CN105790946B - Method, system and related equipment for establishing data channel - Google Patents
Abstract
The invention discloses a method for establishing a data channel, including: an off-card entity obtains, from a smart card management platform, security authentication information for applying for a data channel; the off-card entity sends to a smart card device an authentication registration message carrying the security authentication information; after successfully verifying the security authentication information, the smart card device establishes a data channel with the off-card entity. The invention also discloses an off-card entity, a smart card management platform, a smart card device and a system for establishing a data channel.
Description
Technical field
The invention relates to the field of data services, and in particular to a method, a system and related equipment for establishing a data channel.
Background
With the popularization of mobile e-commerce, smart cards store ever more data of ever greater importance. Smart cards can currently hold sensitive information such as user identity information, bank card account information and bank card account balances, so the security of the smart card matters all the more.
At present, smart card products support access by off-card entities over several physical connection forms, such as contactless card readers, data cables (contact type) and Bluetooth, and exchange data with the smart card over them.
The security of the smart card depends on the one hand on the smart card hardware and on the other hand on the security mechanism of the data channel between the smart card and the off-card entity.
As shown in Figure 1, off-card entities (card readers, mobile phones and the like) currently access the smart card through a physical channel established with it, such as a contactless physical channel or a Bluetooth physical channel. However, the data channel established between the smart card and the off-card entity has no security authentication mechanism, so the off-card entity can access the smart card at will. This exposes the smart card to attack: sensitive information on the card (user identity information, bank card information, bank account balance, etc.) can be read arbitrarily and data on the card can be modified.
Summary of the invention
To solve the existing technical problems, the embodiments of the present invention provide a method, a system and related equipment for establishing a data channel.
An embodiment of the present invention provides a method for establishing a data channel, including:
an off-card entity obtains, from a smart card management platform, security authentication information for applying for a data channel;
the off-card entity sends to a smart card device an authentication registration message carrying the security authentication information;
after successfully verifying the security authentication information, the smart card device establishes a data channel with the off-card entity.
In the above solution, the off-card entity obtaining the security authentication information for applying for the data channel from the smart card management platform includes:
the off-card entity sends to the smart card management platform a data channel registration application carrying information related to the corresponding application;
after receiving the data channel registration application, the smart card management platform generates the security authentication information of the corresponding application using the key or certificate it stores and according to the application-related information;
the smart card management platform sends the generated security authentication information to the off-card entity.
In the above solution, the smart card device verifying the security authentication information includes:
the smart card device generates the security authentication information of the corresponding application using the key or certificate it stores and according to the information related to the corresponding application;
the generated security authentication information of the corresponding application is matched against the security authentication information carried in the authentication registration message.
In the above solution, after the data channel is established, the method further includes:
the smart card device adds the information of the corresponding application to its own application software registry.
In the above solution, after the data channel is established, the method further includes:
after receiving an application protocol data unit (APDU) instruction from the off-card entity, the smart card device performs the corresponding transaction operation when it determines that the data channel corresponding to the APDU is valid.
In the above solution, determining that the data channel corresponding to the APDU is valid is:
the smart card device determines that the data channel corresponding to the APDU is valid according to the information about that data channel in the application software registry.
In the above solution, the method further includes:
after the transaction operation is completed, the smart card device closes the data channel corresponding to the APDU and deletes the corresponding information from the application software registry.
An embodiment of the present invention further provides an off-card entity, including an acquisition unit, a first sending unit and a data channel establishment unit, wherein:
the acquisition unit is configured to obtain, from a smart card management platform, security authentication information for applying for a data channel;
the first sending unit is configured to send to a smart card device an authentication registration message carrying the security authentication information;
the data channel establishment unit is configured to establish a data channel with the smart card after the smart card device successfully verifies the security authentication information.
In the above solution, the acquisition unit further includes a first sending module and a first receiving module, wherein:
the first sending module is configured to send to the smart card management platform a data channel registration application carrying information related to the corresponding application;
the first receiving module is configured to receive the security authentication information of the corresponding application sent by the smart card management platform, the security authentication information being generated by the smart card management platform using the key or certificate it stores and according to the application-related information.
An embodiment of the present invention further provides a smart card management platform, including a second receiving unit, an information generation unit and a second sending unit, wherein:
the second receiving unit is configured to receive the data channel registration application, carrying information related to the corresponding application, sent by the off-card entity;
the information generation unit is configured to generate the security authentication information of the corresponding application using the key or certificate it stores and according to the application-related information;
the second sending unit is configured to send the generated security authentication information to the off-card entity.
In the above solution, the information generation unit may further include a storage module and a data channel security module, wherein:
the storage module is configured to store the key or certificate;
the data channel security module is configured to generate the security authentication information of the corresponding application using the key or certificate stored by the storage module and according to the application-related information.
An embodiment of the present invention further provides a smart card device, including a third receiving unit and a data channel establishment unit, wherein:
the third receiving unit is configured to receive an authentication registration message carrying security authentication information sent by an off-card entity;
the data channel establishment unit is configured to establish a data channel with the off-card entity after successfully verifying the security authentication information.
In the above solution, the data channel establishment unit further includes an information generation module, a matching module and a data channel establishment module, wherein:
the information generation module is configured to generate the security authentication information of the corresponding application using the key or certificate it stores and according to the information related to the corresponding application;
the matching module is configured to match the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message, and to trigger the data channel establishment module when they match;
the data channel establishment module is configured to establish a data channel with the off-card entity after receiving the trigger from the matching module.
In the above solution, the device further includes an application software registry management unit, configured to add the information of the corresponding application to the device's own application software registry after the data channel is established.
In the above solution, the device may further include an SE operation unit, configured to perform the corresponding transaction operation when, after the data channel is established and an APDU instruction is received from the off-card entity, it is determined that the data channel corresponding to the APDU is valid.
In the above solution, the data channel establishment unit is further configured to close the data channel corresponding to the APDU after the transaction operation is completed;
correspondingly, the application software registry management unit is further configured to delete the corresponding information from the application software registry.
An embodiment of the present invention further provides a system for establishing a data channel, including a smart card management platform, an off-card entity and a smart card device, wherein:
the off-card entity is configured to obtain, from the smart card management platform, security authentication information for applying for a data channel, and to send to the smart card device an authentication registration message carrying the security authentication information;
the smart card device is configured to establish a data channel with the off-card entity after successfully verifying the security authentication information.
In the above solution, the off-card entity is configured to send to the smart card management platform a data channel registration application carrying information related to the corresponding application, and to receive the security authentication information sent by the smart card management platform;
the smart card management platform is configured, after receiving the data channel registration application, to generate the security authentication information of the corresponding application using the key or certificate it stores and according to the application-related information, and to send the generated security authentication information to the off-card entity.
In the above solution, the smart card device is further configured to add the information of the corresponding application to its own application software registry after the data channel is established.
In the above solution, the smart card device is further configured to perform the corresponding transaction operation when, after the data channel is established and an APDU instruction is received from the off-card entity, it determines that the data channel corresponding to the APDU is valid.
In the above solution, the smart card device is further configured to close the data channel corresponding to the APDU after the transaction operation is completed and to delete the corresponding information from the application software registry.
In the method, system and related equipment for establishing a data channel provided by the embodiments of the present invention, the off-card entity obtains from the smart card management platform security authentication information for applying for a data channel; the off-card entity sends to the smart card device an authentication registration message carrying the security authentication information; after successfully verifying the security authentication information, the smart card device establishes a data channel with the off-card entity. In this way the smart card is protected from attack and damage, and the security of the smart card device is ensured.
Description of the drawings
In the drawings, which are not necessarily to scale, like reference numerals may describe like parts in the different views. Like reference numerals with different letter suffixes may denote different instances of similar components. The drawings illustrate, by way of example and not limitation, the various embodiments discussed herein.
Figure 1 is a schematic diagram of the data channel of a related-art smart card;
Figure 2 is a schematic flowchart of a method for establishing a data channel in Embodiment 1 of the present invention;
Figure 3 is a schematic structural diagram of an off-card entity in Embodiment 2 of the present invention;
Figure 4 is a schematic structural diagram of a smart card management platform in Embodiment 2 of the present invention;
Figure 5 is a schematic structural diagram of a smart card device in Embodiment 2 of the present invention;
Figure 6 is a schematic structural diagram of a system for establishing a data channel in Embodiment 2 of the present invention;
Figure 7 is a schematic diagram of the system architecture and interactions for establishing a data channel in Embodiment 3 of the present invention.
Detailed description
The present invention is described in further detail below with reference to the drawings and embodiments.
In the various embodiments of the present invention, an off-card entity obtains from a smart card management platform security authentication information for applying for a data channel; the off-card entity sends to a smart card device an authentication registration message carrying the security authentication information; after successfully verifying the security authentication information, the smart card device establishes a data channel with the off-card entity.
Embodiment 1
This embodiment provides a method for establishing a data channel, applied to an off-card entity, including the following steps:
obtaining, from a smart card management platform, security authentication information for applying for a data channel;
sending to a smart card device an authentication registration message carrying the security authentication information;
and, after the smart card device successfully verifies the security authentication information, establishing a data channel with the smart card.
Here, obtaining the security authentication information for applying for the data channel from the smart card management platform is specifically:
sending to the smart card management platform a data channel registration application carrying information related to the corresponding application;
receiving the security authentication information of the corresponding application sent by the smart card management platform, the security authentication information being generated by the smart card management platform using the key or certificate it stores and according to the application-related information.
Here, the security authentication information may be a signature or a token.
This embodiment also provides a method for establishing a data channel, applied to a smart card management platform, including the following steps:
receiving a data channel registration application, carrying information related to the corresponding application, sent by an off-card entity;
generating the security authentication information of the corresponding application using the key or certificate stored by the platform and according to the application-related information;
sending the generated security authentication information to the off-card entity.
Here, the security authentication information may be a signature or a token.
This embodiment also provides a method for establishing a data channel, applied to a smart card device, including the following steps:
receiving an authentication registration message carrying security authentication information sent by an off-card entity;
after successfully verifying the security authentication information, establishing a data channel with the off-card entity.
Here, verifying the security authentication information specifically includes:
generating the security authentication information of the corresponding application using the key or certificate stored by the device and according to the information related to the corresponding application;
matching the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message. If the two match, the smart card device has verified the security authentication information successfully; if they do not match, verification has failed, and the smart card device returns an error message to the off-card entity.
The security authentication information may be a signature, a token or the like.
After the data channel is established, the method may further include:
the smart card device adds the information of the corresponding application to its own application software registry. Here, the information of the corresponding application may include the identifier of the corresponding application, the state of the channel and the assigned permissions, where the assigned permissions may include the corresponding registration, deregistration and security module (SE) operations, etc.
After the data channel is established, the method may further include:
after receiving an APDU instruction from the off-card entity, the smart card device performs the corresponding transaction operation when it determines that the data channel corresponding to the APDU is valid.
Here, determining that the data channel corresponding to the APDU is valid is specifically:
determining that the data channel corresponding to the APDU is valid according to the information about that data channel in the application software registry.
Specifically, if the state of the data channel recorded in the application software registry for the data channel corresponding to the APDU is valid, the data channel corresponding to the APDU is valid; correspondingly, if the recorded state of the data channel is invalid, the data channel corresponding to the APDU is invalid.
When it determines that the data channel corresponding to the APDU is invalid, the smart card device refuses to perform the operation related to the APDU instruction.
The method may further include:
after the transaction operation is completed, the smart card closes the data channel corresponding to the APDU and deletes the corresponding information from the application software registry.
The method for establishing a data channel provided by this embodiment, as shown in Figure 2, includes the following steps:
Step 201: the off-card entity obtains from the smart card management platform security authentication information for applying for a data channel.
Specifically, the off-card entity sends to the smart card management platform a data channel registration application carrying information related to the corresponding application;
after receiving the data channel registration application, the smart card management platform generates the security authentication information of the corresponding application using the key or certificate it stores and according to the application-related information;
the smart card management platform sends the generated security authentication information to the off-card entity.
The off-card entity may take various physical forms, for example a contactless IC card, a contact IC card, a Bluetooth card or the like.
The security authentication information may be a signature, a token or the like.
Step 202: the off-card entity sends to the smart card device an authentication registration message carrying the security authentication information.
Step 203: after successfully verifying the security authentication information, the smart card device establishes a data channel with the off-card entity.
Here, the smart card device verifying the security authentication information specifically includes:
the smart card device generates the security authentication information of the corresponding application using the key or certificate it stores and according to the information related to the corresponding application;
matching the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message. If the two match, the smart card device has verified the security authentication information successfully; if they do not match, verification has failed, and the smart card device returns an error message to the off-card entity.
After the data channel is established, the method may further include:
the smart card device adds the information of the corresponding application to its own application software registry. Here, the information of the corresponding application may include the identifier of the corresponding application, the state of the channel and the assigned permissions, where the assigned permissions may include the corresponding registration, deregistration and SE operations, etc.
After the data channel is established, the method may further include:
after receiving an APDU instruction from the off-card entity, the smart card device performs the corresponding transaction operation when it determines that the data channel corresponding to the APDU is valid.
Here, determining that the data channel corresponding to the APDU is valid is specifically:
the smart card device determines that the data channel corresponding to the APDU is valid according to the information about that data channel in the application software registry.
Specifically, if the state of the data channel recorded in the application software registry for the data channel corresponding to the APDU is valid, the data channel corresponding to the APDU is valid; correspondingly, if the recorded state of the data channel is invalid, the data channel corresponding to the APDU is invalid.
When it determines that the data channel corresponding to the APDU is invalid, the smart card device refuses to perform the operation related to the APDU instruction.
The method may further include:
after the transaction operation is completed, the smart card device closes the data channel corresponding to the APDU and deletes the corresponding information from the application software registry.
In the method for establishing a data channel provided by this embodiment, the off-card entity obtains from the smart card management platform security authentication information for applying for a data channel; the off-card entity sends to the smart card device an authentication registration message carrying the security authentication information; after successfully verifying the security authentication information, the smart card device establishes a data channel with the off-card entity. In this way the smart card is protected from attack and damage, and the security of the smart card device is ensured.
In addition, after receiving an APDU instruction from the off-card entity, the smart card device performs the corresponding transaction operation only when it determines that the data channel corresponding to the APDU is valid; this further ensures the security of the smart card device.
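The whole of Embodiment 1 (steps 201 to 203, the registry entry with its channel state and permissions, the APDU validity check and the close-and-delete teardown) simulated end to end in Python, as an added example that is not part of the patent. The patent only says "a key or certificate" and "a signature or token", so the HMAC-SHA256 token over a canonical encoding of the application information, the shared symmetric key, the sample application identifier and the sample APDU header are assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed demo key. Modelling the "key or certificate" held by both the
# platform and the card as one shared symmetric key is an assumption here.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Permissions the patent lists for a registry entry: registration,
# deregistration and SE operation.
DEFAULT_PERMISSIONS = frozenset({"register", "deregister", "se_operation"})


def canonical(app_info):
    """Serialise the application-related information deterministically, so the
    platform and the card compute the token over identical bytes."""
    return json.dumps(app_info, sort_keys=True, separators=(",", ":")).encode()


def make_token(key, app_info):
    """Security authentication information: an HMAC-SHA256 token (assumed construction)."""
    return hmac.new(key, canonical(app_info), hashlib.sha256).hexdigest()


class SmartCardManagementPlatform:
    def __init__(self, key):
        self._key = key                       # storage module

    def register_channel(self, app_info):
        # Data channel security module: generate the token for this application.
        return make_token(self._key, app_info)


class SmartCardDevice:
    def __init__(self, key):
        self._key = key
        self.registry = {}                    # application software registry

    def authenticate_registration(self, app_info, token):
        # Regenerate the token locally and match it against the one in the message.
        if not isinstance(token, str):
            return {"status": "error", "reason": "no authentication information"}
        expected = make_token(self._key, app_info)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return {"status": "error", "reason": "authentication information mismatch"}
        app_id = app_info["app_id"]
        self.registry[app_id] = {"state": "valid", "permissions": set(DEFAULT_PERMISSIONS)}
        return {"status": "ok", "channel": app_id}

    def process_apdu(self, app_id, apdu):
        # Only a channel recorded as valid in the registry may carry transactions.
        entry = self.registry.get(app_id)
        if entry is None or entry["state"] != "valid":
            return {"status": "rejected", "reason": "no valid data channel for this APDU"}
        if "se_operation" not in entry["permissions"]:
            return {"status": "rejected", "reason": "channel lacks SE operation permission"}
        # SE operation unit: the transaction itself is out of scope; echo the CLA/INS bytes.
        return {"status": "ok", "cla_ins": apdu[:2].hex()}

    def close_channel(self, app_id):
        # After the transaction: close the channel and delete its registry entry.
        self.registry.pop(app_id, None)


class OffCardEntity:
    def __init__(self, platform, card, app_info):
        self._platform, self._card, self.app_info = platform, card, app_info
        self.token = None

    def obtain_token(self):
        self.token = self._platform.register_channel(self.app_info)   # step 201
        return self.token

    def open_channel(self, token=None):
        # Steps 202/203: send the registration message; the card verifies and opens.
        token = self.token if token is None else token
        return self._card.authenticate_registration(self.app_info, token)


def run_flow():
    platform = SmartCardManagementPlatform(SHARED_KEY)
    card = SmartCardDevice(SHARED_KEY)
    app_info = {"app_id": "wallet.demo", "physical_channel": "bluetooth"}  # constructed
    entity = OffCardEntity(platform, card, app_info)

    # A registration message carrying a made-up token is refused; no channel exists yet.
    forged = entity.open_channel(token="0" * 64)
    # Genuine flow: token from the platform, regenerated and matched by the card.
    entity.obtain_token()
    opened = entity.open_channel()
    apdu = bytes.fromhex("00a40400")          # constructed sample APDU header
    accepted = card.process_apdu("wallet.demo", apdu)
    card.close_channel("wallet.demo")
    after_close = card.process_apdu("wallet.demo", apdu)
    return forged, opened, accepted, after_close, dict(card.registry)


if __name__ == "__main__":
    for step in run_flow():
        print(step)
```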
Embodiment 2
To implement the method of Embodiment 1, this embodiment provides an off-card entity. As shown in FIG. 3, the off-card entity includes an obtaining unit 31, a first sending unit 32 and a data channel establishing unit 33, where:
the obtaining unit 31 is configured to obtain, from a smart card management platform, security authentication information for applying for a data channel;
the first sending unit 32 is configured to send a smart card device an authentication registration message carrying the security authentication information; and
the data channel establishing unit 33 is configured to establish a data channel with the smart card after the smart card device successfully verifies the security authentication information.
The obtaining unit 31 may further include a first sending module and a first receiving module, where:
the first sending module is configured to send the smart card management platform a data channel registration application carrying information related to the corresponding application; and
the first receiving module is configured to receive the security authentication information of the corresponding application sent by the smart card management platform, the security authentication information having been generated by the smart card management platform from the application-related information using a key or certificate stored on the platform.
Here, the security authentication information may be a signature or a token.
In practice, the obtaining unit 31 may be implemented by a central processing unit (CPU), a microcontroller unit (MCU), a digital signal processor (DSP) or a field-programmable gate array (FPGA) in combination with a transceiver; the first sending unit 32 and the first sending module may be implemented by the transmitter of the off-card entity; the data channel establishing unit 33 may be implemented by the CPU, MCU, DSP or FPGA of the off-card entity in combination with a transceiver; and the first receiving module may be implemented by the receiver of the off-card entity.
To implement the method of Embodiment 1, this embodiment further provides a smart card management platform. As shown in FIG. 4, it includes a second receiving unit 41, an information generating unit 42 and a second sending unit 43, where:
the second receiving unit 41 is configured to receive the data channel registration application, carrying information related to the corresponding application, sent by the off-card entity;
the information generating unit 42 is configured to generate the security authentication information of the corresponding application from the application-related information using a key or certificate stored on the platform; and
the second sending unit 43 is configured to send the generated security authentication information to the off-card entity.
Here, the security authentication information may be a signature or a token.
The information generating unit 42 may further include a storage module and a data channel security module, where:
the storage module is configured to store the key or certificate; and
the data channel security module is configured to generate the security authentication information of the corresponding application from the application-related information using the key or certificate stored in the storage module.
In practice, the second receiving unit 41 may be implemented by the receiver of the smart card management platform; the information generating unit 42 by the CPU, MCU, DSP or FPGA of the platform in combination with a memory; the second sending unit 43 by the transmitter of the platform; the storage module by a memory of the platform; and the data channel security module by the CPU, MCU, DSP or FPGA of the platform.
To implement the method of Embodiment 1, this embodiment further provides a smart card device. As shown in FIG. 5, it includes a third receiving unit 51 and a data channel establishing unit 52, where:
the third receiving unit 51 is configured to receive an authentication registration message, carrying security authentication information, sent by an off-card entity; and
the data channel establishing unit 52 is configured to establish a data channel with the off-card entity after successfully verifying the security authentication information.
Here, the data channel establishing unit 52 may further include an information generating module, a matching module and a data channel establishing module, where:
the information generating module is configured to generate the security authentication information of the corresponding application from the application-related information using a key or certificate stored on the card;
the matching module is configured to match the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message, and to trigger the data channel establishing module when they match; and
the data channel establishing module is configured to establish a data channel with the off-card entity upon being triggered by the matching module.
When the matching module compares the generated security authentication information of the corresponding application with the security authentication information carried in the authentication registration message, a match means the verification succeeded; a mismatch means the verification failed, in which case the matching module returns an error message to the off-card entity.
The security authentication information may be a signature, a token or the like.
The smart card device may further include an application software registry management unit configured to add the information of the corresponding application to the card's own application software registry after the data channel is established. Here, the information of the corresponding application may include the identifier of the corresponding application, the state of the channel and the assigned permissions, where the assigned permissions may include the corresponding registration, deregistration and SE operation permissions, among others.
The smart card device may further include an SE operation unit configured, after the data channel is established and an APDU command is received from the off-card entity, to perform the corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid.
Determining that the data channel corresponding to the APDU is valid specifically means:
determining, from the information of the data channel corresponding to the APDU in the application software registry, that the data channel corresponding to the APDU is valid.
Specifically, if that data channel information records the channel state as valid, the data channel corresponding to the APDU is valid; correspondingly, if the state is recorded as invalid, the data channel corresponding to the APDU is invalid.
When the data channel corresponding to the APDU is determined to be invalid, the SE operation unit refuses to perform the operation associated with the APDU command.
The data channel establishing unit 52 is further configured to close the data channel corresponding to the APDU after the transaction operation is completed; and
correspondingly, the application software registry management unit is further configured to delete the corresponding information from the application software registry.
In practice, the third receiving unit 51 may be implemented by the receiver of the smart card device; the data channel establishing unit 52 and the data channel establishing module by the CPU, MCU, DSP or FPGA of the smart card device in combination with a transceiver; and the information generating module, matching module, application software registry management unit and SE operation unit by the CPU, MCU, DSP or FPGA of the smart card device.
To implement the method of Embodiment 1, this embodiment further provides a system for establishing a data channel. As shown in FIG. 6, the system includes a smart card management platform 61, an off-card entity 62 and a smart card device 63, where:
the off-card entity 62 is configured to obtain, from the smart card management platform 61, security authentication information for applying for a data channel, and to send the smart card device 63 an authentication registration message carrying the security authentication information; and
the smart card device 63 is configured to establish a data channel with the off-card entity 62 after successfully verifying the security authentication information.
The off-card entity 62 is configured to send the smart card management platform 61 a data channel registration application carrying information related to the corresponding application, and to receive the security authentication information sent by the smart card management platform 61; and
the smart card management platform 61 is configured, upon receiving the data channel registration application, to generate the security authentication information of the corresponding application from the application-related information using a key or certificate stored on the platform, and to send the generated security authentication information to the off-card entity 62.
The off-card entity 62 may take various physical forms, for example a contactless IC card, a contact IC card or a Bluetooth card.
The security authentication information may be a signature, a token or the like.
Here, the smart card device 63 verifying the security authentication information specifically includes:
the smart card device 63 generating the security authentication information of the corresponding application from the application-related information using a key or certificate stored on the card; and
matching the generated security authentication information of the corresponding application against the security authentication information carried in the authentication registration message: a match means the smart card device 63 verified the security authentication information successfully; a mismatch means the verification failed, in which case the smart card device 63 returns an error message to the off-card entity 62.
The smart card device 63 is further configured to add the information of the corresponding application to its own application software registry after the data channel is established. Here, the information of the corresponding application may include the identifier of the corresponding application, the state of the channel and the assigned permissions, where the assigned permissions may include the corresponding registration, deregistration and SE operation permissions, among others.
The smart card device 63 is further configured, after the data channel is established and an APDU command is received from the off-card entity, to perform the corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid.
Determining that the data channel corresponding to the APDU is valid specifically means:
the smart card device 63 determining, from the information of the data channel corresponding to the APDU in the application software registry, that the data channel corresponding to the APDU is valid.
Specifically, if that data channel information records the channel state as valid, the data channel corresponding to the APDU is valid; correspondingly, if the state is recorded as invalid, the data channel corresponding to the APDU is invalid.
When the data channel corresponding to the APDU is determined to be invalid, the smart card device 63 refuses to perform the operation associated with the APDU command.
The smart card device 63 is further configured to close the data channel corresponding to the APDU after the transaction operation is completed, and to delete the corresponding information from the application software registry.
In the system for establishing a data channel provided by this embodiment, the off-card entity 62 obtains, from the smart card management platform 61, security authentication information for applying for a data channel; the off-card entity 62 sends the smart card device 63 an authentication registration message carrying that security authentication information; and after the smart card device 63 successfully verifies the security authentication information, it establishes a data channel with the off-card entity 62. In this way the smart card is protected from attack and damage, which ensures the security of the smart card device.
In addition, after receiving an APDU command from the off-card entity, the smart card device 63 performs the corresponding transaction operation only when it determines that the data channel corresponding to the APDU is valid; this further ensures the security of the smart card device.
Embodiment 3
The system for establishing a data channel of this embodiment, as shown in FIG. 7, includes a smart card management platform 71, an off-card entity 72 and a smart card 73, where:
The smart card management platform 71 is mainly responsible for generating the signature or token of application software from the application software information. It may include a data channel key or certificate storage module 711 (functionally equivalent to the storage module of Embodiment 2) and a data channel security module 712 (functionally equivalent to the second receiving unit, the second sending unit and the data channel security module of Embodiment 2 combined). Here, the data channel key or certificate storage module 711 stores the key or certificate of the data channel, and the data channel security module 712 generates the signature or token of the application software.
The off-card entity 72 contains smart card management software 721 (functionally equivalent to the first sending module, the first receiving module, the first sending unit and the data channel establishing unit of Embodiment 2 combined), application software 722 and an underlying chip 723. It is mainly responsible for authenticating and registering the application software of the off-card entity 72 on the smart card 73; specifically, it sends the registration application of the application software to the smart card management platform 71, sends the signature or token of the application software returned by the smart card management platform 71 to the smart card 73 for authentication and registration, and notifies the application software of the result of the authentication and registration on the smart card 73. In practice, the off-card entity 72 may take various physical forms, for example a contactless IC card, a contact IC card or a Bluetooth card.
The smart card 73 is a smart card device that can securely manage data channels. Compared with an existing smart card, the smart card of this embodiment is additionally provided with a data channel management unit 731, which specifically includes a key or certificate storage module 7311, an off-card entity application software authentication module 7312 (functionally equivalent to the third receiving unit, the information generating module and the matching module of Embodiment 2 combined), an off-card entity application software registry management module 7313 (functionally equivalent to the application software registry management unit of Embodiment 2), a data channel life cycle management module 7314 and an SE operation module 7315 (functionally equivalent to the SE operation unit of Embodiment 2).
Here, the key or certificate storage module 7311 stores the key or certificate used to authenticate application software.
The off-card entity application software authentication module 7312 verifies whether the security authentication information (signature or token) of the application software of the off-card entity 72 is valid.
The off-card entity application software registry management module 7313 stores the identifiers of application software that has passed authentication and assigns application software permissions; after a data channel is closed, it deletes the application software identifier from the off-card entity application software registry. The application software permissions include: software registration (assigned only to the smart card management software), software deregistration (assigned only to the smart card management software) and SE operation (assignable to both the smart card management software and application software).
The data channel life cycle management module 7314 maintains the life cycle state of each data channel, including states such as created and closed, and assigns an identifier to each data channel once it is created.
The SE operation module 7315 passes APDU commands sent by legitimate, valid application software through to the SE 732 and rejects APDU commands from invalid application software.
In practice, the security requirements on the system for establishing a data channel mainly include the following points:
(1) The data channel management unit 731 of the smart card 73 provides authentication and registration of application software, which may be authenticated either by signature or by token.
(2) The software registration information in the off-card entity application software registry of the smart card 73 is only "temporarily" valid, that is, valid within the life cycle of the corresponding data channel; application software may be allowed to access the smart card 73 only during the valid life cycle of that data channel.
(3) As to the data channel key or certificate, both the smart card 73 and the smart card management platform 71 store a key or certificate used to establish data channels. Specifically, the smart card management platform 71 stores the private key or the root key, and at card personalization the smart card 73 is loaded with the public key or with a sub-key diversified from the root key according to the integrated circuit card identifier (ICCID), so that the certificate or key of every SE is different.
(4) Security between the smart card 73 and the smart card management platform 71: every command exchange between a smart card and the smart card management platform is protected by a key; the smart card management platform stores the private key or root key, the public key or the ICCID-diversified sub-key is written into the smart card at personalization, and the key of every smart card is guaranteed to be different.
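The key arrangement of points (3) and (4), together with the generate-and-match verification described for the platform and card units of Embodiment 2, as an added example in Python (not code from the patent): the platform keeps only a root key and derives each card's sub-key from its ICCID, the same sub-key is written into the card at personalization, and the card recomputes the token and compares it. The derivation function, the token construction (HMAC-SHA256 over a canonical serialisation of the application information), the ICCIDs and the application fields are all assumptions; the patent says only "signature or token" and "sub-key diversified according to the ICCID", and the asymmetric (private key / public key) variant it also allows is not shown.

```python
"""Added example: ICCID-diversified sub-keys and per-application tokens.
Not code from the patent; the KDF, token construction and field names are
assumptions made for illustration.
"""
import hashlib
import hmac


def derive_card_key(root_key: bytes, iccid: str) -> bytes:
    """Sub-key for one card: HMAC-SHA256(root_key, ICCID). Assumed KDF."""
    return hmac.new(root_key, iccid.encode("ascii"), hashlib.sha256).digest()


def canonical_app_info(app_info: dict) -> bytes:
    """Fixed serialisation so platform and card MAC exactly the same bytes."""
    return "\n".join(f"{key}={app_info[key]}" for key in sorted(app_info)).encode("utf-8")


def application_token(card_key: bytes, app_info: dict) -> str:
    """Token over the application information under the card's sub-key."""
    return hmac.new(card_key, canonical_app_info(app_info), hashlib.sha256).hexdigest()


class ManagementPlatform:
    """Platform side (modules 711/712): holds only the root key."""

    def __init__(self, root_key: bytes) -> None:
        self._root_key = root_key

    def personalize(self, iccid: str) -> "SmartCard":
        """Card issuance: write the ICCID-diversified sub-key into the card."""
        return SmartCard(iccid, derive_card_key(self._root_key, iccid))

    def issue_token(self, iccid: str, app_info: dict) -> str:
        """Step 704: re-derive the target card's sub-key and MAC the app info."""
        return application_token(derive_card_key(self._root_key, iccid), app_info)


class SmartCard:
    """Card side (modules 7311/7312): holds its own sub-key, never the root."""

    def __init__(self, iccid: str, card_key: bytes) -> None:
        self.iccid = iccid
        self._card_key = card_key

    def verify_token(self, app_info: dict, token: str) -> bool:
        """Recompute and compare in constant time; False means 'return error'."""
        expected = application_token(self._card_key, app_info)
        return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed sample data: one root key, two cards with assumed ICCIDs.
    platform = ManagementPlatform(root_key=bytes(range(32)))
    card_a = platform.personalize("8986010012345678901")
    card_b = platform.personalize("8986010098765432109")
    wallet = {"app_id": "com.example.wallet", "version": "1.2.0"}
    token = platform.issue_token(card_a.iccid, wallet)
    print("card A accepts token:", card_a.verify_token(wallet, token))
    print("card B accepts token:", card_b.verify_token(wallet, token))
    print("tampered app info:", card_a.verify_token({**wallet, "version": "9"}, token))
```

Because the token is computed under a card-specific sub-key, a token issued for one card does not verify on any other card, and changing any field of the application information after issuance fails verification. The ICCID must be reported to the platform with the registration application so the platform can derive the right sub-key.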
The process of establishing a data channel in this embodiment, as shown in FIG. 7, includes the following steps:
Step 701: Before establishing a data channel with the smart card, the application software 722 sends a data channel registration application to the smart card management software 721.
Step 702: After receiving the data channel registration application, the smart card management software 721 forwards the data channel registration application sent by the application software 722 to the smart card management platform 71.
Step 703: After the smart card management platform 71 receives the data channel registration application, the data channel security module 712 reads the key or certificate of the data channel from the data channel key or certificate storage module 711.
Step 704: Using the key or certificate it read, the data channel security module 712 computes, from the information of the application software, the signature or token with which the application software applies for a data channel.
Step 705: The smart card management platform 71 sends the smart card management software 721 an application software authentication registration message.
Here, the message sent carries the signature or token with which the application software applies for the data channel.
Step 706: After receiving the message, the smart card management software 721 sends an application software authentication registration message to the data channel management unit 731 of the smart card; after receiving that message, the data channel management unit 731 performs data channel authentication and registration for the application software, and Step 707 is executed once authentication and registration succeed.
Here, the message sent carries the signature or token with which the application software applies for the data channel.
Specifically, the off-card entity application software authentication module 7312 reads the key or certificate stored in the key or certificate storage module 7311, computes the signature or token from the information of the application software, and matches it against the signature or token sent by the smart card management software 721. If they match, it triggers the off-card entity application software registry management module 7313 to add the information of the application software to the off-card entity application software registry; authentication and registration have then succeeded, and the process continues with Step 707. If they do not match, the data channel management unit 731 of the smart card returns an error message to the smart card management software 721 and the process ends.
Step 707: The smart card management software 721 returns the result of the successful data channel authentication and registration to the application software 722.
Step 708: After receiving the result, the application software 722 establishes a data channel with the data channel management unit 731 of the smart card 73, and the data channel life cycle management module 7314 maintains the life cycle of the data channel.
Here, the data channel life cycle management module 7314 dynamically determines whether the data channel is valid and notifies the registry management module 7313 of the state of the data channel, so that the registry management module 7313 can update the information on the state of the corresponding data channel.
The data channel life cycle management module 7314 may dynamically determine whether the data channel is valid according to, for example, how long the data channel has been established and the category of the APDU commands.
Step 709: After the data channel is established, the application software 722 can send the smart card 73 the APDU commands of its application processing logic; once the data channel management unit of the smart card has verified that the state of the application software is valid, it forwards the APDU commands sent by the application software 722 to the SE, which carries out the application transaction.
Here, after the transaction is completed, the data channel between the application software and the smart card is closed, and the off-card entity application software registry management module 7313 deletes the related information from the off-card entity application software registry.
As can be seen from the above description, the solution provided by this embodiment can secure access to the smart card by the application software of the off-card entity.
In addition, the security policies between the smart card management software 721 and the smart card management platform 71, and between the smart card management software 721 and the data channel management unit 731 of the smart card, can be adjusted and upgraded flexibly.
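The card-side part of Steps 706 to 709, together with the registry, permission, life cycle and APDU-gating behaviour described for the smart card device in Embodiments 1 and 2, as an added example in Python (not code from the patent). One class stands in for modules 7312 to 7315; the off-card entity and the SE 732 are plain function calls. Assumptions beyond the text: the token is HMAC-SHA256 over the application information under a card key already shared with the platform, the smart card management software is recognised by a fixed application identifier, a channel expires after a configurable age, and the proprietary class byte 0x80 marks card-management APDUs that only a channel holding the registration permission may send; the refusal is reported with the ISO/IEC 7816-4 status word 6982 (security status not satisfied).

```python
"""Added example: card-side data channel manager (modules 7312-7315).
Not code from the patent; the token format, management identifier, expiry
rule and APDU class rule are assumptions made for illustration.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class Permission(Enum):
    REGISTER = "software registration"
    UNREGISTER = "software deregistration"
    SE_OPERATE = "SE operation"


class ChannelState(Enum):
    OPEN = "open"
    CLOSED = "closed"


# ISO/IEC 7816-4 "security status not satisfied"; returned in place of an SE response.
SW_SECURITY_STATUS_NOT_SATISFIED = bytes.fromhex("6982")


@dataclass
class RegistryEntry:
    """One row of the off-card entity application software registry (module 7313)."""
    app_id: str
    channel_id: int
    permissions: frozenset
    state: ChannelState
    opened_at: float


def compute_token(card_key: bytes, app_info: dict) -> str:
    """Assumed token: HMAC-SHA256 over a canonical serialisation of the app info."""
    canonical = "\n".join(f"{k}={app_info[k]}" for k in sorted(app_info))
    return hmac.new(card_key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class DataChannelManager:
    MANAGEMENT_SOFTWARE_ID = "smart-card-management-software"  # assumed identifier
    MANAGEMENT_CLA = 0x80  # assumed: class byte of card-management APDUs

    def __init__(self, card_key: bytes, se_execute: Callable[[bytes], bytes],
                 max_channel_age_s: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._card_key = card_key
        self._se_execute = se_execute          # the SE 732 behind module 7315
        self._max_channel_age_s = max_channel_age_s
        self._clock = clock
        self._registry: Dict[int, RegistryEntry] = {}
        self._next_channel_id = 1              # module 7314 assigns channel ids

    def register(self, app_info: dict, token: str) -> Optional[int]:
        """Step 706: verify the token, open a channel, add the app to the registry.
        Returns the channel id, or None where the card would return an error."""
        expected = compute_token(self._card_key, app_info)
        if not hmac.compare_digest(expected, token):
            return None
        if app_info["app_id"] == self.MANAGEMENT_SOFTWARE_ID:
            permissions = frozenset(Permission)               # register, deregister, SE
        else:
            permissions = frozenset({Permission.SE_OPERATE})  # SE operation only
        channel_id = self._next_channel_id
        self._next_channel_id += 1
        self._registry[channel_id] = RegistryEntry(
            app_info["app_id"], channel_id, permissions, ChannelState.OPEN, self._clock())
        return channel_id

    def channel_valid(self, channel_id: int, apdu: bytes) -> bool:
        """Module 7314: validity from registry state, channel age and APDU category."""
        entry = self._registry.get(channel_id)
        if entry is None or entry.state is not ChannelState.OPEN:
            return False
        if self._clock() - entry.opened_at > self._max_channel_age_s:
            entry.state = ChannelState.CLOSED  # expired: registry state becomes invalid
            return False
        if apdu and apdu[0] == self.MANAGEMENT_CLA and Permission.REGISTER not in entry.permissions:
            return False                       # management APDU on an application channel
        return True

    def send_apdu(self, channel_id: int, apdu: bytes) -> bytes:
        """Module 7315: pass a valid channel's APDU to the SE, refuse anything else."""
        if not self.channel_valid(channel_id, apdu):
            return SW_SECURITY_STATUS_NOT_SATISFIED
        return self._se_execute(apdu)

    def close(self, channel_id: int) -> None:
        """Transaction done: close the channel and delete its registry row."""
        entry = self._registry.pop(channel_id, None)
        if entry is not None:
            entry.state = ChannelState.CLOSED

    def registered_apps(self) -> Dict[int, str]:
        """Current registry contents, channel id -> application id."""
        return {cid: entry.app_id for cid, entry in self._registry.items()}
```

Passing the clock in as a parameter lets the expiry rule be tested without sleeping, and keeping the SE behind a callable keeps the gate itself free of any transaction logic: everything module 7315 needs to decide is in the registry row. A wrong token, an unknown channel, an expired channel, a closed channel and a management-class APDU on an application channel all take the same refusal path and never reach the SE.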
Those skilled in the art will appreciate that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Claims (21)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410806632.7A CN105790946B (en) | 2014-12-22 | 2014-12-22 | Method, system and related equipment for establishing data channel |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410806632.7A CN105790946B (en) | 2014-12-22 | 2014-12-22 | Method, system and related equipment for establishing data channel |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105790946A CN105790946A (en) | 2016-07-20 |
CN105790946B true CN105790946B (en) | 2020-05-12 |
Family
ID=56385312
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410806632.7A Active CN105790946B (en) | 2014-12-22 | 2014-12-22 | Method, system and related equipment for establishing data channel |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105790946B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019134145A1 (en) * | 2018-01-05 | 2019-07-11 | 深圳市大疆创新科技有限公司 | Communication method, device, and system |
CN113840274B (en) * | 2021-09-18 | 2023-06-02 | 中国联合网络通信集团有限公司 | BIP channel state management method, mobile device, UICC and user terminal |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101257683A (en) * | 2008-02-01 | 2008-09-03 | 北京握奇数据系统有限公司 | Method for electric communication smart card signaling interactive with external non-contact card |
CN101477607A (en) * | 2009-01-16 | 2009-07-08 | 北京海升天达科技有限公司 | Smart card and smart card user identity authentication process thereof |
CN101488111A (en) * | 2009-02-17 | 2009-07-22 | 普天信息技术研究院有限公司 | Identification authentication method and system |
CN101917216A (en) * | 2010-08-25 | 2010-12-15 | 罗正棣 | System and method for realizing safe mobile application by adopting Bluetooth intelligent card |
CN102479089A (en) * | 2010-11-23 | 2012-05-30 | 天津中兴软件有限责任公司 | Software upgrading method for card reader |
CN102547691A (en) * | 2010-12-22 | 2012-07-04 | 国民技术股份有限公司 | Security electronic control system and method based on 2.4G radio frequency identification (RFID) smart card system |
CN103971149A (en) * | 2013-01-24 | 2014-08-06 | 国民技术股份有限公司 | Smart card device and authentication method of smart card device |
Non-Patent Citations (1)
Title |
---|
Research and Implementation of Smart Card Data Interaction Security; Yue Pei; China Master's Theses Full-text Database, Information Science and Technology Series; 2008-08-15; Chapter 3 of the main text * |
Also Published As
Publication number | Publication date |
---|---|
CN105790946A (en) | 2016-07-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10699277B2 (en) | Security for mobile payment applications | |
JP5443659B2 (en) | Local trusted service manager for contactless smart cards | |
KR102221636B1 (en) | Cloud-based transactions methods and systems | |
CA2980114C (en) | Authentication in ubiquitous environment | |
CN104040553B (en) | Method for performing the application program in NFC device | |
CN107820238B (en) | SIM card, blockchain application security module, client and security operation method thereof | |
Busold et al. | Smart keys for cyber-cars: Secure smartphone-based NFC-enabled car immobilizer | |
US20140214673A1 (en) | Method for authentication using biometric data for mobile device e-commerce transactions | |
US20130145455A1 (en) | Method for accessing a secure storage, secure storage and system comprising the secure storage | |
CN105874494A (en) | Disabling mobile payments for lost electronic devices | |
CN106157025A (en) | The mobile terminal safety method of payment of identity-based card and system | |
US10129248B2 (en) | One-time-password generated on reader device using key read from personal security device | |
JP2017537421A (en) | How to secure payment tokens | |
JP2019517229A (en) | System and method for generating, storing, managing and using digital secrets associated with portable electronic devices | |
CN105635168A (en) | Off-line transaction device and security key using method thereof | |
US20180240113A1 (en) | Determining legitimate conditions at a computing device | |
WO2017076202A1 (en) | Smart card, mobile terminal, and method for using smart card to implement network identity authentication | |
CN105790946B (en) | Method, system and related equipment for establishing data channel | |
US20180240111A1 (en) | Security architecture for device applications | |
KR101103189B1 (en) | Method and system for issuing a public certificate using universal subscriber identification module information and recording medium therefor | |
EP4177810A1 (en) | Method and device for authorizing mobile transactions | |
CN105185002B (en) | Mobile terminal, business platform and card operation system | |
CN105103180B (en) | Method for handling the distribution of mobile credit card | |
CN109690596A (en) | Dynamic security code for card transaction | |
KR101642219B1 (en) | Method for Registering Payment Means |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |