CN105790946A - Method and system for building data channel and related devices

Publication number: CN105790946A
Authority: CN (China)
Prior art keywords: data channel, information, secure authenticated, card, smart card
Legal status: Granted
Application number: CN201410806632.7A
Other languages: Chinese (zh)
Other versions: CN105790946B (en)
Inventors: 袁松, 李亚强, 葛欣, 李征
Current and original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Sichuan Co Ltd
Events:

  • Application CN201410806632.7A filed by China Mobile Communications Group Co Ltd and China Mobile Group Sichuan Co Ltd
  • Priority to CN201410806632.7A
  • Publication of CN105790946A
  • Application granted
  • Publication of CN105790946B
  • Legal status: Active

Landscapes

  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for building a data channel. The method comprises: an off-card entity obtains security authentication information for applying for the data channel from a smart card management platform; the off-card entity sends an authentication registration message carrying the security authentication information to the smart card management platform; and after the smart card management platform verifies the security authentication information successfully, the smart card management platform builds the data channel with the off-card entity. The invention also discloses the off-card entity, the smart card management platform, a smart card device and a system for building the data channel.

Description

Method, system and related devices for setting up a data channel
Technical field
The present invention relates to the field of data services, and in particular to a method, system and related devices for setting up a data channel.
Background
With the spread of mobile e-commerce, smart cards store more and more data, and that data is increasingly important. At present a smart card can store sensitive information such as subscriber identity information, bank card account information and bank card account balances, so the security of the smart card matters all the more.
At present, smart card products support off-card entities that access the smart card and exchange data with it over several physical connection forms: contactless, card reader, data cable (contact) and Bluetooth.
The security of a smart card depends on the one hand on the smart card hardware, and on the other hand on the security mechanism of the data channel between the smart card and the off-card entity.
As shown in Fig. 1, an off-card entity (such as a card reader or a mobile phone) currently accesses the smart card through a physical channel set up between the two, for example a contactless physical channel or a Bluetooth physical channel. However, the data channel set up between the smart card and the off-card entity has no security authentication mechanism, so any off-card entity can access the smart card at will. This exposes the smart card to attack and damage: the sensitive information on the card (subscriber identity information, bank card information, bank account balances and so on) can be read arbitrarily, and the data on the card can be modified.
Summary of the invention
To solve the existing technical problem, embodiments of the present invention provide a method, system and related devices for setting up a data channel.
An embodiment of the present invention provides a method for setting up a data channel, including:
an off-card entity obtains security authentication information for requesting a data channel from a smart card management platform;
the off-card entity sends an authentication registration message carrying the security authentication information to a smart card device;
after the smart card device verifies the security authentication information successfully, it sets up a data channel with the off-card entity.
In the above scheme, the off-card entity obtaining the security authentication information for requesting a data channel from the smart card management platform includes:
the off-card entity sends a data channel registration request carrying the related information of the corresponding application to the smart card management platform;
after receiving the data channel registration request, the smart card management platform uses the key or certificate it stores itself and, according to the application-related information, generates the security authentication information of the corresponding application;
the smart card management platform sends the generated security authentication information to the off-card entity.
In the above scheme, the smart card device verifying the security authentication information includes:
the smart card device uses the key or certificate it stores itself and, according to the related information of the corresponding application, generates the security authentication information of the corresponding application;
the generated security authentication information of the corresponding application is matched against the security authentication information carried in the authentication registration message.
In the above scheme, after the data channel is set up, the method further includes:
the smart card device adds the information of the corresponding application to its own application software registry.
In the above scheme, after the data channel is set up, the method further includes:
after the smart card device receives an Application Protocol Data Unit (APDU) instruction from the off-card entity, it performs the corresponding transaction operation when it determines that the data channel corresponding to the APDU is valid.
In the above scheme, determining that the data channel corresponding to the APDU is valid is:
the smart card device determines, according to the information of the data channel corresponding to the APDU in the application software registry, that the data channel corresponding to the APDU is valid.
In the above scheme, the method further includes:
after the transaction operation is completed, the smart card device closes the data channel corresponding to the APDU and deletes the corresponding information from the application software registry.
An embodiment of the present invention further provides an off-card entity, including an acquiring unit, a first sending unit and a data channel setup unit, wherein:
the acquiring unit is configured to obtain the security authentication information for requesting a data channel from the smart card management platform;
the first sending unit is configured to send the authentication registration message carrying the security authentication information to the smart card device;
the data channel setup unit is configured to set up the data channel with the smart card after the smart card device verifies the security authentication information successfully.
In the above scheme, the acquiring unit further includes a first sending module and a first receiving module, wherein:
the first sending module is configured to send the data channel registration request carrying the related information of the corresponding application to the smart card management platform;
the first receiving module is configured to receive the security authentication information of the corresponding application sent by the smart card management platform, the security authentication information being generated by the smart card management platform using the key or certificate it stores itself and according to the application-related information.
An embodiment of the present invention also provides a smart card management platform, including a second receiving unit, an information generating unit and a second sending unit, wherein:
the second receiving unit is configured to receive the data channel registration request carrying the related information of the corresponding application sent by the off-card entity;
the information generating unit is configured to use the key or certificate it stores itself and, according to the application-related information, generate the security authentication information of the corresponding application;
the second sending unit is configured to send the generated security authentication information to the off-card entity.
In the above scheme, the information generating unit may further include a storage module and a data channel security module, wherein:
the storage module is configured to store the key or certificate;
the data channel security module is configured to use the key or certificate stored by the storage module and, according to the application-related information, generate the security authentication information of the corresponding application.
An embodiment of the present invention further provides a smart card device, including a third receiving unit and a data channel setup unit, wherein:
the third receiving unit is configured to receive the authentication registration message carrying the security authentication information sent by the off-card entity;
the data channel setup unit is configured to set up the data channel with the off-card entity after verifying the security authentication information successfully.
In the above scheme, the data channel setup unit further includes an information generating module, a matching module and a data channel setup module, wherein:
the information generating module is configured to use the key or certificate it stores itself and, according to the related information of the corresponding application, generate the security authentication information of the corresponding application;
the matching module is configured to match the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message, and to trigger the data channel setup module after a successful match;
the data channel setup module is configured to set up the data channel with the off-card entity after being triggered by the matching module.
In the above scheme, the device further includes an application software registry management unit configured to add the information of the corresponding application to the device's own application software registry after the data channel is set up.
In the above scheme, the device may further include an SE operation unit configured to, after the data channel is set up and an APDU instruction is received from the off-card entity, perform the corresponding transaction operation when it is determined that the data channel corresponding to the APDU is valid.
In the above scheme, the data channel setup unit is further configured to close the data channel corresponding to the APDU after the transaction operation is completed;
correspondingly, the application software registry management unit is further configured to delete the corresponding information from the application software registry.
An embodiment of the present invention also provides a system for setting up a data channel, including a smart card management platform, an off-card entity and a smart card device, wherein:
the off-card entity is configured to obtain the security authentication information for requesting a data channel from the smart card management platform, and to send the authentication registration message carrying the security authentication information to the smart card device;
the smart card device is configured to set up the data channel with the off-card entity after verifying the security authentication information successfully.
In the above scheme, the off-card entity is configured to send the data channel registration request carrying the related information of the corresponding application to the smart card management platform, and to receive the security authentication information sent by the smart card management platform;
the smart card management platform is configured to, after receiving the data channel registration request, use the key or certificate it stores itself and, according to the application-related information, generate the security authentication information of the corresponding application, and to send the generated security authentication information to the off-card entity.
In the above scheme, the smart card device is further configured to add the information of the corresponding application to its own application software registry after the data channel is set up.
In the above scheme, the smart card device is further configured to, after the data channel is set up and an APDU instruction is received from the off-card entity, perform the corresponding transaction operation when it is determined that the data channel corresponding to the APDU is valid.
In the above scheme, the smart card device is further configured to close the data channel corresponding to the APDU after the transaction operation is completed, and to delete the corresponding information from the application software registry.
With the method, system and related devices for setting up a data channel provided by the embodiments of the present invention, an off-card entity obtains security authentication information for requesting a data channel from a smart card management platform; the off-card entity sends an authentication registration message carrying the security authentication information to a smart card device; and after the smart card device verifies the security authentication information successfully, it sets up a data channel with the off-card entity. In this way the smart card is protected from attack and damage, and the security of the smart card device is ensured.
Brief description of the drawings
In the drawings (which are not necessarily drawn to scale), like reference numerals may describe like components in different views. Like reference numerals with different letter suffixes may represent different instances of like components. The drawings generally show, by way of example and not limitation, the embodiments discussed herein.
Fig. 1 is a schematic diagram of the data channel of a smart card in the related art;
Fig. 2 is a schematic flow chart of a method for setting up a data channel in embodiment one of the present invention;
Fig. 3 is a schematic structural diagram of the off-card entity in embodiment two of the present invention;
Fig. 4 is a schematic structural diagram of the smart card management platform in embodiment two of the present invention;
Fig. 5 is a schematic structural diagram of the smart card device in embodiment two of the present invention;
Fig. 6 is a schematic structural diagram of the system for setting up a data channel in embodiment two of the present invention;
Fig. 7 is a schematic diagram of the system architecture and interaction for setting up a data channel in embodiment three of the present invention.
Detailed description of the invention
The present invention is described in further detail below with reference to the drawings and embodiments.
In the various embodiments of the present invention, an off-card entity obtains security authentication information for requesting a data channel from a smart card management platform; the off-card entity sends an authentication registration message carrying the security authentication information to a smart card device; and after the smart card device verifies the security authentication information successfully, it sets up a data channel with the off-card entity.
Embodiment one
This embodiment provides a method for setting up a data channel, applied to an off-card entity, comprising the following steps:
obtaining security authentication information for requesting a data channel from a smart card management platform;
sending an authentication registration message carrying the security authentication information to a smart card device;
and after the smart card device verifies the security authentication information successfully, setting up a data channel with the smart card.
Here, obtaining the security authentication information for requesting a data channel from the smart card management platform is specifically:
sending a data channel registration request carrying the related information of the corresponding application to the smart card management platform;
receiving the security authentication information of the corresponding application sent by the smart card management platform, the security authentication information being generated by the smart card management platform using the key or certificate it stores itself and according to the application-related information.
Here, the security authentication information may be a signature or a token.
This embodiment also provides a method for setting up a data channel, applied to a smart card management platform, comprising the following steps:
receiving a data channel registration request carrying the related information of the corresponding application sent by an off-card entity;
using the key or certificate stored by the platform itself and, according to the application-related information, generating the security authentication information of the corresponding application;
sending the generated security authentication information to the off-card entity.
Here, the security authentication information may be a signature or a token.
This embodiment also provides a method for setting up a data channel, applied to a smart card device, comprising the following steps:
receiving an authentication registration message carrying security authentication information sent by an off-card entity;
after verifying the security authentication information successfully, setting up a data channel with the off-card entity.
Here, verifying the security authentication information specifically includes:
using the key or certificate stored by the device itself and, according to the related information of the corresponding application, generating the security authentication information of the corresponding application;
matching the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message. If the two match, the smart card device has verified the security authentication information successfully; if the two do not match, the smart card device has failed to verify the security authentication information, and it may then return an error message to the off-card entity.
Here, the security authentication information may be a signature, a token or the like.
After the data channel is set up, the method may further include:
the smart card device adds the information of the corresponding application to its own application software registry. Here, the information of the corresponding application may include the identifier of the corresponding application, the state of the channel and the assigned permissions, where the assigned permissions may include the corresponding registration, cancellation and security module (SE) operation and the like.
After the data channel is set up, the method may further include:
after the smart card device receives an APDU instruction from the off-card entity, it performs the corresponding transaction operation when it determines that the data channel corresponding to the APDU is valid.
Here, determining that the data channel corresponding to the APDU is valid is specifically:
determining, according to the information of the data channel corresponding to the APDU in the application software registry, that the data channel corresponding to the APDU is valid.
Specifically, if the state of the data channel recorded in the application software registry for the data channel corresponding to the APDU is valid, the data channel corresponding to the APDU is valid; correspondingly, if the recorded state of the data channel is invalid, the data channel corresponding to the APDU is invalid.
When it determines that the data channel corresponding to the APDU is invalid, the smart card device refuses to perform the operation related to the APDU instruction.
The method may further include:
after the transaction operation is completed, the smart card closes the data channel corresponding to the APDU and deletes the corresponding information from the application software registry.
The method for setting up a data channel provided by this embodiment, as shown in Fig. 2, comprises the following steps:
Step 201: an off-card entity obtains security authentication information for requesting a data channel from a smart card management platform.
Specifically, the off-card entity sends a data channel registration request carrying the related information of the corresponding application to the smart card management platform;
after receiving the data channel registration request, the smart card management platform uses the key or certificate it stores itself and, according to the application-related information, generates the security authentication information of the corresponding application;
the smart card management platform sends the generated security authentication information to the off-card entity.
Here, the off-card entity may take many physical forms, for example a contactless IC card, a contact IC card, a Bluetooth card and the like.
The security authentication information may be a signature, a token or the like.
Step 202: the off-card entity sends an authentication registration message carrying the security authentication information to a smart card device.
Step 203: after the smart card device verifies the security authentication information successfully, it sets up a data channel with the off-card entity.
Here, the smart card device verifying the security authentication information specifically includes:
the smart card device uses the key or certificate it stores itself and, according to the related information of the corresponding application, generates the security authentication information of the corresponding application;
the generated security authentication information of the corresponding application is matched against the security authentication information carried in the authentication registration message. If the two match, the smart card device has verified the security authentication information successfully; if the two do not match, the smart card device has failed to verify the security authentication information, and it may then return an error message to the off-card entity.
After the data channel is set up, the method may further include:
the smart card device adds the information of the corresponding application to its own application software registry. Here, the information of the corresponding application may include the identifier of the corresponding application, the state of the channel and the assigned permissions, where the assigned permissions may include the corresponding registration, cancellation and SE operation and the like.
After the data channel is set up, the method may further include:
after the smart card device receives an APDU instruction from the off-card entity, it performs the corresponding transaction operation when it determines that the data channel corresponding to the APDU is valid.
Here, determining that the data channel corresponding to the APDU is valid is specifically:
the smart card device determines, according to the information of the data channel corresponding to the APDU in the application software registry, that the data channel corresponding to the APDU is valid.
Specifically, if the state of the data channel recorded in the application software registry for the data channel corresponding to the APDU is valid, the data channel corresponding to the APDU is valid; correspondingly, if the recorded state of the data channel is invalid, the data channel corresponding to the APDU is invalid.
When it determines that the data channel corresponding to the APDU is invalid, the smart card device refuses to perform the operation related to the APDU instruction.
The method may further include:
after the transaction operation is completed, the smart card device closes the data channel corresponding to the APDU and deletes the corresponding information from the application software registry.
With the method for setting up a data channel provided by this embodiment, an off-card entity obtains security authentication information for requesting a data channel from a smart card management platform; the off-card entity sends an authentication registration message carrying the security authentication information to a smart card device; and after the smart card device verifies the security authentication information successfully, it sets up a data channel with the off-card entity. In this way the smart card is protected from attack and damage, and the security of the smart card device is ensured.
In addition, after the smart card device receives an APDU instruction from the off-card entity, it performs the corresponding transaction operation only when it determines that the data channel corresponding to the APDU is valid; in this way the security of the smart card device is further ensured.
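As an added illustration (not code from the patent or from the applicant), the following Python simulation walks through steps 201 to 203 and the registry-gated APDU handling of embodiment one with all three parties in one process. It assumes an HMAC-SHA256 token over the application-related information as the security authentication information, a key shared by the platform and the card as the "key or certificate each side stores itself", a registry row of application identifier, channel state and assigned permissions, that the SE operation permission is required for the transaction, and constructed sample application information and APDU bytes.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample key shared by the platform and the card device (assumption:
# a shared HMAC key stands in for "the key or certificate each side stores itself").
SHARED_KEY = b"example-shared-key-not-for-production"

SW_OK = "9000"               # ISO 7816 status word: success
SW_SECURITY = "6982"         # ISO 7816 status word: security status not satisfied
SW_INS_UNSUPPORTED = "6D00"  # ISO 7816 status word: instruction not supported


def make_token(key: bytes, app_info: dict) -> str:
    """Security authentication information for one application: an HMAC-SHA256
    token over the application-related information (canonical JSON is assumed)."""
    msg = json.dumps(app_info, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ManagementPlatform:
    """Smart card management platform: storage module plus data channel security module."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # storage module: the platform's own key

    def handle_registration_request(self, app_info: dict) -> str:
        # Step 201: generate the token from the stored key and the app-related info.
        return make_token(self._key, app_info)


@dataclass
class RegistryEntry:
    """One row of the card's application software registry."""
    app_id: str
    channel_state: str                                   # "valid" or "invalid"
    permissions: Set[str] = field(default_factory=set)  # registration, cancellation, SE operation


class SmartCardDevice:
    """Smart card device: verifies the token, keeps the registry and gates APDUs."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.registry: Dict[str, RegistryEntry] = {}

    def handle_auth_registration(self, app_info: dict, token: str) -> bool:
        # Step 203: regenerate the token locally and match it in constant time.
        expected = make_token(self._key, app_info)
        if not hmac.compare_digest(expected, token):
            return False  # verification failed: an error message goes back to the entity
        self.registry[app_info["app_id"]] = RegistryEntry(
            app_info["app_id"], "valid", set(app_info.get("permissions", ())))
        return True

    def process_apdu(self, app_id: str, apdu: bytes) -> Tuple[bytes, str]:
        # Consult the registry first: refuse unless the channel is valid and (an
        # assumption of this example) the SE operation permission was assigned.
        entry = self.registry.get(app_id)
        if entry is None or entry.channel_state != "valid" or "SE operation" not in entry.permissions:
            return b"", SW_SECURITY
        ins = apdu[1]  # APDU header: CLA INS P1 P2
        if ins == 0xCA:  # GET DATA: the transaction here returns the registered app id
            return entry.app_id.encode(), SW_OK
        return b"", SW_INS_UNSUPPORTED

    def close_channel(self, app_id: str) -> None:
        # After the transaction: mark the channel invalid and delete the registry entry.
        entry = self.registry.pop(app_id, None)
        if entry is not None:
            entry.channel_state = "invalid"


class OffCardEntity:
    """Off-card entity (e.g. a reader or phone app) holding its application-related info."""

    def __init__(self, app_info: dict) -> None:
        self.app_info = app_info
        self.token: Optional[str] = None

    def open_channel(self, platform: ManagementPlatform, card: SmartCardDevice) -> bool:
        self.token = platform.handle_registration_request(self.app_info)  # step 201
        return card.handle_auth_registration(self.app_info, self.token)  # steps 202-203


def run_scenario() -> dict:
    """Walk through Fig. 2 once with a registered entity and once with a guessed token."""
    platform = ManagementPlatform(SHARED_KEY)
    card = SmartCardDevice(SHARED_KEY)
    app_info = {"app_id": "wallet-demo",  # constructed application-related information
                "permissions": ["registration", "cancellation", "SE operation"]}
    entity = OffCardEntity(app_info)
    result = {"channel_opened": entity.open_channel(platform, card)}
    get_data = bytes([0x00, 0xCA, 0x00, 0x00])  # constructed APDU header
    result["apdu"] = card.process_apdu("wallet-demo", get_data)
    card.close_channel("wallet-demo")
    result["after_close"] = card.process_apdu("wallet-demo", get_data)[1]
    # An entity that never registered with the platform presents a guessed token.
    rogue = OffCardEntity({"app_id": "rogue", "permissions": ["SE operation"]})
    result["forged_accepted"] = card.handle_auth_registration(rogue.app_info, "0" * 64)
    result["registry_size"] = len(card.registry)
    return result
```

The same APDU succeeds while the registry row is valid and is refused with 6982 once the channel is closed and the row deleted, which is the gating the embodiment describes.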
Embodiment two
For the method realizing embodiment one, the present embodiment provides one to block outer entity, as it is shown on figure 3, the outer entity of this card includes: acquiring unit the 31, first transmitting element 32 and data channel set up unit 33;Wherein,
Described acquiring unit 31, for obtaining the secure authenticated information of request for data passage from intelligent card management platform;
Described first transmitting element 32, for sending the certification registration message carrying described secure authenticated information to smart card device;
Described data channel sets up unit 33, for, after described smart card device verifies the success of described secure authenticated information, setting up data channel with described smart card.
Wherein, described acquiring unit 31 can also include: the first sending module and the first receiver module;Wherein,
Described first sending module, for sending the data channel application for registration carrying corresponding application related information to described intelligent card management platform;
Described first receiver module, for receiving the secure authenticated information of the described corresponding application that described intelligent card management platform sends;Described secure authenticated information is utilized the key or certificate that self store by described intelligent card management platform, and generates according to described application related information.
Here, described secure authenticated information can be signature or Token.
In practical application, the acquiring unit 31 can be implemented by a central processing unit (CPU), microcontroller (MCU), digital signal processor (DSP) or field-programmable gate array (FPGA) in the off-card entity in combination with a transceiver; the first transmitting unit 32 and the first sending module can be implemented by a transmitter in the off-card entity; the data channel establishing unit 33 can be implemented by a CPU, MCU, DSP or FPGA of the off-card entity in combination with a transceiver; and the first receiving module can be implemented by a receiver in the off-card entity.
To implement the method of Embodiment One, this embodiment also provides a smart card management platform which, as shown in Figure 4, includes a second receiving unit 41, an information generating unit 42 and a second transmitting unit 43, where:
the second receiving unit 41 is configured to receive the data channel registration request, carrying the related information of the corresponding application, sent by the off-card entity;
the information generating unit 42 is configured to generate the security authentication information of the corresponding application using the key or certificate stored by the platform itself and according to the application-related information;
the second transmitting unit 43 is configured to send the generated security authentication information to the off-card entity.
Here, the security authentication information may be a signature or a Token.
The information generating unit 42 may further include a storage module and a data channel security module, where:
the storage module is configured to store the key or certificate;
the data channel security module is configured to generate the security authentication information of the corresponding application using the key or certificate stored in the storage module and according to the application-related information.
In practical application, the second receiving unit 41 can be implemented by a receiver in the smart card management platform; the information generating unit can be implemented by a CPU, MCU, DSP or FPGA in the smart card management platform in combination with a memory; the second transmitting unit 43 can be implemented by a transmitter in the smart card management platform; the storage module can be implemented by a memory in the smart card management platform; and the data channel security module can be implemented by a CPU, MCU, DSP or FPGA in the smart card management platform.
To implement the method of Embodiment One, this embodiment also provides a smart card device which, as shown in Figure 5, includes a third receiving unit 51 and a data channel establishing unit 52, where:
the third receiving unit 51 is configured to receive the authentication registration message, carrying security authentication information, sent by the off-card entity;
the data channel establishing unit 52 is configured to establish a data channel with the off-card entity after the security authentication information has been verified successfully.
Here, the data channel establishing unit 52 may further include an information generating module, a matching module and a data channel establishing module, where:
the information generating module is configured to generate the security authentication information of the corresponding application using the key or certificate stored by the device itself and according to the related information of the corresponding application;
the matching module is configured to match the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message, and to trigger the data channel establishing module when they match;
the data channel establishing module is configured to establish a data channel with the off-card entity after receiving the trigger from the matching module.
When the matching module matches the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message, a match indicates that the security authentication information has been verified successfully, and a mismatch indicates that verification has failed; in the latter case the matching module may return an error message to the off-card entity.
The security authentication information may be a signature, a Token, or the like.
The smart card device may further include an application software registry management unit configured to add the information of the corresponding application to the device's own application software registry after the data channel is established. Here, the information of the corresponding application may include the identifier of the corresponding application, the state of the channel and the assigned permissions, where the assigned permissions may include the corresponding registration, deregistration and SE operation permissions, etc.
The smart card device may further include an SE operating unit configured, after the data channel is established and an APDU command is received from the off-card entity, to carry out the corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid.
Here, determining that the data channel corresponding to the APDU is valid specifically means:
determining, according to the information of the data channel corresponding to the APDU in the application software registry, that the data channel corresponding to the APDU is valid.
Specifically, if the state of the data channel recorded in the application software registry for the data channel corresponding to the APDU is valid, the data channel corresponding to the APDU is valid; correspondingly, if the recorded state is invalid, the data channel corresponding to the APDU is invalid.
When the data channel corresponding to the APDU is determined to be invalid, the SE operating unit refuses to perform the operation related to the APDU command.
The data channel establishing unit 52 is further configured to close the data channel corresponding to the APDU after the transaction operation is complete;
correspondingly, the application software registry management unit is further configured to delete the corresponding information from the application software registry.
In practical application, the third receiving unit 51 can be implemented by a receiver in the smart card device; the data channel establishing unit 52 and the data channel establishing module can be implemented by a CPU, MCU, DSP or FPGA in the smart card device in combination with a transceiver; and the information generating module, matching module, application software registry management unit and SE operating unit can be implemented by a CPU, MCU, DSP or FPGA in the smart card device.
To implement the method of Embodiment One, this embodiment also provides a system for establishing a data channel which, as shown in Figure 6, includes a smart card management platform 61, an off-card entity 62 and a smart card device 63, where:
the off-card entity 62 is configured to obtain the security authentication information for requesting a data channel from the smart card management platform 61, and to send the authentication registration message carrying the security authentication information to the smart card device 63;
the smart card device 63 is configured to establish a data channel with the off-card entity 62 after the security authentication information has been verified successfully.
Here, the off-card entity 62 is configured to send the data channel registration request carrying the related information of the corresponding application to the smart card management platform 61, and to receive the security authentication information sent by the smart card management platform 61;
the smart card management platform 61 is configured, after receiving the data channel registration request, to generate the security authentication information of the corresponding application using the key or certificate it stores and according to the application-related information, and to send the generated security authentication information to the off-card entity 62.
The off-card entity 62 may take many physical forms, for example a contactless IC card, a contact IC card, a Bluetooth card, etc.
The security authentication information may be a signature, a Token, or the like.
Here, the smart card device 63 verifies the security authentication information specifically as follows:
the smart card device 63 generates the security authentication information of the corresponding application using the key or certificate it stores and according to the related information of the corresponding application;
the generated security authentication information of the corresponding application is matched against the security authentication information carried in the authentication registration message. If the two match, the smart card device 63 has verified the security authentication information successfully; if they do not match, the smart card device 63 has failed to verify the security authentication information, and it may return an error message to the off-card entity 62.
The smart card device 63 is further configured to add the information of the corresponding application to its own application software registry after the data channel is established. Here, the information of the corresponding application may include the identifier of the corresponding application, the state of the channel and the assigned permissions, where the assigned permissions may include the corresponding registration, deregistration and SE operation permissions, etc.
The smart card device 63 is further configured, after the data channel is established and an APDU command is received from the off-card entity, to carry out the corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid.
Here, determining that the data channel corresponding to the APDU is valid specifically means:
the smart card device 63 determines, according to the information of the data channel corresponding to the APDU in the application software registry, that the data channel corresponding to the APDU is valid.
Specifically, if the state of the data channel recorded in the application software registry for the data channel corresponding to the APDU is valid, the data channel corresponding to the APDU is valid; correspondingly, if the recorded state is invalid, the data channel corresponding to the APDU is invalid.
When the data channel corresponding to the APDU is determined to be invalid, the smart card device 63 refuses to perform the operation related to the APDU command.
The smart card device 63 is further configured to close the data channel corresponding to the APDU after the transaction operation is complete, and to delete the corresponding information from the application software registry.
In the system for establishing a data channel provided by this embodiment, the off-card entity 62 obtains the security authentication information for requesting a data channel from the smart card management platform 61; the off-card entity 62 sends the authentication registration message carrying the security authentication information to the smart card device 63; and after the smart card device 63 has verified the security authentication information successfully, it establishes a data channel with the off-card entity 62. In this way the smart card is protected from attack and damage, so the security of the smart card device is ensured.
In addition, after the smart card device 63 receives an APDU command from the off-card entity, it carries out the corresponding transaction operation only when the data channel corresponding to the APDU is determined to be valid, which further ensures the security of the smart card device.
Embodiment three
The system for establishing a data channel of this embodiment, as shown in Figure 7, includes a smart card management platform 71, an off-card entity 72 and a smart card 73, where:
The smart card management platform 71 is mainly responsible for generating the signature or token (Token) of application software according to the application software information. It may include a data channel key or certificate storage module 711 (whose function is equivalent to that of the storage module in Embodiment Two) and a data channel security module 712 (whose function is equivalent to the combined functions of the second receiving unit, the second transmitting unit and the data channel security module in Embodiment Two). Here, the data channel key or certificate storage module 711 is used to store the key or certificate of the data channel, and the data channel security module 712 is used to generate the signature or Token of the application software.
The off-card entity 72 includes smart card management software 721 (whose function is equivalent to the combined functions of the first sending module, the first receiving module, the first transmitting unit and the data channel establishing unit in Embodiment Two), application software 722 and an underlying chip 723. It is mainly responsible for the authentication registration of the application software of the off-card entity 72 on the smart card 73; specifically, it sends the registration request of the application software to the smart card management platform 71, sends the signature or Token of the application software returned by the smart card management platform 71 to the smart card 73 for authentication registration, and notifies the application software of the result of authentication registration at the smart card 73. In practical application, the off-card entity 72 may take many physical forms, for example a contactless IC card, a contact IC card, a Bluetooth card, etc.
The smart card 73 is a smart card device capable of securely managing data channels. Compared with an existing smart card, the smart card of this embodiment additionally has a data channel management unit 731, which specifically includes: a key or certificate storage module 7311, an off-card entity application software authentication module 7312 (whose function is equivalent to the combined functions of the third receiving unit, the information generating module and the matching module in Embodiment Two), an off-card entity application software registry management module 7313 (whose function is equivalent to that of the application software registry management unit in Embodiment Two), a data channel life cycle management module 7314 and an SE operation module 7315 (whose function is equivalent to that of the SE operating unit in Embodiment Two).
Here, the key or certificate storage module 7311 stores the key or certificate used to authenticate application software.
The off-card entity application software authentication module 7312 checks whether the security authentication information (signature or Token) of the application software of the off-card entity 72 is valid.
The off-card entity application software registry management module 7313 stores the identifiers of the application software that passed authentication and the permissions assigned to that application software, and deletes the application software identifier from the off-card entity application software registry after the data channel is closed. The permissions of application software include: software registration (this permission is assigned only to the smart card management software), software deregistration (this permission is assigned only to the smart card management software) and SE operation (this permission may be assigned to the smart card management software and to application software).
The data channel life cycle management module 7314 is used to maintain the life cycle state of each data channel, including states such as created and closed; after a data channel is created, it allocates an identifier to each data channel.
The SE operation module 7315 passes the APDU commands sent by legitimate, valid application software through to the SE 732, and refuses the APDU commands of invalid application software.
In practical application, the security requirements on the system for establishing a data channel mainly include the following:
(1) The data channel management unit 731 of the smart card 73 provides the capability of authentication registration for application software, and may authenticate using a signature scheme or a Token scheme.
(2) The software registration information in the off-card entity application software registry of the smart card 73 is only "temporarily" valid, that is, valid only during the valid life cycle of the data channel; the application software is allowed to access the smart card 73 only during the valid life cycle of that data channel.
(3) As for the data channel key or certificate, both the smart card 73 and the smart card management platform 71 store a key or certificate for establishing data channels; specifically, the smart card management platform 71 stores a private key or root key, and at manufacture the smart card 73 stores a public key or a sub-key diversified according to the integrated circuit card identity (ICCID), so that the certificate or key of each SE is different.
(4) Security between the smart card 73 and the smart card management platform 71: command interaction between each smart card and the smart card management platform is protected by keys; the smart card management platform stores the private key or root key, the public key or the ICCID-diversified sub-key is written into the smart card at manufacture, and it is ensured that the key of each smart card is different.
The process of establishing a data channel in this embodiment, as shown in Figure 7, includes the following steps:
Step 701: before establishing a data channel with the smart card, the application software 722 sends a data channel registration request to the smart card management software 721;
Step 702: after receiving the data channel registration request, the smart card management software 721 sends the data channel registration request from the application software 722 to the smart card management platform 71;
Step 703: after the smart card management platform 71 receives the data channel registration request, the data channel security module 712 reads the key or certificate of the data channel from the data channel key or certificate storage module 711;
Step 704: the data channel security module 712 uses the key or certificate read to compute, according to the information of the application software, the signature or Token of the application software's request for a data channel;
Step 705: the smart card management platform 71 sends a message of application software authentication registration to the smart card management software 721;
Here, the message sent carries the signature or Token of the application software's request for a data channel.
Step 706: after receiving the message, the smart card management software 721 sends the message of application software authentication registration to the data channel management unit 731 of the smart card; after receiving the message, the data channel management unit 731 performs data channel authentication registration for the application software, and step 707 is performed after the authentication registration succeeds;
Here, the message sent carries the signature or Token of the application software's request for a data channel.
Specifically, the off-card entity application software authentication module 7312 reads the key or certificate stored in the key or certificate storage module 7311, computes the signature or Token according to the information of the application software, and matches it against the signature or Token sent by the smart card management software 721; if they match, it triggers the off-card entity application software registry management module 7313 to add the information of the application software to the off-card entity application software registry, the authentication registration is considered successful, and the flow continues with step 707; if they do not match, the data channel management unit 731 returns an error message to the smart card management software 721 and the flow ends.
Step 707: the smart card management software 721 returns to the application software 722 the result that data channel authentication registration succeeded;
Step 708: after receiving the result, the application software 722 establishes a data channel with the data channel management unit 731 of the smart card 73, and the data channel life cycle is maintained by the data channel life cycle management module 7314;
Here, the data channel life cycle management module 7314 dynamically determines whether the data channel is valid and notifies the software registry management module 7313 of the state of the data channel, so that the software registry management module 7313 updates the relevant information on the state of the corresponding data channel.
The data channel life cycle management module 7314 may dynamically determine whether the data channel is valid according to, for example, how long the data channel has been established or the category of the APDU commands.
Step 709: after the data channel is established, the application software 722 can send the APDU commands of its application processing logic to the smart card 73; after the data channel management unit of the smart card verifies that the state of the application software is valid, it forwards the APDU commands sent by the application software 722 to the SE to carry out the application transaction.
Here, after the transaction is complete, the data channel between the application software and the smart card is closed, and the off-card entity application software registry management module 7313 deletes the relevant information from the off-card entity application software registry.
It can be seen from the above description that the solution provided by this embodiment can ensure the security of the smart card when it is accessed by the application software of the off-card entity.
In addition, the security policies between the smart card management software 721 and the smart card management platform 71, and between the smart card management software 721 and the data channel management unit 731 of the smart card, can be flexibly adjusted and upgraded.
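The flow of steps 701 to 709, together with the per-card key diversification of security requirements (3) and (4) and the registry-based APDU check of Embodiment Two, as a runnable simulation. This is an added example, not code from the patent or its assignee. The HMAC-SHA256 Token construction, the ICCID-based key derivation, the lifetime-based channel validity, the registry record layout, the ISO 7816-4 status words used as responses, and all sample values (ROOT_KEY, ICCID, APP_INFO, the APDU bytes) are assumptions chosen for illustration; the patent itself leaves the signature or Token algorithm open.

```python
import hashlib
import hmac

# Constructed sample values: none of these come from the patent.
ROOT_KEY = b"demo-root-key-held-only-by-platform-71"
ICCID = "8986001234567890123F"                                  # constructed ICCID
APP_INFO = {"app_id": "com.example.wallet", "version": "1.0"}   # constructed app info

SW_OK = b"\x90\x00"                       # ISO 7816-4: command executed normally
SW_SECURITY_NOT_SATISFIED = b"\x69\x82"   # ISO 7816-4: security status not satisfied


def canonical(app_info):
    """Deterministic byte encoding of the application-related information (assumed format)."""
    return "|".join(f"{k}={app_info[k]}" for k in sorted(app_info)).encode()


def derive_card_key(root_key, iccid):
    """Diversify the platform root key per card from its ICCID (assumed: HMAC-SHA256).
    This plays the role of the sub-key written into the card at manufacture."""
    return hmac.new(root_key, iccid.encode(), hashlib.sha256).digest()


def platform_issue_token(root_key, iccid, app_info):
    """Steps 703-704: data channel security module 712 computes the Token over the app info."""
    return hmac.new(derive_card_key(root_key, iccid), canonical(app_info), hashlib.sha256).digest()


class SmartCard:
    """Smart card 73 with a data channel management unit 731 (simulation)."""

    def __init__(self, iccid, card_key, channel_ttl=60):
        self.iccid = iccid
        self.card_key = card_key          # module 7311: only the card's own sub-key, never the root key
        self.registry = {}                # module 7313: app_id -> channel record
        self.channel_ttl = channel_ttl    # module 7314: assumed age-based validity
        self.next_channel_id = 1

    def authenticate_register(self, app_info, token, permissions, now):
        """Step 706 / module 7312: recompute the Token and match it in constant time.
        On success the registry gains an entry (channel id, state, permissions)."""
        expected = hmac.new(self.card_key, canonical(app_info), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, token):
            return None                   # error is returned to the smart card management software
        channel_id = self.next_channel_id
        self.next_channel_id += 1
        self.registry[app_info["app_id"]] = {"channel_id": channel_id, "state": "valid",
                                             "permissions": frozenset(permissions),
                                             "expires": now + self.channel_ttl}
        return channel_id

    def channel_valid(self, app_id, now):
        """Module 7314: validity is re-evaluated dynamically, here on channel age."""
        entry = self.registry.get(app_id)
        if entry is None or entry["state"] != "valid":
            return False
        if now > entry["expires"]:
            entry["state"] = "invalid"    # module 7313 records the new state
            return False
        return True

    def handle_apdu(self, app_id, apdu, now):
        """Step 709 / module 7315: forward to the SE only over a valid channel with SE permission."""
        if not self.channel_valid(app_id, now):
            return SW_SECURITY_NOT_SATISFIED
        if "SE_OPERATION" not in self.registry[app_id]["permissions"]:
            return SW_SECURITY_NOT_SATISFIED
        return self._se_execute(apdu)

    def _se_execute(self, apdu):
        """Stand-in for SE 732: acknowledge the command (assumed behaviour)."""
        return SW_OK

    def close_channel(self, app_id):
        """End of step 709: close the channel and drop the registry entry."""
        return self.registry.pop(app_id, None) is not None


def run_flow():
    """Runs the whole flow on the constructed data and returns the observable results."""
    card = SmartCard(ICCID, derive_card_key(ROOT_KEY, ICCID), channel_ttl=60)
    token = platform_issue_token(ROOT_KEY, ICCID, APP_INFO)          # steps 701-705
    select_app = bytes.fromhex("00A4040000")                          # constructed APDU
    results = {}
    # A tampered Token (one bit flipped) is refused and opens no channel.
    bad = bytes([token[0] ^ 0x01]) + token[1:]
    results["tampered_rejected"] = card.authenticate_register(APP_INFO, bad, {"SE_OPERATION"}, now=0) is None
    # A Token issued for a different ICCID fails on this card: keys are per card.
    other = platform_issue_token(ROOT_KEY, "8986009999999999999F", APP_INFO)
    results["other_card_rejected"] = card.authenticate_register(APP_INFO, other, {"SE_OPERATION"}, now=0) is None
    # The genuine Token registers the application and opens a channel (steps 706-708).
    results["channel_id"] = card.authenticate_register(APP_INFO, token, {"SE_OPERATION"}, now=0)
    results["apdu_ok"] = card.handle_apdu(APP_INFO["app_id"], select_app, now=10)
    results["apdu_expired"] = card.handle_apdu(APP_INFO["app_id"], select_app, now=61)
    # Re-register, then close: the registry entry is gone and further APDUs are refused.
    card.authenticate_register(APP_INFO, token, {"SE_OPERATION"}, now=100)
    results["closed"] = card.close_channel(APP_INFO["app_id"])
    results["apdu_after_close"] = card.handle_apdu(APP_INFO["app_id"], select_app, now=101)
    return results


if __name__ == "__main__":
    print(run_flow())
```

Two points the simulation makes concrete: the card holds only its ICCID-derived sub-key, so a Token the platform issued for another card is rejected without the card ever seeing the root key, and the registry entry is the single source of truth for the SE gate, so an expired or closed channel refuses APDUs even though the application authenticated earlier.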
Those skilled in the art will appreciate that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each process and/or block of the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
The above are merely preferred embodiments of the invention and are not intended to limit the scope of protection of the invention.

Claims (21)

1. A method for establishing a data channel, characterized in that the method includes:
an off-card entity obtaining security authentication information for requesting a data channel from a smart card management platform;
the off-card entity sending an authentication registration message carrying the security authentication information to a smart card device;
the smart card device establishing a data channel with the off-card entity after verifying the security authentication information successfully.
2. The method according to claim 1, characterized in that the off-card entity obtaining security authentication information for requesting a data channel from a smart card management platform includes:
the off-card entity sending a data channel registration request carrying related information of a corresponding application to the smart card management platform;
the smart card management platform, after receiving the data channel registration request, generating security authentication information of the corresponding application using a key or certificate it stores and according to the application-related information;
the smart card management platform sending the generated security authentication information to the off-card entity.
3. The method according to claim 2, characterized in that the smart card device verifying the security authentication information includes:
the smart card device generating security authentication information of the corresponding application using a key or certificate it stores and according to the related information of the corresponding application;
matching the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message.
4. The method according to claim 1, characterized in that, after the data channel is established, the method further includes:
the smart card device adding information of the corresponding application to its own application software registry.
5. The method according to claim 4, characterized in that, after the data channel is established, the method further includes:
after the smart card device receives an Application Protocol Data Unit (APDU) command from the off-card entity, carrying out the corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid.
6. The method according to claim 5, characterized in that determining that the data channel corresponding to the APDU is valid is:
the smart card device determining, according to the information of the data channel corresponding to the APDU in the application software registry, that the data channel corresponding to the APDU is valid.
7. The method according to claim 5, characterized in that the method further includes:
after the transaction operation is complete, the smart card device closing the data channel corresponding to the APDU and deleting the corresponding information from the application software registry.
8. An off-card entity, characterized in that the off-card entity includes: an acquiring unit, a first transmitting unit and a data channel establishing unit; wherein
the acquiring unit is configured to obtain security authentication information for requesting a data channel from a smart card management platform;
the first transmitting unit is configured to send an authentication registration message carrying the security authentication information to a smart card device;
the data channel establishing unit is configured to establish a data channel with the smart card device after the smart card device has verified the security authentication information successfully.
9. The off-card entity according to claim 8, characterized in that the acquiring unit further includes: a first sending module and a first receiving module; wherein
the first sending module is configured to send a data channel registration request carrying related information of a corresponding application to the smart card management platform;
the first receiving module is configured to receive the security authentication information of the corresponding application sent by the smart card management platform, the security authentication information being generated by the smart card management platform using a key or certificate it stores and according to the application-related information.
10. A smart card management platform, characterized in that the platform includes: a second receiving unit, an information generating unit and a second transmitting unit; wherein
the second receiving unit is configured to receive a data channel registration request, carrying related information of a corresponding application, sent by an off-card entity;
the information generating unit is configured to generate security authentication information of the corresponding application using a key or certificate it stores and according to the application-related information;
the second transmitting unit is configured to send the generated security authentication information to the off-card entity.
11. The platform according to claim 10, characterized in that the information generating unit may further include: a storage module and a data channel security module; wherein
the storage module is configured to store the key or certificate;
the data channel security module is configured to generate the security authentication information of the corresponding application using the key or certificate stored in the storage module and according to the application-related information.
12. A smart card device, characterized in that the device includes: a third receiving unit and a data channel establishing unit; wherein
the third receiving unit is configured to receive an authentication registration message, carrying security authentication information, sent by an off-card entity;
the data channel establishing unit is configured to establish a data channel with the off-card entity after the security authentication information has been verified successfully.
13. The device according to claim 12, characterized in that the data channel establishing unit further includes: an information generating module, a matching module and a data channel establishing module; wherein
the information generating module is configured to generate security authentication information of the corresponding application using a key or certificate it stores and according to related information of the corresponding application;
the matching module is configured to match the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message, and to trigger the data channel establishing module when they match;
the data channel establishing module is configured to establish a data channel with the off-card entity after receiving the trigger from the matching module.
14. The device according to claim 12, characterized in that the device further includes: an application software registry management unit configured to add information of the corresponding application to the device's own application software registry after the data channel is established.
15. The device according to claim 14, characterized in that the device may further include: an SE operating unit configured, after the data channel is established and an APDU command is received from the off-card entity, to carry out the corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid.
16. The device according to claim 15, characterized in that the data channel establishing unit is further configured to close the data channel corresponding to the APDU after the transaction operation is complete;
correspondingly, the application software registry management unit is further configured to delete the corresponding information from the application software registry.
17. A system for establishing a data channel, characterized in that the system includes: a smart card management platform, an off-card entity and a smart card device; wherein
the off-card entity is configured to obtain security authentication information for requesting a data channel from the smart card management platform, and to send an authentication registration message carrying the security authentication information to the smart card device;
the smart card device is configured to establish a data channel with the off-card entity after the security authentication information has been verified successfully.
18. The system according to claim 17, characterized in that the off-card entity is configured to send a data channel registration request carrying related information of a corresponding application to the smart card management platform, and to receive the security authentication information sent by the smart card management platform;
the smart card management platform is configured, after receiving the data channel registration request, to generate security authentication information of the corresponding application using a key or certificate it stores and according to the application-related information, and to send the generated security authentication information to the off-card entity.
19. system according to claim 17, it is characterised in that described smart card device, after being additionally operable to data channel foundation, the application software registration table of self increases the information of described corresponding application.
20. system according to claim 19, it is characterised in that described smart card device, it is additionally operable to after data channel sets up, and after receiving the APDU instruction of the outer entity of described card, it is determined that when the data channel corresponding with described APDU is effective, carry out corresponding transactional operation.
21. system according to claim 20, it is characterised in that described smart card device, it is additionally operable to after transactional operation completes, close data channel corresponding to described APDU;And delete information corresponding in described application software registration table.
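The three-party flow of claims 17 to 21 (the platform issues the secure authentication information, the off-card entity forwards it in a registration message, the card regenerates and matches it, then gates APDUs on a valid channel and removes the registry entry on close), as an added Python simulation that is not part of the patent. The HMAC derivation, the shared key and the application string are assumptions; the claims only say "key or certificate".

```python
import hmac
import hashlib
import secrets

# Constructed demo key shared by the platform and the card. Deriving the
# secure authentication information as an HMAC over the application-related
# information is an assumption for this example, not the patent's algorithm.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def secure_auth_info(key: bytes, app_info: bytes) -> bytes:
    """Secure authentication information from key + application-related info."""
    return hmac.new(key, app_info, hashlib.sha256).digest()


class ManagementPlatform:
    def __init__(self, key: bytes):
        self.key = key

    def register_channel_request(self, app_info: bytes) -> bytes:  # claim 18
        return secure_auth_info(self.key, app_info)


class SmartCard:
    def __init__(self, key: bytes):
        self.key = key
        self.channels = {}      # channel_id -> app_info of valid data channels
        self.app_registry = {}  # application software registry (claim 14)

    def handle_registration(self, app_info: bytes, auth_info: bytes):  # claims 12-13
        expected = secure_auth_info(self.key, app_info)
        if not hmac.compare_digest(expected, auth_info):
            return None  # verification failed: no channel is established
        channel_id = secrets.token_hex(4)
        self.channels[channel_id] = app_info
        self.app_registry[app_info] = channel_id
        return channel_id

    def process_apdu(self, channel_id: str, apdu: bytes) -> bytes:  # claims 15/20
        if channel_id not in self.channels:
            return b"\x69\x82"  # SW 6982: security status not satisfied
        data = apdu[5:5 + apdu[4]]  # constructed "transaction": echo the data field
        return data + b"\x90\x00"

    def close_channel(self, channel_id: str) -> bool:  # claims 16/21
        app_info = self.channels.pop(channel_id, None)
        if app_info is not None:
            self.app_registry.pop(app_info, None)
        return app_info is not None


def run_flow(tamper: bool = False):
    platform, card = ManagementPlatform(SHARED_KEY), SmartCard(SHARED_KEY)
    app_info = b"AID=A000000001|entity=terminal-42"  # constructed
    token = platform.register_channel_request(app_info)
    if tamper:  # forged/altered token from the off-card entity
        token = bytes(b ^ 1 for b in token)
    ch = card.handle_registration(app_info, token)
    if ch is None:
        return None
    resp = card.process_apdu(ch, b"\x80\xca\x00\x00\x02hi")
    card.close_channel(ch)
    return resp, card.process_apdu(ch, b"\x00\x00\x00\x00"), card.app_registry
```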
CN201410806632.7A 2014-12-22 2014-12-22 Method, system and related equipment for establishing data channel Active CN105790946B (en)

Publications (2)

Publication Number Publication Date
CN105790946A true CN105790946A (en) 2016-07-20
CN105790946B CN105790946B (en) 2020-05-12

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101257683A (en) * 2008-02-01 2008-09-03 北京握奇数据系统有限公司 Method for electric communication smart card signaling interactive with external non-contact card
CN101477607A (en) * 2009-01-16 2009-07-08 北京海升天达科技有限公司 Smart card and smart card user identity authentication process thereof
CN101488111A (en) * 2009-02-17 2009-07-22 普天信息技术研究院有限公司 Identification authentication method and system
CN101917216A (en) * 2010-08-25 2010-12-15 罗正棣 System and method for realizing safe mobile application by adopting Bluetooth intelligent card
CN102479089A (en) * 2010-11-23 2012-05-30 天津中兴软件有限责任公司 Software upgrading method for card reader
CN102547691A (en) * 2010-12-22 2012-07-04 国民技术股份有限公司 Security electronic control system and method based on 2.4G radio frequency identification (RFID) smart card system
CN103971149A (en) * 2013-01-24 2014-08-06 国民技术股份有限公司 Smart card device and authentication method of smart card device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
岳佩 (Yue Pei): "Research and Implementation of Smart Card Data Interaction Security" (智能卡数据交互安全性的研究与实现), China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110622536A (en) * 2018-01-05 2019-12-27 深圳市大疆创新科技有限公司 Communication method, device and system
CN113840274A (en) * 2021-09-18 2021-12-24 中国联合网络通信集团有限公司 BIP channel state management method, mobile equipment, UICC and user terminal
CN113840274B (en) * 2021-09-18 2023-06-02 中国联合网络通信集团有限公司 BIP channel state management method, mobile device, UICC and user terminal

Also Published As

Publication number Publication date
CN105790946B (en) 2020-05-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant