CN104463016A - Data safety storing method suitable for IC cards and two-dimension codes - Google Patents

Data safety storing method suitable for IC cards and two-dimension codes Download PDF

Info

Publication number
CN104463016A
CN104463016A CN201410804342.9A CN201410804342A CN104463016A CN 104463016 A CN104463016 A CN 104463016A CN 201410804342 A CN201410804342 A CN 201410804342A CN 104463016 A CN104463016 A CN 104463016A
Authority
CN
China
Prior art keywords
code
card
key
fabrication
cipher key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410804342.9A
Other languages
Chinese (zh)
Other versions
CN104463016B (en
Inventor
郭东辉
姜林美
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen University
Original Assignee
Xiamen University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen University filed Critical Xiamen University
Priority to CN201410804342.9A priority Critical patent/CN104463016B/en
Publication of CN104463016A publication Critical patent/CN104463016A/en
Application granted granted Critical
Publication of CN104463016B publication Critical patent/CN104463016B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K17/00Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
    • G06K17/0003Automatic card files incorporating selecting, conveying and possibly reading and/or writing operations
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/06009Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking
    • G06K19/06037Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking multi-dimensional coding
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to IC cards and two-dimension codes and discloses a data safety storing method suitable for IC cards and two-dimension codes. The method comprises the steps of (1) terminal registering, (2) authentication, (3) card/code generating and (4) card/code reading. A symmetric key and an asymmetrical key are combined for use, only the data storing function of the IC cards and the two-dimension codes is used, a data encryption function is completely completed by an upper layer software system, accordingly, limiting from the types and inner achieving of the IC cards is avoided, and limiting from the types of the two-dimension codes is avoided. Each card/code generator and each card/code reader are provided with unique identity keys, a key center is used for distributing different encryption keys during each-time encryption, and the key center carries out decryption authorization on the card/code reader. The forward safety of the keys can be well guaranteed, right control particle size is well refined, and accordingly data safety is enhanced.

Description

A kind of secure storage method of data being applicable to IC-card and Quick Response Code
Technical field
The present invention relates to IC-card and Quick Response Code, especially relate to a kind of secure storage method of data being applicable to IC-card and Quick Response Code.
Background technology
((Integrated Circuit Card) also claims smart card (Smart card), smart card (Intelligent card), microcircuit card (Microcircuit card) or chip card etc. for IC-card and integrated circuit card.It is embedded by a microelectronic chip to meet in the card base of ISO7816 standard, makes card form, store information by the integrated circuit in card.Communication modes between IC-card and read write line can be contact, also can be contactless.According to communication interface IC-card be divided into Contact Type Ic Card, non-contact IC and double-interface card (1. goldenrain tree man brightness, the present situation of Yang Fang, Zhou Xiuli .IC card technique and application [J]. agricultural research, 2003,03:189-190; 2. poplar starts quick .IC card development new trend [J]. the electronic product world, 1999,12:42-43.).
Quick Response Code (2-dimensional bar code) on the basis of bar code, expands another dimension have readable bar code, it uses black and white rectangular patterns to represent binary data symbols information, word numerical information is represented with several geometrical bodies corresponding with scale-of-two, by image input device or photoelectric scanning device automatically identifying and reading automatically process to realize information (3. Xing Ping stand, Bai Huiyan. Quick Response Code general introduction and application [J]. wire mark industry, 2013,07:47-50; 4. Xiao Quan admires, Liu Mingjun, Liu Yue. the research [J] of mobile phone two-dimension code. and Chinese new traffic, 2008,03:66-69).
The general character of IC-card and Quick Response Code is, both can represent a large amount of data messages, is all the information carrier of important automatic identification technology.Although comparatively speaking, IC-card is more difficult to be copied, and the two all exists information security issue.What the security for IC-card application threatened mainly contains: 1. use the IC-card of forgery to entering certain system; 2. falsely use the IC-card that other people lose or illegally obtain, attempt to pretend to be legal user to enter system; 3. active attack is adopted, directly the information exchanged when IC-card and read-write equipment communication modified, delete, the unwarranted information such as increase change and operate (5. Wang Li ripple .IC card apply in key management system research and development [D]. Shandong University, 2005.).Equally, Quick Response Code be also faced with the security threat such as information leakage and information correction (6. a high man of virtue and ability is subject to, Xu Chungen. safe and practical Quick Response Code research and implementation [J]. information network security, 2012,10:47-50.).In addition, mobile phone two-dimension code user often suffers Quick Response Code sensing malicious websites deduct fees or in the unwitting situation of user, download to attack (the 7. Lin Jiahua of bogusware, Yang Yong, appoint attack method and the defensive measure [J] of big .QR Quick Response Code. information network security, 2013,05:29-32.).
In order to prevent in IC-card or Quick Response Code internal information reveal and information distort, suitable Data Encryption Scheme must be adopted to carry out safeguard protection to the data of wherein preserving.By carrying out packaging protection, chip protection, electric charge protection to IC-card sheet, preventing from intercepting and chip locking; IC-card substantially can accomplish safety physically (the 8. safety technique [J] of Wu Sheng .IC card and card. Kunming University of Science and Technology's journal; 1997,03:65-70.).But, by carry out in the communication port of IC-card and card reader information intercepting still can intercept data wherein (the 9. information security Journal of Sex Research [D] of the beautiful .IC card of pair will. Lanzhou University of Science & Technology, 2008.).Quick Response Code does not then have the characteristic of physical security completely.
At present, the data safe processing for IC-card is generally encrypted protection in card inside, as Chinese patent CN1088223 C proposes a kind of IC-card that can encrypt; Or while card internal cryptographic, take into account the safety of card reader, as Chinese patent CN1337803 A proposes encryption method and circuit that a kind of data security for IC-card communicates.The production of these methods to card has special requirement, IC-card that cannot be compatible all.In addition, at present for two-dimension code safe process, general also just simple encryption is carried out to data after the information after encrypting be printed as Quick Response Code carry out false proof, a kind ofly utilize existing two dimension code reading equipment to carry out decoding to obtain the antiforging printing method of Quick Response Code internal information to encrypted content to two-dimensional code multi-enciphering to prevent other people as Chinese patent CN101295343 proposes; Or Quick Response Code and digest algorithm combined do anti-tamper application, as Chinese patent CN 102546174 A proposes a kind of MD5 algorithm that uses to after document content calculating summary, summary is saved in two-dimension code image, then uses two-dimension code image to carry out the method for tamper Detection.
Summary of the invention
The object of the invention is to depend on for existing IC-card encryption method the problem that IC-card inside realizes and the encryption method being applied to Quick Response Code too simply causes the problems such as data security is not high, a kind of secure storage method of data being applicable to IC-card and Quick Response Code that the access of user data can be made to concentrate the safeguard protection of controlled, data and concrete storage medium have nothing to do is provided.
The present invention includes following steps:
1) endpoint registration;
2) certification;
3) fabrication/code processed;
4) Card Reader/reading code.
In step 1) in, described terminal comprises fabrication/code device processed and Card Reader/code reader; Described registration is to cipher key center registration, to obtain respective numbering and private key, and identifies the identity of oneself with numbering and private key; The concrete steps of described endpoint registration are as follows:
(1) terminal (managerial personnel) selects one for the protection of the password of the private key of oneself;
(2) terminal (managerial personnel) initiates registration request to cipher key center, the password that input step (1) is selected;
(2) cipher key center generates terminal number and RSA public private key pair, and protects private key with the password that terminal is selected;
(4) cipher key center PKI that terminal number and step (3) are generated, also have other relevant information of terminal to be stored in database, other relevant information described includes but not limited to the model, date of manufacture, MAC Address etc. of terminal;
(5) PKI of the private key that terminal number and step (3) generated of cipher key center and security centre is stored in USB-Key and gives terminal (managerial personnel), registers complete.
In step 2) in, described certification is the identity confirming oneself to cipher key center, and the concrete steps of described certification are as follows:
(1) its USB-Key is inserted the USB interface of terminal by terminal, then inputs the password of the private key in USB-Key;
(2) terminal reads in numbering and the private key of terminal from USB-Key, and the PKI of cipher key center, and produces a random number R a;
(3) the public key encryption Ra generating ciphertext SRa of terminal cipher key center;
(4) terminal connects cipher key center initiation authentication request, transmitting terminal numbering and SRa;
(5) cipher key center obtains the PKI of terminal from database by the terminal number received, and produces random number R b;
(6) the public key encryption Rb of cipher key center terminal generates SRb, and generates DRa with the private key deciphering SRa of cipher key center;
(7) cipher key center sends DRa and SRb to terminal;
(8) terminal compares Ra and DRa, illustrates that cipher key center is counterfeiting if different, and verification process failure also stops;
(9) the terminal private key deciphering SRb of oneself generates DRb, and sends to cipher key center;
(10) cipher key center compares Rb and DRb, if identical, then and authentication success; If different, then illustrate that terminal is the terminal of personation, verification process failure.
In step 3) in, the fabrication/code device processed of described fabrication/code processed, before each card of system and each Quick Response Code, all needs cipher key center to be that its distribution privacy key is with the data in encrypted card or in Quick Response Code; The concrete grammar of described fabrication/code processed is as follows:
(1) fabrication/code device processed reads in its private key PRIw and numbering IDwt from USB-Key;
(2) fabrication/code device processed to cipher key center request privacy key, for encryption;
(3) cipher key center verifies its authority whether having fabrication according to the numbering IDwt of fabrication/code device processed and current date, if do not have authority, then fabrication/code process processed is with failed end; Otherwise the PKI PUBw of fabrication/code device processed is read from database;
(4) cipher key center produces random privacy key Rk and is stored in database, thus obtains cipher key number IDk;
(5) the PKI PUBw secret encryption key Rk of cipher key center fabrication/code device processed generates SRk;
(6) cipher key center sends the privacy key SRk after cipher key number IDk and encryption to fabrication/code device processed;
(7) fabrication/code device processed uses its private key PRIw to decipher SRk and obtains Rk, is then Sm with Rk encrypting plaintext M;
(8) IDwt, IDk, current time of day and Sm are write IC-card or are encoded into Quick Response Code and print by fabrication/code device processed.
In step 4) in, Card Reader/the code reader of described Card Reader/reading code, before each card of reading and each Quick Response Code, need first to obtain to cipher key center the privacy key being used for (or in Quick Response Code) ciphertext in decryption card, the concrete grammar of described Card Reader/reading code is as follows:
(1) Card Reader/code reader reads in its private key PRIr and numbering IDrt from USB-Key;
(2) Card Reader/code reader read in from IC-card or scan Quick Response Code decoding obtain: fabrication/numbering IDt, the cipher key number IDk of code device processed, fabrication date-time TIMEw and ciphertext Sm;
(3) Card Reader/code reader sends numbering IDt, the cipher key number IDk of fabrication/code device processed and fabrication date-time TIMEw to ask decruption key to cipher key center;
(4) according to numbering IDt, the cipher key number IDk of fabrication/code device processed and fabrication date-time TIMEw, cipher key center verifies whether fabrication/code device processed has the authority reading this IC-card or Quick Response Code, if lack of competence, Card Reader/reading code procedure failure also stops; Otherwise cipher key center reads the PKI PUBr of privacy key Rk and Card Reader/code reader from database;
(5) the PKI PUBr secret encryption key Rk of cipher key center Card Reader/code reader generates SRk;
(6) cipher key center sends the privacy key SRk after encryption to Card Reader/code reader;
(7) Card Reader/code reader uses its private key PRIr to decipher SRk and obtains privacy key Rk;
(8) Card Reader/code reader uses privacy key Rk decrypting ciphertext Sm to recover plaintext M.
The invention provides a kind of cipher key center device, be responsible for the generation of Certificate Authority and key, distribution and management.Described cipher key center device comprises:
1) authentication module, for receiving the authentication request of fabrication/code device processed and Card Reader/code reader, and verifies its legitimacy.
2) authorization module, for authorizing for fabrication/code device processed and Card Reader/code reader, determines the authority of its fabrication/code processed, and the authority of Card Reader/reading code.
3) key management module, for generating key, distributed key and managing keys database.
The invention provides a kind of fabrication/code apparatus processed, write IC-card or be printed as Quick Response Code after being responsible for that clear data is encrypted to ciphertext.Described fabrication/code apparatus processed comprises:
1) card/write a yard module is write, for by ciphertext and related data write IC-card or be printed as Quick Response Code.Write card/write yard module comprise again write clamp module, Quick Response Code seals module and Quick Response Code encoding submodule.
2) encrypting module, for being encrypted clear data.
3) communication module, communicates for same cipher key center, differentiates the legitimacy of fabrication/code device processed in a secured manner, and obtains encryption key.
The present invention also provides a kind of Card Reader/code reader device, is responsible for reading ciphertext from IC-card or Quick Response Code and is become expressly by its decryption restoration.Described Card Reader/code reader device comprises:
1) Card Reader/barcode scanning module.For the ciphertext that stores in IC-card or in Quick Response Code and related control data.Card Reader/barcode scanning module comprises again Card Reader submodule, Quick Response Code barcode scanning submodule and Quick Response Code decoding sub-module.
2) deciphering module, for being decrypted encrypt data and reverting to expressly.
3) communication module, communicates for same cipher key center, differentiates the legitimacy of Card Reader/code reader in a secured manner, and obtains decruption key.
The present invention is combined symmetric key and unsymmetrical key, only utilize the data storage function of IC-card and Quick Response Code, transferred to by data encryption feature upper layer software (applications) system completely, thus be not limited by the classification of IC-card and inner realization, be not also limited to the kind of Quick Response Code.
Each fabrication of the present invention/code device processed and Card Reader/code reader have unique identity key, the different encryption key that each encryption adopts cipher key center to distribute, and are decrypted mandate by cipher key center to Card Reader/code reader.Therefore, the present invention is of value to the forward security and refinement control of authority granularity that ensure key, thus strengthens the security of data.
The present invention proposes a kind of secure storage method of data based on key distribution system newly, for different keys distributed by each fabrication/code device processed, then by cipher key service center for Card Reader/code reader is decrypted mandate, realize the data security storage administration in IC-card and Quick Response Code with this.The work of data encrypting and deciphering transfers to upper layer software (applications) by the method completely, is applicable to any IC-card and Quick Response Code.
Accompanying drawing explanation
Fig. 1 is integral module of the present invention and mutual schematic diagram thereof.
Embodiment
For making the object, technical solutions and advantages of the present invention more clear, below in conjunction with accompanying drawing, the specific embodiment of the present invention is further elaborated.
Integral module of the present invention form and mutual as shown in Figure 1.
Cipher key center 110 is Core servers of system, is also the security centre of whole system, is made up of authentication module 111, key management module 112 and authorization module 113.Fabrication/code device 101 processed and Card Reader/code reader 131 are called the terminal of system, cipher key center 110 is the unique numbering of all terminal distribution one, then a pair public and private key of RSA is produced, using Private key distribution to terminal as its unique identity key, PKI is stored in the database of cipher key center simultaneously.The public and private key of this pair RSA is used for the safety identification authentication that terminal uses the service of cipher key center.In addition, be responsible in the key management module 112 of cipher key center the privacy key generating, store and obtain terminal encryption and decryption data, namely privacy key is stored in the database of cipher key center after generating, and each privacy key is by a unique numeral index.Cryptographic algorithm can be then any symmetric encipherment algorithm, as AES, 3DES, DES, RC4 etc.The authorization module 113 of cipher key center is for rights management, namely manage the license whether any fabrication/code device 101 processed when phase in office has fabrication or code processed, and whether any Card Reader/code reader 131 has the license of the data reading any fabrication/code device 101 processed when phase made IC-card in office or Quick Response Code.
Fabrication/code device 101 processed, by writing card/write yard module 102, encrypting module 106 and communication module 107 to form, is wherein write card/write yard module 102 and is formed by writing clamp module 103, Quick Response Code encoding submodule 104 and Quick Response Code module 105 of sealing again.IC-card 120 and two-dimension code image 121 are data storage mediums.Fabrication/code device 101 processed writes data by writing clamp module 103 to IC-card 120, by data-printing being become Quick Response Code through Quick Response Code module 105 of sealing after Quick Response Code encoding submodule 104 pairs of data encodings.Wherein, the data of IC-card 120 and two-dimension code image are stored in primarily of following four partial information compositions: the numbering of 1. fabrication/code device processed; 2. for the numbering of the key of encryption and decryption data; 3. date of fabrication or code processed, the time; 4. the secret data after encrypting module 106 is encrypted.Encrypting module 106 is obtained by communication module 107 for the privacy key of enciphered data after cipher key center 110 initiates key request.
Card Reader/code reader 131 is made up of Card Reader/barcode scanning module 132, deciphering module 136 and communication module 137, and Card Reader/barcode scanning module 132 is made up of Card Reader submodule 133, Quick Response Code decoding sub-module 134 and Quick Response Code barcode scanning submodule 135 again.Card Reader/code reader 131 reads data by Card Reader submodule 133 from IC-card 120, transfers to Quick Response Code decoding sub-module 134 to decode to it after the data stored in Quick Response Code being read in calculator memory by Quick Response Code barcode scanning submodule 135.Obtain after decoding: the numbering of 1. fabrication/code device processed; 2. for the numbering of the key of encryption and decryption data; 3. date of Card Reader or reading code, the time; 4. the secret data after encrypting module 106 is encrypted.Deciphering module 136 by communication module 137 to the privacy key obtaining data decryption after cipher key center 110 initiates key request, afterwards, to secret data deciphering to recover plaintext.
Specific embodiment of the invention can be divided into Four processes, i.e. terminal registration process, verification process, fabrication/code process processed and Card Reader/reading code process.
The present invention includes two Terminal Types, i.e. fabrication/code device processed and Card Reader/code reader, they all need to cipher key center registration to obtain respective numbering and private key, and identify the identity of oneself with numbering and private key.Terminal should complete at escape way to the flow process of cipher key center registration process, such as in the aspectant mode of operating personnel.Concrete steps are as follows:
1, terminal (managerial personnel) selects one for the protection of the password of the private key of oneself;
2, terminal (managerial personnel) initiates registration request to cipher key center, the password that input previous step is selected;
3, cipher key center generates terminal number and RSA public private key pair, and protects private key with the password that terminal is selected;
4, the PKI that terminal number and previous step generate by cipher key center, also have other relevant information of terminal, the information such as model, date of manufacture, MAC Address as terminal is stored in database;
5, the PKI of the private key that terminal number and the 3rd step generate by cipher key center and security centre is stored in USB-Key and gives terminal (managerial personnel), registers complete.
Terminal of the present invention, before fabrication/code processed or Card Reader/reading code, first must confirm the identity of oneself to cipher key center.The concrete steps of the authentication procedures of terminal are as follows:
1, its USB-Key is inserted the USB interface of terminal by terminal management personnel, then inputs the password of the private key in USB-Key;
2, terminal reads in numbering and the private key of terminal from USB-Key, and the PKI of cipher key center, and produces a random number R a;
3, the public key encryption Ra generating ciphertext SRa of terminal cipher key center;
4, terminal connects cipher key center and initiates authentication request, transmitting terminal numbering and SRa;
5, cipher key center obtains the PKI of terminal by the terminal number received from database, and produces random number R b;
6, the public key encryption Rb of cipher key center terminal generates SRb, and generates DRa with the private key deciphering SRa of cipher key center;
7, cipher key center sends DRa and SRb to terminal;
8, terminal compares Ra and DRa, illustrates that cipher key center is counterfeiting if different, and verification process failure also stops;
9, the terminal private key deciphering SRb of oneself generates DRb, and sends to cipher key center;
10, cipher key center compares Rb and DRb, if identical, authentication success, if difference, illustrates that terminal is the terminal of personation, verification process failure.
Fabrication of the present invention/code device processed, before each card of system and each Quick Response Code, all needs cipher key center to be that its distribution privacy key is with the data in encrypted card or in Quick Response Code.Concrete fabrication/code stream journey processed is as follows:
1, fabrication/code device processed reads in its private key PRIw and numbering IDwt from USB-Key;
2, fabrication/code device processed to cipher key center request privacy key, for encryption;
3, cipher key center verifies its authority whether having fabrication according to the numbering IDwt of fabrication/code device processed and current date.If do not have authority, fabrication/code process processed is with failed end; Otherwise the PKI PUBw of fabrication/code device processed is read from database;
4, cipher key center produces random privacy key Rk and is stored in database, thus obtains cipher key number IDk;
5, the PKI PUBw secret encryption key Rk of cipher key center fabrication/code device processed generates SRk;
6, cipher key center sends the privacy key SRk after cipher key number IDk and encryption to fabrication/code device processed;
7, fabrication/code device processed uses its private key PRIw to decipher SRk and obtains Rk, is then Sm with Rk encrypting plaintext M;
8, IDwt, IDk, current time of day and Sm are write IC-card or are encoded into Quick Response Code and print by fabrication/code device processed.
Card Reader/code reader of the present invention, before each card of reading and each Quick Response Code, needs first to obtain to cipher key center the privacy key being used for (or in Quick Response Code) ciphertext in decryption card.Concrete Card Reader/reading code process is as follows:
1, Card Reader/code reader reads in its private key PRIr and numbering IDrt from USB-Key;
2, Card Reader/code reader reads in or scans Quick Response Code decoding and obtains from IC-card: fabrication/numbering IDt, the cipher key number IDk of code device processed, fabrication date-time TIMEw and ciphertext Sm;
3, Card Reader/code reader sends numbering IDt, the cipher key number IDk of fabrication/code device processed and fabrication date-time TIMEw to ask decruption key to cipher key center;
4, according to numbering IDt, the cipher key number IDk of fabrication/code device processed and fabrication date-time TIMEw, cipher key center verifies whether fabrication/code device processed has the authority of this IC-card of reading or Quick Response Code, if lack of competence, Card Reader or reading code procedure failure also stop; Otherwise cipher key center reads the PKI PUBr of privacy key Rk and Card Reader/code reader from database;
5, the PKI PUBr secret encryption key Rk of cipher key center Card Reader/code reader generates SRk;
6, cipher key center sends the privacy key SRk after encryption to Card Reader/code reader;
7, Card Reader/code reader uses its private key PRIr to decipher SRk and obtains privacy key Rk;
8, Card Reader/code reader uses privacy key Rk decrypting ciphertext Sm to recover plaintext M.
Framework of the present invention comprises: IC-card, Quick Response Code, fabrication/code device processed, Card Reader/code reader, USB-Key and cipher key center.Its effect is as follows respectively:
1) IC-card: the carrier that information stores, comprises all kinds of IC-cards such as Contact Type Ic Card, rfid card, serial transmission type IC-card, parallel transmission type IC-card, storage-type IC-card, cryptographic storage type IC-card, Intelligent IC card, also comprises general magnetic card.
2) Quick Response Code: the carrier that information stores, all kinds of Quick Response Codes such as PDF417, Datamatrix, Maxicode, QR Code, Code 49, Code 16K and Code one.
3) fabrication/code device processed: its effect to write IC-card after data encryption or to be printed as Quick Response Code.
4) Card Reader/code reader: its effect is read ciphertext and become expressly by its decryption restoration from IC-card or Quick Response Code.
5) USB-Key: its effect is the identity information preserving fabrication/code device processed and Card Reader/code reader, carries out double factor authentication for auxiliary Card Reader/code reader.
6) cipher key center: its effect carries out authentication and authorization to fabrication/code device processed and Card Reader/code reader, and generation, distribution and managing keys.

Claims (8)

1. be applicable to a secure storage method of data for IC-card and Quick Response Code, it is characterized in that comprising the following steps:
1) endpoint registration;
2) certification;
3) fabrication/code processed;
4) Card Reader/reading code.
2. a kind of secure storage method of data being applicable to IC-card and Quick Response Code as claimed in claim 1, is characterized in that in step 1) in, described terminal comprises fabrication/code device processed and Card Reader/code reader; Described registration is to cipher key center registration, to obtain respective numbering and private key, and identifies the identity of oneself with numbering and private key; The concrete steps of described endpoint registration are as follows:
(1) terminal selects one for the protection of the password of the private key of oneself;
(2) terminal initiates registration request to cipher key center, the password that input step (1) is selected;
(2) cipher key center generates terminal number and RSA public private key pair, and protects private key with the password that terminal is selected;
(4) PKI that terminal number and step (3) generated of cipher key center, also has other relevant information of terminal to be stored in database, and other relevant information described includes but not limited to the model of terminal, date of manufacture, MAC Address;
(5) PKI of the private key that terminal number and step (3) generated of cipher key center and security centre is stored in USB-Key and gives terminal, registers complete.
3. a kind of secure storage method of data being applicable to IC-card and Quick Response Code as claimed in claim 1, is characterized in that in step 2) in, described certification is the identity confirming oneself to cipher key center, and the concrete steps of described certification are as follows:
(1) its USB-Key is inserted the USB interface of terminal by terminal, then inputs the password of the private key in USB-Key;
(2) terminal reads in numbering and the private key of terminal from USB-Key, and the PKI of cipher key center, and produces a random number R a;
(3) the public key encryption Ra generating ciphertext SRa of terminal cipher key center;
(4) terminal connects cipher key center initiation authentication request, transmitting terminal numbering and SRa;
(5) cipher key center obtains the PKI of terminal from database by the terminal number received, and produces random number R b;
(6) the public key encryption Rb of cipher key center terminal generates SRb, and generates DRa with the private key deciphering SRa of cipher key center;
(7) cipher key center sends DRa and SRb to terminal;
(8) terminal compares Ra and DRa, illustrates that cipher key center is counterfeiting if different, and verification process failure also stops;
(9) the terminal private key deciphering SRb of oneself generates DRb, and sends to cipher key center;
(10) cipher key center compares Rb and DRb, if identical, then and authentication success; If different, then illustrate that terminal is the terminal of personation, verification process failure.
4. a kind of secure storage method of data being applicable to IC-card and Quick Response Code as claimed in claim 1, it is characterized in that in step 3) in, fabrication/code the device processed of described fabrication/code processed, before each card of system and each Quick Response Code, cipher key center is all needed to be that its distribution privacy key is with the data in encrypted card or in Quick Response Code; The concrete grammar of described fabrication/code processed is as follows:
(1) fabrication/code device processed reads in its private key PRIw and numbering IDwt from USB-Key;
(2) fabrication/code device processed to cipher key center request privacy key, for encryption;
(3) cipher key center verifies its authority whether having fabrication according to the numbering IDwt of fabrication/code device processed and current date, if do not have authority, then fabrication/code process processed is with failed end; Otherwise the PKI PUBw of fabrication/code device processed is read from database;
(4) cipher key center produces random privacy key Rk and is stored in database, thus obtains cipher key number IDk;
(5) the PKI PUBw secret encryption key Rk of cipher key center fabrication/code device processed generates SRk;
(6) cipher key center sends the privacy key SRk after cipher key number IDk and encryption to fabrication/code device processed;
(7) fabrication/code device processed uses its private key PRIw to decipher SRk and obtains Rk, is then Sm with Rk encrypting plaintext M;
(8) IDwt, IDk, current time of day and Sm are write IC-card or are encoded into Quick Response Code and print by fabrication/code device processed.
5. a kind of secure storage method of data being applicable to IC-card and Quick Response Code as claimed in claim 1, it is characterized in that in step 4) in, Card Reader/the code reader of described Card Reader/reading code, before each card of reading and each Quick Response Code, need first to obtain to cipher key center to be used in decryption card or the privacy key of ciphertext in Quick Response Code, the concrete grammar of described Card Reader/reading code is as follows:
(1) Card Reader/code reader reads in its private key PRIr and numbering IDrt from USB-Key;
(2) Card Reader/code reader read in from IC-card or scan Quick Response Code decoding obtain: fabrication/numbering IDt, the cipher key number IDk of code device processed, fabrication date-time TIMEw and ciphertext Sm;
(3) Card Reader/code reader sends numbering IDt, the cipher key number IDk of fabrication/code device processed and fabrication date-time TIMEw to ask decruption key to cipher key center;
(4) according to numbering IDt, the cipher key number IDk of fabrication/code device processed and fabrication date-time TIMEw, cipher key center verifies whether fabrication/code device processed has the authority reading this IC-card or Quick Response Code, if lack of competence, Card Reader/reading code procedure failure also stops; Otherwise cipher key center reads the PKI PUBr of privacy key Rk and Card Reader/code reader from database;
(5) the PKI PUBr secret encryption key Rk of cipher key center Card Reader/code reader generates SRk;
(6) cipher key center sends the privacy key SRk after encryption to Card Reader/code reader;
(7) Card Reader/code reader uses its private key PRIr to decipher SRk and obtains privacy key Rk;
(8) Card Reader/code reader uses privacy key Rk decrypting ciphertext Sm to recover plaintext M.
6. as a kind of secure storage method of data being applicable to IC-card and Quick Response Code as described in arbitrary in claim 2 ~ 5, it is characterized in that described cipher key center, be responsible for the generation of Certificate Authority and key, distribution and management, described cipher key center comprises:
1) authentication module, for receiving the authentication request of fabrication/code device processed and Card Reader/code reader, and verifies its legitimacy;
2) authorization module, for authorizing for fabrication/code device processed and Card Reader/code reader, determines the authority of its fabrication/code processed, and the authority of Card Reader/reading code;
3) key management module, for generating key, distributed key and managing keys database.
7. as a kind of secure storage method of data being applicable to IC-card and Quick Response Code as described in arbitrary in claim 2,4,5, it is characterized in that described fabrication/code device processed, write IC-card or be printed as Quick Response Code after being responsible for that clear data is encrypted to ciphertext, described fabrication/code device processed comprises:
1) write card/write a yard module, for by ciphertext and related data write IC-card or be printed as Quick Response Code, write card/write yard module comprise again write clamp module, Quick Response Code seals module and Quick Response Code encoding submodule;
2) encrypting module, for being encrypted clear data;
3) communication module, communicates for same cipher key center, differentiates the legitimacy of fabrication/code device processed in a secured manner, and obtains encryption key.
8. as a kind of secure storage method of data being applicable to IC-card and Quick Response Code as described in arbitrary in claim 2,5, it is characterized in that described Card Reader/code reader, be responsible for reading ciphertext from IC-card or Quick Response Code and become expressly by its decryption restoration, described Card Reader/code reader comprises:
1) Card Reader/barcode scanning module, for the ciphertext that stores in IC-card or in Quick Response Code and related control data, Card Reader/barcode scanning module comprises again Card Reader submodule, Quick Response Code barcode scanning submodule and Quick Response Code decoding sub-module;
2) deciphering module, for being decrypted encrypt data and reverting to expressly;
3) communication module, communicates for same cipher key center, differentiates the legitimacy of Card Reader/code reader in a secured manner, and obtains decruption key.
CN201410804342.9A 2014-12-22 2014-12-22 Data safety storing method suitable for IC cards and two-dimension codes Active CN104463016B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410804342.9A CN104463016B (en) 2014-12-22 2014-12-22 Data safety storing method suitable for IC cards and two-dimension codes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410804342.9A CN104463016B (en) 2014-12-22 2014-12-22 Data safety storing method suitable for IC cards and two-dimension codes

Publications (2)

Publication Number Publication Date
CN104463016A true CN104463016A (en) 2015-03-25
CN104463016B CN104463016B (en) 2017-05-24

Family

ID=52909036

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410804342.9A Active CN104463016B (en) 2014-12-22 2014-12-22 Data safety storing method suitable for IC cards and two-dimension codes

Country Status (1)

Country Link
CN (1) CN104463016B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656478A (en) * 2016-10-31 2017-05-10 用友网络科技股份有限公司 Communication encryption method between multiple nodes
CN109344654A (en) * 2018-11-12 2019-02-15 金思成 A kind of two dimensional code training clothes information encryption identifying system
CN109729046A (en) * 2017-10-31 2019-05-07 北京京东尚科信息技术有限公司 Two-dimensional code scanning method and terminal, authentication method and server and service system
CN109983733A (en) * 2016-08-18 2019-07-05 Trw有限公司 Control is to the access of key and the method for fuzzy message and electronic equipment
CN110400187A (en) * 2019-07-24 2019-11-01 国网河北省电力有限公司邢台供电分公司 A kind of billing method, billing device and terminal device
CN111209579A (en) * 2020-01-03 2020-05-29 玉溪市电子政务内网信息技术中心 Electronic analysis equipment and method for encrypting confidential files by utilizing two-dimensional code in multiple ways
CN114172649A (en) * 2022-02-11 2022-03-11 厚普智慧物联科技有限公司 Cloud key management method and system based on intelligent IC card security authentication
CN114897112A (en) * 2022-04-18 2022-08-12 上海美的茵信息技术有限公司 Diagnostic data transmission method and device for diagnostic equipment based on two-dimensional code mode, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101408970A (en) * 2008-11-21 2009-04-15 李东声 Method, system and apparatus for implementing batch electronic transaction, and electronic signing tool
WO2012035306A1 (en) * 2010-09-18 2012-03-22 Philip Wesby System and method for encoding and controlled authentication
CN102713922A (en) * 2010-01-12 2012-10-03 维萨国际服务协会 Anytime validation for verification tokens
CN103546781A (en) * 2012-07-16 2014-01-29 航天信息股份有限公司 Security control method and device of set-top box terminal
CN103701787A (en) * 2013-12-19 2014-04-02 上海格尔软件股份有限公司 User name password authentication method implemented on basis of public key algorithm

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101408970A (en) * 2008-11-21 2009-04-15 李东声 Method, system and apparatus for implementing batch electronic transaction, and electronic signing tool
CN102713922A (en) * 2010-01-12 2012-10-03 维萨国际服务协会 Anytime validation for verification tokens
WO2012035306A1 (en) * 2010-09-18 2012-03-22 Philip Wesby System and method for encoding and controlled authentication
CN103546781A (en) * 2012-07-16 2014-01-29 航天信息股份有限公司 Security control method and device of set-top box terminal
CN103701787A (en) * 2013-12-19 2014-04-02 上海格尔软件股份有限公司 User name password authentication method implemented on basis of public key algorithm

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109983733A (en) * 2016-08-18 2019-07-05 Trw有限公司 Control is to the access of key and the method for fuzzy message and electronic equipment
CN106656478A (en) * 2016-10-31 2017-05-10 用友网络科技股份有限公司 Communication encryption method between multiple nodes
CN109729046A (en) * 2017-10-31 2019-05-07 北京京东尚科信息技术有限公司 Two-dimensional code scanning method and terminal, authentication method and server and service system
CN109729046B (en) * 2017-10-31 2022-04-26 北京京东尚科信息技术有限公司 Two-dimensional code scanning method and terminal, authentication method and server and service system
CN109344654A (en) * 2018-11-12 2019-02-15 金思成 A kind of two dimensional code training clothes information encryption identifying system
CN109344654B (en) * 2018-11-12 2021-11-19 金成思 Two-dimensional code training clothes information encryption and identification system
CN110400187A (en) * 2019-07-24 2019-11-01 国网河北省电力有限公司邢台供电分公司 A kind of billing method, billing device and terminal device
CN111209579A (en) * 2020-01-03 2020-05-29 玉溪市电子政务内网信息技术中心 Electronic analysis equipment and method for encrypting confidential files by utilizing two-dimensional code in multiple ways
CN114172649A (en) * 2022-02-11 2022-03-11 厚普智慧物联科技有限公司 Cloud key management method and system based on intelligent IC card security authentication
CN114172649B (en) * 2022-02-11 2022-05-13 厚普智慧物联科技有限公司 Cloud key management method and system based on intelligent IC card security authentication
CN114897112A (en) * 2022-04-18 2022-08-12 上海美的茵信息技术有限公司 Diagnostic data transmission method and device for diagnostic equipment based on two-dimensional code mode, computer equipment and storage medium

Also Published As

Publication number Publication date
CN104463016B (en) 2017-05-24

Similar Documents

Publication Publication Date Title
CN104463016B (en) Data safety storing method suitable for IC cards and two-dimension codes
CN103198344B (en) Tax control secure two-dimensional code coding, decoding processing method
CN104217230B (en) The safety certifying method of hiding ultrahigh frequency electronic tag identifier
CN103413159B (en) A kind of RFID electronic certificate off-line false proof realization method and system of Jianzhen based on CPK
CN105024824A (en) Method for generating and verifying credible label based on asymmetrical encryption algorithm and system
CN106100850B (en) Intelligent and safe chip signing messages transmission method and system based on two dimensional code
CN102779263A (en) Credible two-dimensional code scheme based on public key infrastructure (PKI) and digital signature
CN101882197B (en) RFID (Radio Frequency Identification Device) inquiring-response safety certificate method based on grading key
CN102750510A (en) Credible two-dimensional code scheme based on public key infrastructure (PKI) and HASH algorithm
CN103326864B (en) A kind of electronic tag anti-fake authentication method
CN106067205B (en) A kind of gate inhibition's method for authenticating and device
CN104933793A (en) Two-dimension code electronic key implementation method based on digital signature
CN102236773A (en) Radio frequency identification (RFID) encryption verification system and method
CN106953732B (en) Key management system and method for chip card
CN104809490A (en) Card anti-counterfeiting system based on multidimensional code and authentication method based on card anti-counterfeiting system
Purnomo et al. Mutual authentication in securing mobile payment system using encrypted QR code based on public key infrastructure
CN104322003A (en) Cryptographic authentication and identification method using real-time encryption
CN104268610A (en) Method for generating and reading graded QR code
KR101561170B1 (en) A Safe Identification Card Method With Convergence of Fingerprint verification and Encrypted QR
CN103955664B (en) High-speed document scanner capable of safely decoding two-dimensional code of vehicle approval certificate and decoding method
CN104700125A (en) AES encryption and verification of ultra high frequency radio identification system
CN108694344A (en) A kind of cryptography electronic label
CN101588238A (en) Method for encrypting and decrypting certificate card in accreditation system
Rahnama et al. Securing RFID-based authentication systems using ParseKey+
CN101739593A (en) Safety certification method of medium access control codes of integrated circuit cards

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant