the user identity identification card verifies the first processing information through a negotiation key of the user identity identification card end;
if the user identity identification card passes the verification of the first processing information, the user identity identification card signs the information to be transmitted to obtain second signature information;
the user identity identification card carries out verification calculation on the second signature information through a negotiation key of the user identity identification card end to obtain second verification information;
the user identity identification card sends second processing information to the mobile phone security module, wherein the second processing information at least comprises: the second signature information and the second verification information;
after the mobile phone security module receives the second processing information, the second processing information is verified through a negotiation key of the mobile phone security module end;
and if the mobile phone security module passes the verification of the second processing information, the mobile phone security module at least sends out the second signature information.
5. The method according to claim 1 or 2, wherein the step of securely transmitting information between the mobile phone security module and the user identity identification card through the negotiation key of the mobile phone security module end and the negotiation key of the user identity identification card end comprises:
the mobile phone security module acquires information to be transmitted;
the mobile phone security module encrypts the information to be transmitted through a negotiation key of the mobile phone security module end to obtain third ciphertext information, and performs verification calculation on the third ciphertext information to obtain first verification information;
the mobile phone security module sends first processing information to the user identity identification card, wherein the first processing information at least comprises: the third ciphertext information and the first verification information;
after receiving the first processing information, the user identity identification card verifies the first processing information through a negotiation key of the user identity identification card end;
if the user identification card passes the verification of the first processing information, the user identification card decrypts the third ciphertext information through a negotiation key of the user identification card end to obtain the information to be transmitted;
the user identity identification card signs the information to be transmitted to obtain second signature information;
the user identity identification card encrypts the second signature information through a negotiation key of the user identity identification card end to obtain fourth ciphertext information, and performs verification calculation on the fourth ciphertext information to obtain second verification information;
the user identity identification card sends second processing information to the mobile phone security module, wherein the second processing information at least comprises: the fourth ciphertext information and the second verification information;
after the mobile phone security module receives the second processing information, the second processing information is verified through a negotiation key of the mobile phone security module end;
if the mobile phone security module passes the verification of the second processing information, decrypting the fourth ciphertext information through a negotiation key of the mobile phone security module end to obtain second signature information;
and the mobile phone security module at least sends out the second signature information.
6. The method according to claim 3, wherein after the step of the mobile phone security module obtaining the information to be transmitted and before the step of the mobile phone security module sending the first processing information to the user identity identification card, the method further comprises:
the mobile phone security module extracts key information in the information to be transmitted;
the mobile phone security module controls a mobile phone display screen to display key information in the extracted information to be transmitted;
the mobile phone security module receives a confirmation instruction output by a mobile phone keyboard;
and after the mobile phone security module receives a confirmation instruction output by the mobile phone keyboard, executing the step that the mobile phone security module sends first processing information to the user identity identification card.
7. The method according to claim 4, wherein after the step of the mobile phone security module obtaining the information to be transmitted and before the step of the mobile phone security module sending the first processing information to the user identity identification card, the method further comprises:
the mobile phone security module extracts key information in the information to be transmitted;
the mobile phone security module controls a mobile phone display screen to display key information in the extracted information to be transmitted;
the mobile phone security module receives a confirmation instruction output by a mobile phone keyboard;
and after the mobile phone security module receives a confirmation instruction output by the mobile phone keyboard, executing the step that the mobile phone security module sends first processing information to the user identity identification card.
8. The method according to claim 5, wherein after the step of the mobile phone security module obtaining the information to be transmitted and before the step of the mobile phone security module sending the first processing information to the user identity identification card, the method further comprises:
the mobile phone security module extracts key information in the information to be transmitted;
the mobile phone security module controls a mobile phone display screen to display key information in the extracted information to be transmitted;
the mobile phone security module receives a confirmation instruction output by a mobile phone keyboard;
and after the mobile phone security module receives a confirmation instruction output by the mobile phone keyboard, executing the step that the mobile phone security module sends first processing information to the user identity identification card.
9. The method according to any one of claims 1, 2, 6, 7 and 8, wherein
when the third random factor is generated by the user identification card, the third random factor is generated by the user identification card according to the first random factor and the second random factor, or the third random factor is generated by the user identification card randomly;
when the third random factor is generated by the mobile phone security module, the third random factor is generated by the mobile phone security module according to the first random factor and the second random factor, or the third random factor is generated by the mobile phone security module randomly.
10. The method of any one of claims 1, 2, 6, 7 and 8, wherein the mobile phone security module is a module independent of a mobile phone CPU or is provided as a secure area in the mobile phone CPU.
11. A mobile phone, comprising: a user identity identification card and a mobile phone security module; wherein,
the second transceiving unit in the user identity identification card is used for sending first authentication information to the mobile phone security module, wherein the first authentication information at least comprises: a first random factor and a user identification card certificate;
the first transceiving unit in the mobile phone security module is used for receiving the first authentication information;
the first verification unit in the mobile phone security module is used for verifying the legality of the user identity card certificate after the first transceiving unit receives the first authentication information;
the first encryption unit in the mobile phone security module is used for encrypting at least the first random factor and the second random factor through a public key of the user identification card carried in the user identification card certificate after the first verification unit verifies that the user identification card certificate is legal, so as to obtain first ciphertext information;
the first signature unit in the mobile phone security module is used for signing the first ciphertext information obtained by the first encryption unit to obtain first signature information;
the first transceiving unit in the mobile phone security module is further configured to send second authentication information to the user identity card, where the second authentication information at least includes: the first ciphertext information, the first signature information and a mobile phone security module certificate;
the second transceiving unit in the user identity identification card is further configured to receive the second authentication information;
the second verification unit in the user identity identification card is used for verifying the legality of the mobile phone security module certificate after the second transceiving unit receives the second authentication information;
the second verification unit in the user identity identification card is also used for verifying the correctness of the first signature information after verifying that the mobile phone security module certificate is legal;
the second decryption unit in the user identification card is used for decrypting the first ciphertext information by using a private key of the user identification card after the second verification unit verifies that the first signature information is correct, so as to obtain the first random factor and the second random factor;
the second verification unit in the user identification card is further configured to verify the correctness of the first random factor after the second decryption unit obtains the first random factor and the second random factor;
the second generating unit in the user identity identification card is used for generating a third random factor after the second verifying unit verifies that the first random factor is correct, and generating a negotiation key of the user identity identification card end according to the second random factor and the third random factor;
the second encryption unit in the user identity identification card is used for encrypting at least the second random factor and the third random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate after the second generation unit generates the third random factor, so as to obtain second ciphertext information;
the second transceiving unit in the user identity identification card is used for sending the second ciphertext information to the mobile phone security module after the second encryption unit obtains the second ciphertext information;
the first transceiving unit in the mobile phone security module is further configured to receive the second ciphertext information;
the first decryption unit in the mobile phone security module is configured to decrypt the second ciphertext information after the first transceiver unit receives the second ciphertext information, so as to obtain the second random factor and the third random factor;
the first generating unit in the mobile phone security module is configured to generate a negotiation key of the mobile phone security module according to the second random factor and the third random factor after the first decryption unit obtains the second random factor and the third random factor;
and the first transceiving unit of the mobile phone security module and the second transceiving unit of the user identity identification card perform secure information transmission through the negotiation key of the mobile phone security module end generated by the first generating unit and the negotiation key of the user identity identification card end generated by the second generating unit.
12. A mobile phone, comprising: a user identity identification card and a mobile phone security module; wherein,
the first transceiving unit in the mobile phone security module is configured to send first authentication information to the user identity card, where the first authentication information at least includes: a first random factor and a mobile phone security module certificate;
the second transceiving unit in the user identity identification card is used for receiving the first authentication information;
the second verification unit in the user identity identification card is used for verifying the legality of the mobile phone security module certificate after the second transceiving unit receives the first authentication information;
the second encryption unit in the user identity identification card is used for encrypting at least the first random factor and the second random factor through a public key of the mobile phone security module carried in the mobile phone security module certificate after the second verification unit verifies that the mobile phone security module certificate is legal, so as to obtain first ciphertext information;
the second signature unit in the user identity identification card is used for signing the first ciphertext information after the second encryption unit obtains the first ciphertext information to obtain first signature information;
the second transceiving unit in the user identity identification card is further configured to send second authentication information to the mobile phone security module, where the second authentication information at least includes: the first ciphertext information, the first signature information and the user identity identification card certificate;
the first transceiving unit in the mobile phone security module is used for receiving the second authentication information;
the first verification unit in the mobile phone security module is used for verifying the legality of the user identity card certificate after the first transceiver unit receives the second authentication information;
the first verification unit in the mobile phone security module is further configured to verify the correctness of the first signature information after verifying that the user identification card certificate is legal;
the first decryption unit in the mobile phone security module is configured to decrypt the first ciphertext information by using a private key of the mobile phone security module after the first verification unit verifies that the first signature information is correct, so as to obtain the first random factor and the second random factor;
the first verification unit in the mobile phone security module is further configured to verify correctness of the first random factor after the first decryption unit obtains the first random factor and the second random factor;
the first generating unit in the mobile phone security module is configured to generate a third random factor after the first verifying unit verifies that the first random factor is correct, and generate a negotiation key of the mobile phone security module according to the second random factor and the third random factor;
the first encryption unit in the mobile phone security module is further configured to encrypt at least the second random factor and the third random factor through a public key of the user identification card carried in the user identification card certificate after the third random factor is generated by the first generation unit, so as to obtain second ciphertext information;
the first transceiving unit in the mobile phone security module is further configured to send the second ciphertext information obtained by the first encryption unit to the user identity identification card;
the second transceiving unit in the user identity identification card is further configured to receive the second ciphertext information;
the second decryption unit in the user identity identification card is configured to decrypt the second ciphertext information after the second transceiver unit receives the second ciphertext information, so as to obtain the second random factor and the third random factor;
a second generating unit in the user identity identification card, configured to generate a negotiation key of the user identity identification card end according to the second random factor and the third random factor;
and the first transceiving unit in the mobile phone security module and the second transceiving unit in the user identity identification card perform secure information transmission through the negotiation key of the mobile phone security module end generated by the first generating unit and the negotiation key of the user identity identification card end generated by the second generating unit.
13. The mobile phone according to claim 11, wherein
the mobile phone security module comprises an acquisition unit used for acquiring information to be transmitted;
the second signature unit in the user identity identification card is used for signing the information to be transmitted to obtain second signature information;
and the outward sending unit in the mobile phone security module is used for at least externally sending the second signature information.
14. The mobile phone according to claim 12, wherein
the mobile phone security module comprises an acquisition unit used for acquiring information to be transmitted;
the second signature unit in the user identity identification card is also used for signing the information to be transmitted to obtain second signature information;
and the outward sending unit in the mobile phone security module is used for at least externally sending the second signature information.
15. The mobile phone according to claim 13 or 14, wherein
the first encryption unit in the mobile phone security module is further configured to encrypt the information to be transmitted, which is acquired by the acquisition unit, by using a negotiation key of the mobile phone security module end, so as to acquire third ciphertext information;
the first transceiving unit in the mobile phone security module is further configured to send first processing information to the user identification card, where the first processing information at least includes: the third ciphertext information;
the second transceiving unit in the user identity identification card is used for receiving the first processing information;
the second decryption unit in the user identification card is further configured to decrypt the third ciphertext information through a negotiation key of the user identification card end after the second transceiving unit receives the first processing information, so as to obtain information to be transmitted;
the second signature unit in the user identity identification card is further configured to sign the information to be transmitted after the second decryption unit obtains the information to be transmitted, so as to obtain second signature information;
the second encryption unit in the user identification card is further configured to encrypt the second signature information through a negotiation key at the user identification card end to obtain fourth ciphertext information;
the second transceiving unit in the user identification card is further configured to send second processing information to the mobile phone security module after the second encryption unit obtains the fourth ciphertext information, where the second processing information at least includes: the fourth ciphertext information;
the first transceiving unit in the mobile phone security module is further configured to receive the second processing information;
the first decryption unit in the mobile phone security module is further configured to decrypt the fourth ciphertext information through a negotiation key of the mobile phone security module end after the first transceiving unit receives the second processing information, so as to obtain the second signature information;
and the outward sending unit in the mobile phone security module is used for sending out at least the second signature information after the first decryption unit obtains the second signature information.
16. The handset according to claim 13 or 14,
the first check calculation unit in the mobile phone security module is used for performing check calculation on the information to be transmitted acquired by the acquisition unit through a negotiation key of the mobile phone security module end to acquire first check information;
the first transceiving unit in the mobile phone security module is configured to send first processing information to the user identification card, where the first processing information at least includes: the information to be transmitted and the first check information;
the second transceiving unit in the user identification card is further configured to receive the first processing information;
the second verification unit in the user identification card is further configured to verify the first processing information through a negotiation key of the user identification card end after the second transceiving unit receives the first processing information;
the second signature unit in the user identification card is further configured to sign the information to be transmitted to obtain second signature information after the second verification unit verifies the first processing information;
the second check calculation unit in the user identification card is used for carrying out check calculation on the second signature information through a negotiation key of the user identification card end to obtain second check information;
the second transceiving unit in the user identification card is further configured to send second processing information to the mobile phone security module, where the second processing information at least includes: the second signature information and the second check information;
the first transceiving unit in the mobile phone security module is further configured to receive the second processing information;
the first verification unit in the mobile phone security module is further configured to verify the second processing information through a negotiation key of the mobile phone security module end after the first transceiving unit receives the second processing information;
and the outward sending unit in the mobile phone security module is used for sending out at least the second signature information after the first verification unit passes the verification of the second processing information.
17. The handset according to claim 13 or 14,
the first encryption unit in the mobile phone security module is further configured to encrypt the information to be transmitted, which is acquired by the acquisition unit, by using a negotiation key at the mobile phone security module end to acquire third ciphertext information, and the first check calculation unit in the mobile phone security module is configured to perform check calculation on the third ciphertext information to acquire first check information;
the first transceiving unit in the mobile phone security module is further configured to send first processing information to the user identification card, where the first processing information at least includes: the third ciphertext information and the first check information;
the second transceiving unit in the user identification card is also used for receiving the first processing information;
the second verification unit in the user identification card is further configured to verify the first processing information through a negotiation key of the user identification card end after the second transceiving unit receives the first processing information;
the second decryption unit in the user identification card is further configured to decrypt the third ciphertext information through a negotiation key of the user identification card end after the second verification unit passes verification of the first processing information, so as to obtain the information to be transmitted;
the second signature unit in the user identification card is further configured to sign the information to be transmitted after the second decryption unit obtains the information to be transmitted, so as to obtain second signature information;
the second encryption unit in the user identification card is further configured to encrypt the second signature information through a negotiation key at the user identification card end after the second signature information is obtained by the second signature unit, so as to obtain fourth ciphertext information, and the second check calculation unit in the user identification card is configured to perform check calculation on the fourth ciphertext information, so as to obtain second check information;
the second transceiving unit in the user identification card is further configured to send second processing information to the mobile phone security module, where the second processing information at least includes: the fourth ciphertext information and the second check information;
the first transceiving unit in the mobile phone security module is further configured to receive the second processing information;
the first verification unit in the mobile phone security module is further configured to verify the second processing information through a negotiation key of the mobile phone security module end after the first transceiving unit receives the second processing information;
the first decryption unit in the mobile phone security module is further configured to decrypt the fourth ciphertext information through a negotiation key of the mobile phone security module end after the first verification unit passes verification of the second processing information, so as to obtain the second signature information;
the outward sending unit in the mobile phone security module is further configured to send out at least the second signature information after the first decryption unit obtains the second signature information.
18. The handset according to claim 13 or 14,
the extraction unit in the mobile phone security module is used for extracting key information in the information to be transmitted;
the control unit in the mobile phone security module is used for controlling a mobile phone display screen to display key information in the information to be transmitted, which is extracted by the extraction unit;
and the receiving unit in the mobile phone security module is used for receiving a confirmation instruction output by a mobile phone keyboard and, after receiving the confirmation instruction, notifying the first transceiving unit to send the first processing information to the user identification card.
19. The handset according to claim 15,
the extraction unit in the mobile phone security module is used for extracting key information in the information to be transmitted;
the control unit in the mobile phone security module is used for controlling a mobile phone display screen to display key information in the information to be transmitted, which is extracted by the extraction unit;
and the receiving unit in the mobile phone security module is used for receiving a confirmation instruction output by a mobile phone keyboard and, after receiving the confirmation instruction, notifying the first transceiving unit to send the first processing information to the user identification card.
20. The handset according to claim 16,
the extraction unit in the mobile phone security module is used for extracting key information in the information to be transmitted;
the control unit in the mobile phone security module is used for controlling a mobile phone display screen to display key information in the information to be transmitted, which is extracted by the extraction unit;
and the receiving unit in the mobile phone security module is used for receiving a confirmation instruction output by a mobile phone keyboard and, after receiving the confirmation instruction, notifying the first transceiving unit to send the first processing information to the user identification card.
21. The handset according to claim 17,
the extraction unit in the mobile phone security module is used for extracting key information in the information to be transmitted;
the control unit in the mobile phone security module is used for controlling a mobile phone display screen to display key information in the information to be transmitted, which is extracted by the extraction unit;
and the receiving unit in the mobile phone security module is used for receiving a confirmation instruction output by a mobile phone keyboard and, after receiving the confirmation instruction, notifying the first transceiving unit to send the first processing information to the user identification card.
22. The handset according to any one of claims 11 to 14, 19 to 21,
when the third random factor is generated by the user identification card, the third random factor is generated by the second generation unit of the user identification card according to the first random factor and the second random factor, or the third random factor is randomly generated by the second generation unit in the user identification card;
when the third random factor is generated by the mobile phone security module, the third random factor is generated by the first generation unit of the mobile phone security module according to the first random factor and the second random factor, or the third random factor is randomly generated by the first generation unit in the mobile phone security module.
23. The mobile phone of any one of claims 11 to 14 and 19 to 21, wherein the mobile phone security module is a module independent from the mobile phone CPU, or the mobile phone security module is provided in a secure area in the mobile phone CPU.
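The exchange recited in claim 17 (encrypt, compute check information over the ciphertext, verify before decrypting, then return the signature the same way), as an added example that is not part of the patent text. The claims name no algorithms, so everything concrete here is an assumption: HMAC-SHA256 as the check calculation, an HMAC-based keystream standing in for a real cipher, a keyed hash standing in for the card's private-key signature, and the derived subkeys and direction labels.

```python
import hashlib
import hmac
import os

def subkey(negotiated_key: bytes, label: bytes) -> bytes:
    # Assumption: separate encryption and check keys derived from the one negotiation key.
    return hmac.new(negotiated_key, b"derive|" + label, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a standard-library stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(negotiated_key: bytes, direction: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then compute check information over the ciphertext."""
    nonce = os.urandom(16)
    ct = xor(plaintext, subkey(negotiated_key, b"enc"), nonce)
    mac_key = subkey(negotiated_key, b"mac")
    # Assumption: the direction label is bound into the check value to reject reflection.
    tag = hmac.new(mac_key, direction + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(negotiated_key: bytes, direction: bytes, blob: bytes) -> bytes:
    """Verify the check information first; decrypt only if it matches."""
    if len(blob) < 48:
        raise ValueError("processing information too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = subkey(negotiated_key, b"mac")
    expected = hmac.new(mac_key, direction + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("check information mismatch")
    return xor(ct, subkey(negotiated_key, b"enc"), nonce)

def card_sign(card_key: bytes, message: bytes) -> bytes:
    # Placeholder for the card's private-key signature (keyed hash under a card-only key).
    return hmac.new(card_key, message, hashlib.sha256).digest()

def card_handle(negotiated_key: bytes, card_key: bytes, first_info: bytes) -> bytes:
    """User identification card: verify, decrypt, sign, encrypt, add check information."""
    to_transmit = unseal(negotiated_key, b"phone->card", first_info)
    return seal(negotiated_key, b"card->phone", card_sign(card_key, to_transmit))

def phone_request_signature(negotiated_key, card_key, to_transmit, tamper=False):
    """Mobile phone security module side; card_key is passed only to simulate the card."""
    first = seal(negotiated_key, b"phone->card", to_transmit)
    if tamper:  # simulate one bit flipped on the phone-to-card channel
        first = first[:20] + bytes([first[20] ^ 1]) + first[21:]
    second = card_handle(negotiated_key, card_key, first)
    return unseal(negotiated_key, b"card->phone", second)

if __name__ == "__main__":
    k, ck = os.urandom(32), os.urandom(32)  # constructed sample keys
    print(phone_request_signature(k, ck, b"PAY 100.00 TO ACCT 6222-0001").hex())
```

Dropping the check information gives the encrypt-only variant of claim 15, and dropping the encryption gives the check-only variant of claim 16, where the information to be transmitted crosses the phone-to-card channel in the clear.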
CN201410040326.7A 2014-01-27 2014-01-27 A kind of data processing method and mobile phone based on arranging key Active CN103746802B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410040326.7A CN103746802B (en) 2014-01-27 2014-01-27 A kind of data processing method and mobile phone based on arranging key
PCT/CN2015/070554 WO2015109958A1 (en) 2014-01-27 2015-01-12 Data processing method based on negotiation key, and mobile phone

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410040326.7A CN103746802B (en) 2014-01-27 2014-01-27 A kind of data processing method and mobile phone based on arranging key

Publications (2)

Publication Number Publication Date
CN103746802A CN103746802A (en) 2014-04-23
CN103746802B true CN103746802B (en) 2017-07-25

Family

ID=50503793

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410040326.7A Active CN103746802B (en) 2014-01-27 2014-01-27 A kind of data processing method and mobile phone based on arranging key

Country Status (2)

Country Link
CN (1) CN103746802B (en)
WO (1) WO2015109958A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103746802B (en) * 2014-01-27 2017-07-25 天地融科技股份有限公司 A kind of data processing method and mobile phone based on arranging key
CN103944715B (en) * 2014-04-25 2017-09-19 天地融科技股份有限公司 A kind of data processing method based on arranging key
CN106156677B (en) * 2015-11-10 2018-11-30 天地融科技股份有限公司 Identity card card reading method and system
CN108243402B (en) * 2015-12-09 2021-06-01 Oppo广东移动通信有限公司 Method and device for reading and writing smart card
CN111132154B (en) * 2019-12-26 2022-10-21 飞天诚信科技股份有限公司 Method and system for negotiating session key

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1925428A (en) * 2006-09-28 2007-03-07 北京理工大学 Method for detecting network nonlicet nodes by adjacent supervise
CN101686127A (en) * 2008-09-24 2010-03-31 北京创原天地科技有限公司 Novel USBKey secure calling method and USBKey device
CN103002442A (en) * 2012-12-20 2013-03-27 邱华 Safe wireless local area network key distribution method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN203278851U (en) * 2013-03-06 2013-11-06 上海阳扬电子科技有限公司 Authenticated encryption device with wireless communication function
CN103746802B (en) * 2014-01-27 2017-07-25 天地融科技股份有限公司 A kind of data processing method and mobile phone based on arranging key

Also Published As

Publication number Publication date
WO2015109958A1 (en) 2015-07-30
CN103746802A (en) 2014-04-23

Similar Documents

Publication Publication Date Title
US11588637B2 (en) Methods for secure cryptogram generation
US9838205B2 (en) Network authentication method for secure electronic transactions
CN103095456B (en) The processing method of transaction message and system
US9338163B2 (en) Method using a single authentication device to authenticate a user to a service provider among a plurality of service providers and device for performing such a method
CN103944724B (en) A kind of subscriber identification card
CN103067402B (en) The generation method and system of digital certificate
CN103532719B (en) Dynamic password generation method, dynamic password generation system, as well as processing method and processing system of transaction request
US10147092B2 (en) System and method for signing and authenticating secure transactions through a communications network
EP2961094A1 (en) System and method for generating a random number
CN103944715B (en) A kind of data processing method based on arranging key
CN103248491B (en) A kind of backup method of electronic signature token private key and system
CN107784499B (en) Secure payment system and method of near field communication mobile terminal
JP2012530311A5 (en)
CN106022081B (en) A kind of card reading method of identity card card-reading terminal, identity card card-reading terminal and system
US10547451B2 (en) Method and device for authentication
CN103746802B (en) A kind of data processing method and mobile phone based on arranging key
CN103078742A (en) Generation method and system of digital certificate
WO2015135398A1 (en) Negotiation key based data processing method
CN104462949A (en) Method and device for calling plug-in
CN106469370A (en) A kind of method of commerce, system and electronic signature equipment
CN106056419A (en) Method, system and device for realizing independent transaction by using electronic signature equipment
CN103813321B (en) Agreement key based data processing method and mobile phone
Pratama et al. 2FMA-NetBank: A proposed two factor and mutual authentication scheme for efficient and secure internet banking
WO2015158173A1 (en) Agreement key-based data processing method
CN103888259B (en) A kind of subscriber identification card

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 1192805; Country of ref document: HK)
GR01 Patent grant
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: GR; Ref document number: 1192805; Country of ref document: HK)