CN106027249B - Identity card card reading method and system - Google Patents

Publication number: CN106027249B
Authority: CN (China)
Prior art keywords: electronic signature, card, signature equipment, information, encryption
Legal status: Active
Application number: CN201510765066.4A
Other languages: Chinese (zh)
Other versions: CN106027249A (en)
Inventor: 李东声
Current Assignee: Tendyron Technology Co Ltd
Original Assignee: Tendyron Technology Co Ltd
Application filed by Tendyron Technology Co Ltd
Priority to CN201510765066.4A
Publication of CN106027249A
Application granted
Publication of CN106027249B

Abstract

The present invention provides an identity card reading method and system. The identity card reading method includes: a card reader receives a card search response instruction returned by a first resident identification card; the card reader reads configuration information of the first resident identification card; the card reader queries, through an external interface, whether the configuration information is stored in an electronic signature device and, if the electronic signature device has not stored the configuration information, stores the configuration information in the electronic signature device through the external interface; the card reader receives a card reading instruction, obtains the encrypted identity card information stored in the resident identification card, and sends the encrypted identity card information to the electronic signature device; the electronic signature device encrypts the configuration information and the encrypted identity card information with a first transmission key to obtain a transmission ciphertext and sends it to the card reader; a background server receives the transmission ciphertext sent by the card reader and decrypts it with a second transmission key to obtain the configuration information and the encrypted identity card information.

Description

Identity card card reading method and system
Technical field
The present invention relates to the field of electronic technology, and in particular to an identity card reading method and system.
Background art
In the existing resident identification card reading process, a card search process is executed before the identity card reading process; only after a resident identification card has been found does the identity card reading process begin.
The card search process mainly includes: the card reader cyclically sends card search instructions; when a resident identification card enters the readable range of the card reader, the resident identification card detects the card search instruction sent by the card reader and returns a card search response instruction to the card reader; after receiving the card search response instruction, the card reader determines that a resident identification card has been detected and the card search succeeds.
After the card search succeeds, the user instructs the card reader to start reading the identity card. The card reader then interacts with the resident identification card and reads the information stored in it, and a security control module (SAM module) authorized by the Ministry of Public Security decodes the information read from the resident identification card to obtain the plaintext identity card information.
In the related art, the card reader does not read the information stored in the resident identification card as soon as the card is found; it reads the information from the resident identification card only after receiving a card reading instruction. Because the card reader interacts with the resident identification card over radio frequency, reading the information stored in the resident identification card takes a long time and the user experience is poor.
Summary of the invention
The present invention aims to solve the above problem that reading the information stored in a resident identification card takes a long time and the user experience is poor.
The main purpose of the present invention is to provide an identity card reading method.
Another purpose of the present invention is to provide an identity card reading system.
To achieve the above purposes, the present invention provides the following technical schemes:
Scheme 1. An identity card reading method, comprising: a card reader receives a card search response instruction returned by a first resident identification card; the card reader reads configuration information of the first resident identification card; the card reader queries, through an external interface, whether the configuration information is stored in an electronic signature device and, if the electronic signature device has not stored the configuration information, stores the configuration information in the electronic signature device through the external interface; the card reader receives a card reading instruction and sends a secure channel establishment request to a background server; the background server negotiates with the electronic signature device through the card reader, the electronic signature device obtaining a first transmission key and the background server obtaining a second transmission key; the card reader obtains the encrypted identity card information stored in the resident identification card and sends the encrypted identity card information to the electronic signature device; the electronic signature device encrypts the configuration information and the encrypted identity card information with the first transmission key to obtain a transmission ciphertext and sends the transmission ciphertext to the card reader; the card reader sends the transmission ciphertext to the background server; the background server receives the transmission ciphertext and decrypts it with the second transmission key to obtain the configuration information and the encrypted identity card information.
Scheme 2, according to the method for scheme 1, background server is held consultation by card reader and electronic signature equipment, electronics Signature device obtains the first transmission key, and background server obtains the second transmission key, comprising: card reader sends exit passageway and builds It is vertical to request to background server;Background server receive exit passageway establish request, generate the first random factor, and by first with The machine factor is sent to card reader;Card reader receives the first random factor, and the first random factor is sent to electronic signature equipment;Electricity Sub- signature device receives the first random factor, sign using the private key of electronic signature equipment to the first data to be signed, generation the One signed data, by first transmission data be sent to card reader, wherein the first data to be signed include at least first it is random because Son, first sends data to digital certificate less including the first signed data and electronic signature equipment;Card reader receives the first hair Data are sent, the first transmission data are sent to background server;Background server receives first and sends data, verifying electronic signature The digital certificate of equipment, after being verified, carry out sign test operation to the first signed data terminates if sign test does not pass through Process;If sign test passes through, background server generate the second random factor, and based on the first random factor and second it is random because Son generates third random factor and encryption data is obtained, after utilization using the public key encryption third random factor of electronic signature equipment The private key pair encryption data of platform server are signed, and the second signed data is obtained, and are calculated using third random factor Second transmission data are sent to card reader, wherein the second transmission data 
include the second signed data, encryption by two transmission keys The digital certificate of data and background server;Card reader receives the second transmission data, and the second transmission data are sent to electronics label Name equipment;Electronic signature equipment receives the second transmission data, verifies the digital certificate of background server, right after being verified Second signed data carries out sign test operation, if sign test passes through, is carried out using the private key pair encryption data of electronic signature equipment Decryption oprerations obtain third random factor, and the first transmission key are calculated using third random factor.
Scheme 3, according to the method for scheme 1, background server is held consultation by card reader and electronic signature equipment, electronics Signature device obtains the first transmission key, and background server obtains the second transmission key, comprising: card reader sends exit passageway and builds It is vertical to request to background server;Background server receives exit passageway and establishes request, generates the first random factor, and first is recognized Card data are sent to card reader, wherein the first authentication data includes at least: the number card of the first random factor and background server Book;After card reader receives the first authentication data, the first authentication data is sent to electronic signature equipment;Electronic signature equipment receives First authentication data verifies the digital certificate of background server, after being verified, generates the second random factor, and utilize backstage The second random factor of public key encryption of server, obtains the first encryption data, to the first random factor and the first encryption data into Row signature, obtains the first signed data, the second authentication data is sent to card reader, and be calculated based on the second random factor First transmission key, wherein the second authentication data includes the number of the first signed data, the first encryption data and electronic signature equipment Word certificate;After card reader receives the second authentication data, the second authentication data is sent to background server;Background server receives Second authentication data verifies the digital certificate of electronic signature equipment, after being verified, carries out sign test to the first signed data, If sign test passes through, operation is decrypted to the first encryption data using the private key of background server, obtain second it is random because Son terminates process if sign test does not 
pass through;Background server is based on the second random factor and the second transmission key is calculated.
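The negotiation in Scheme 3, with the card reader acting only as a relay, can be exercised end to end with the sketch below. It is an added example, not code from the patent: the patent names no algorithms, so RSA-OAEP, RSA-PSS, the SHA-256 key derivation, pinned public keys in place of certificate verification, and all identifiers are assumptions. It also shows why the first random factor is part of the signed data: a second authentication message replayed from an earlier session fails signature verification and the flow ends.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint: the background server or the electronic signature device.
// Assumption: each side pins the peer's public key; on the page each side first
// verifies the peer's digital certificate and takes the key from it.
type Party struct{ key *rsa.PrivateKey }

func NewParty() *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{k}
}

// SecondAuth is the second authentication data, minus the certificate.
type SecondAuth struct{ Sig, EncR2 []byte }

var ErrSignature = errors.New("signature verification failed, flow terminated")

// digest hashes R1 || E(R2). R1 is always 32 bytes, so the boundary is fixed.
func digest(r1, encR2 []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, r1...), encR2...))
	return h[:]
}

// deriveKey maps the second random factor to a 256-bit transmission key.
// Assumed KDF: the page only says the key is calculated from the factor.
func deriveKey(r2 []byte) []byte {
	h := sha256.Sum256(append([]byte("transmission key"), r2...))
	return h[:]
}

func randomFactor() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// DeviceRespond is the signature device's step: pick R2, encrypt it to the
// server, sign R1 || E(R2), and derive the first transmission key.
func (d *Party) DeviceRespond(r1 []byte, srv *rsa.PublicKey) (SecondAuth, []byte, error) {
	r2 := randomFactor()
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, srv, r2, nil)
	if err != nil {
		return SecondAuth{}, nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, d.key, crypto.SHA256, digest(r1, enc), nil)
	return SecondAuth{sig, enc}, deriveKey(r2), err
}

// ServerFinish verifies the signature against the R1 the server itself issued,
// then decrypts R2 and derives the second transmission key.
func (s *Party) ServerFinish(r1 []byte, m SecondAuth, dev *rsa.PublicKey) ([]byte, error) {
	if rsa.VerifyPSS(dev, crypto.SHA256, digest(r1, m.EncR2), m.Sig, nil) != nil {
		return nil, ErrSignature
	}
	r2, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, m.EncR2, nil)
	if err != nil {
		return nil, err
	}
	return deriveKey(r2), nil
}

// Handshake runs one negotiation. If replay is non-nil, the relaying card
// reader forwards that old message instead of the device's fresh one.
func Handshake(srv, dev *Party, replay *SecondAuth) (SecondAuth, []byte, []byte, error) {
	r1 := randomFactor() // first random factor, fresh for every session
	msg, k1, err := dev.DeviceRespond(r1, &srv.key.PublicKey)
	if err != nil {
		return msg, nil, nil, err
	}
	sent := msg
	if replay != nil {
		sent = *replay
	}
	k2, err := srv.ServerFinish(r1, sent, &dev.key.PublicKey)
	return msg, k1, k2, err
}

func main() {
	srv, dev := NewParty(), NewParty()
	old, k1, k2, err := Handshake(srv, dev, nil)
	fmt.Println("transmission keys match:", string(k1) == string(k2), "err:", err)
	_, _, _, err = Handshake(srv, dev, &old)
	fmt.Println("replayed second authentication data:", err)
}
```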
Scheme 4, according to the method for any one of scheme 1 to 3, card reader obtains the encryption identity card stored in resident identification card Information includes: whether to be stored with encryption identity card information corresponding with configuration information in card reader inquiry electronic signature equipment;? It determines in the case where being stored with encryption identity card information in electronic signature equipment, is read in electronic signature equipment by external interface The encryption identity card information of storage;In the case where in determining electronic signature equipment without storage encryption identity card information, card reading Device executes the card reading process of identity card, reads the encryption identity card information in the first resident identification card, and by the encryption body of reading Part card information is stored by external interface to be associated with into electronic signature equipment, and with configuration information.
Scheme 5, according to the method for any one of scheme 1 to 3, there is no the case where storage configuration information in electronic signature equipment Under, being stored configuration information by external interface includes: that card reader by external interface deletes electronics into electronic signature equipment The configuration information and encryption identity card information stored in signature device, by the configuration information storage of reading to electronic signature equipment In;It includes: in card reader inquiry electronic signature equipment that card reader, which obtains the encryption identity card information stored in resident identification card, is It is no to be stored with encryption identity card information;In the case where being stored with encryption identity card information in determining electronic signature equipment, pass through External interface reads the encryption identity card information stored in electronic signature equipment;Add in determining electronic signature equipment without storage In the case where close ID card information, card reader executes the card reading process of identity card, reads the encryption body in the first resident identification card Part card information, and the encryption identity card information of reading is stored by external interface into electronic signature equipment.
Scheme 6, according to the method for scheme 4 or 5, the encryption identity card information stored in electronic signature equipment includes multiple numbers According to packet;Electronic signature equipment encrypts configuration information and encryption identity card information using the first transmission key, is transmitted Transmission ciphertext is sent to card reader by ciphertext: card reader respectively believes configuration information, encryption identity card using the first transmission key Each data of breath are encrypted, and obtain multiple encrypted packets, multiple encrypted packets are sent to card reader.
Scheme 7, according to the method for scheme 6, method further include: upon receipt platform server send instruction retransmit encryption When the retransmission instructions of ID card information, card reader sends to electronic signature equipment and requests, and request retransmission instruction instruction needs to retransmit Data packet;Electronic signature equipment obtains the data packet that retransmission instructions instruction needs to retransmit, using the first transmission key to needs The data packet of re-transmission is encrypted, and needs the data packet retransmitted to be sent to card reader for encrypted;Card reader receives electronics The data packet that the encrypted needs that signature device returns retransmit, and by the encrypted data packet retransmission for needing to retransmit to backstage Server.
Scheme 8, according to the method for any one of scheme 1 to 7, configuration information and encryption identity card information are sent in card reader After background server, method further include: card reader does not detect resident identification card in the given time, empties electronics label The configuration information and encryption identity card information of the resident identification card of name device memory storage.
Scheme 9, according to the method for any one of scheme 1 to 8, configuration information and encryption identity card information are sent in card reader After background server, method further include: card reader obtains the identity card cleartext information encrypted from background server;Card reading The identity card cleartext information of encryption is sent to electronic signature equipment by device;Electronic signature equipment is using the first transmission key to encryption Identity card cleartext information be decrypted, obtain identity card cleartext information;Electronic signature equipment generates a random key;Electronics Signature device encrypts identity card cleartext information using random key;Electronic signature equipment stores encrypted proof of identification Literary information.
Scheme 10, according to the method for scheme 9, after electronic signature equipment stores encrypted identity card cleartext information, Method further include: card reader receives the card seeking response instruction of the second resident identification card return;Card reader reads second resident's body The configuration information of part card;Card reader judges the configuration information currently read whether is stored in electronic signature equipment;Card reader connects Receive the card reading instruction for the terminal being attached thereto;In the feelings for judging to be stored with the configuration information currently read in electronic signature equipment Under condition, judge whether electronic signature equipment is stored with encrypted identity card cleartext information;It is deposited in judging electronic signature equipment In the case where containing encrypted identity card cleartext information, identity card cleartext information is obtained from electronic signature equipment.
Scheme 11, according to the method for scheme 9, encrypted identity card cleartext information is stored to electricity in electronic signature equipment After in sub- signature device, method further include: card reader does not detect resident identification card in the given time, empties electronics label The encrypted identity card cleartext information of name device memory storage;And/or card reader does not detect resident's body in the given time In the case that part card or electronic signature equipment execute before power-off operation, electronic signature equipment deletes random key.
Scheme 12. The method according to any one of schemes 1-2, 4-10, wherein the background server verifying the first signed data comprises: the background server verifies the first signed data using the first random factor and the public key of the electronic signature device contained in the digital certificate of the electronic signature device; and the electronic signature device verifying the second signed data comprises: the electronic signature device verifies the second signed data using the encrypted data and the public key of the background server contained in the digital certificate of the background server.
Scheme 13. The method according to any one of schemes 1-2, 4-11, wherein the first data to be signed further includes a first identity of the electronic signature device, and the first sending data further includes a second identity of the electronic signature device.
Scheme 14. The method according to scheme 13, wherein the first identity of the electronic signature device includes the electronic signature device serial number and/or the electronic signature device certificate number, the second identity of the electronic signature device includes the electronic signature device serial number and/or the electronic signature device certificate number, and the electronic signature device serial number and the electronic signature device certificate number have a mapping relationship.
Scheme 15, according to the method for scheme 13 or 14, background server carries out sign test operation, packet to the first signed data It includes:
Background server utilizes the electricity in the digital certificate of the first random factor, the second identity and electronic signature equipment The public key of sub- signature device carries out sign test operation to the first signed data.
Scheme 16. An identity card reading system, comprising: a card reader, configured to receive a card search response instruction returned by a first resident identification card, read configuration information of the first resident identification card, then query through an external interface whether the configuration information is stored in an electronic signature device and, if the electronic signature device has not stored the configuration information, store the configuration information in the electronic signature device through the external interface; the card reader is further configured to receive a card reading instruction and send a secure channel establishment request to a background server; the background server, configured to negotiate with the electronic signature device through the card reader and obtain a second transmission key; the electronic signature device, configured to negotiate with the background server through the card reader and obtain a first transmission key; the card reader is further configured to obtain the encrypted identity card information stored in the resident identification card and send the encrypted identity card information to the electronic signature device; the electronic signature device is further configured to encrypt the configuration information and the encrypted identity card information with the first transmission key to obtain a transmission ciphertext and send the transmission ciphertext to the card reader; the card reader is further configured to send the transmission ciphertext to the background server; the background server is further configured to receive the transmission ciphertext and decrypt it with the second transmission key to obtain the configuration information and the encrypted identity card information.
Scheme 17. The system according to scheme 16, wherein the background server and the electronic signature device obtain the second transmission key and the first transmission key as follows: the background server is configured to receive the secure channel establishment request, generate a first random factor, and send the first random factor to the electronic signature device through the card reader; the electronic signature device is configured to receive the first random factor, sign first data to be signed with the private key of the electronic signature device to generate first signed data, and send first sending data to the background server through the card reader, where the first data to be signed includes at least the first random factor and the first sending data includes at least the first signed data and the digital certificate of the electronic signature device; the background server is further configured to receive the first sending data, verify the digital certificate of the electronic signature device and, after the verification passes, verify the first signed data, ending the flow if signature verification fails; and, if signature verification passes, to generate a second random factor, generate a third random factor based on the first random factor and the second random factor, encrypt the third random factor with the public key of the electronic signature device to obtain encrypted data, sign the encrypted data with the private key of the background server to obtain second signed data, calculate the second transmission key from the third random factor, and send second transmission data to the electronic signature device through the card reader, where the second transmission data includes the second signed data, the encrypted data and the digital certificate of the background server; the electronic signature device is further configured to receive the second transmission data, verify the digital certificate of the background server and, after the verification passes, verify the second signed data and, if signature verification passes, decrypt the encrypted data with the private key of the electronic signature device to obtain the third random factor and calculate the first transmission key from the third random factor.
Scheme 18. The system according to scheme 17, wherein the background server and the electronic signature device obtain the second transmission key and the first transmission key as follows: the background server is configured to receive the secure channel establishment request, generate a first random factor, and send first authentication data to the electronic signature device through the card reader, where the first authentication data includes at least the first random factor and the digital certificate of the background server; the electronic signature device is configured to receive the first authentication data, verify the digital certificate of the background server and, after the verification passes, generate a second random factor, encrypt the second random factor with the public key of the background server to obtain first encrypted data, sign the first random factor and the first encrypted data to obtain first signed data, send second authentication data to the background server through the card reader, and calculate the first transmission key based on the second random factor, where the second authentication data includes the first signed data, the first encrypted data and the digital certificate of the electronic signature device; the background server is further configured to receive the second authentication data, verify the digital certificate of the electronic signature device and, after the verification passes, verify the first signed data; if signature verification passes, to decrypt the first encrypted data with the private key of the background server to obtain the second random factor and calculate the second transmission key based on the second random factor; and, if signature verification fails, to end the flow.
Scheme 19. The system according to any one of schemes 16 to 18, wherein the card reader obtains the encrypted identity card information stored in the resident identification card as follows: querying whether encrypted identity card information corresponding to the configuration information is stored in the electronic signature device; if it is determined that the encrypted identity card information is stored in the electronic signature device, reading the encrypted identity card information stored in the electronic signature device through the external interface; if it is determined that no encrypted identity card information is stored in the electronic signature device, executing the identity card reading process, reading the encrypted identity card information in the first resident identification card, storing the encrypted identity card information that was read in the electronic signature device through the external interface, and associating it with the configuration information.
Scheme 20. The system according to any one of schemes 16 to 18, wherein, if the electronic signature device has not stored the configuration information, the card reader stores the configuration information in the electronic signature device as follows: deleting, through the external interface, the configuration information and encrypted identity card information stored in the electronic signature device, and storing the configuration information that was read in the electronic signature device; and the card reader obtains the encrypted identity card information stored in the resident identification card as follows: querying whether encrypted identity card information is stored in the electronic signature device; if it is determined that encrypted identity card information is stored in the electronic signature device, reading the encrypted identity card information stored in the electronic signature device through the external interface; if it is determined that no encrypted identity card information is stored in the electronic signature device, executing the identity card reading process, reading the encrypted identity card information in the first resident identification card, and storing the encrypted identity card information that was read in the electronic signature device through the external interface.
Scheme 21. The system according to scheme 19 or 20, wherein the encrypted identity card information stored in the electronic signature device comprises multiple data packets; and the electronic signature device encrypts the configuration information and the encrypted identity card information to obtain the transmission ciphertext and sends the transmission ciphertext to the card reader as follows: using the first transmission key to separately encrypt the configuration information and each data packet of the encrypted identity card information to obtain multiple encrypted data packets, and sending the multiple encrypted data packets to the card reader.
Scheme 22. The system according to scheme 21, wherein, on receiving from the background server a retransmission instruction indicating that encrypted identity card information is to be retransmitted, the card reader sends a request to the electronic signature device, requesting the data packets that the retransmission instruction indicates need to be retransmitted; the electronic signature device obtains the data packets that the retransmission instruction indicates need to be retransmitted, encrypts them with the first transmission key, and sends the encrypted data packets to be retransmitted to the card reader; the card reader receives the encrypted data packets to be retransmitted returned by the electronic signature device and retransmits them to the background server.
Scheme 23. The system according to any one of schemes 16 to 22, wherein the card reader is further configured, after sending the configuration information and the encrypted identity card information to the background server, to clear the configuration information and encrypted identity card information of the resident identification card stored in the electronic signature device if no resident identification card is detected within a predetermined time.
Scheme 24. The system according to any one of schemes 16 to 23, wherein the card reader is further configured, after sending the configuration information and the encrypted identity card information to the background server, to obtain encrypted plaintext identity card information from the background server and send the encrypted plaintext identity card information to the electronic signature device; the electronic signature device is further configured to decrypt the encrypted plaintext identity card information with the first transmission key to obtain the plaintext identity card information, generate a random key, encrypt the plaintext identity card information with the random key, and store the encrypted plaintext identity card information.
Scheme 25. The system according to scheme 24, wherein the card reader is further configured to receive a card search response instruction returned by a second resident identification card, read the configuration information of the second resident identification card, judge whether the configuration information currently read is stored in the electronic signature device, and receive a card reading instruction from the terminal connected to it; if it is judged that the configuration information currently read is stored in the electronic signature device, to judge whether the electronic signature device has stored the encrypted plaintext identity card information; and, if it is judged that the encrypted plaintext identity card information is stored in the electronic signature device, to obtain the plaintext identity card information from the electronic signature device.
Scheme 26, according to the system of scheme 25, card reader is also used to arrive by encrypted identity card cleartext information storage After in electronic signature equipment, resident identification card is not detected in the given time, empties storage in electronic signature equipment Encrypted identity card cleartext information;And/or electronic signature equipment is also used to not detect in the given time in card reader In the case that resident identification card or electronic signature equipment execute before power-off operation, random key is deleted.
Scheme 27. The system according to any one of schemes 16-17 and 19-26, wherein the background server performing a signature verification operation on the first signature data comprises: the background server verifying the first signature data using the first random factor and the public key of the electronic signature equipment contained in the digital certificate of the electronic signature equipment; and the electronic signature equipment performing a signature verification operation on the second signature data comprises: the electronic signature equipment verifying the second signature data using the encrypted data and the public key of the background server contained in the digital certificate of the background server.
Scheme 28. The system according to any one of schemes 16-17 and 19-27, wherein the first data to be signed further includes a first identity of the electronic signature equipment, and the first sent data further includes a second identity of the electronic signature equipment.
Scheme 29. The system according to scheme 28, wherein the first identity of the electronic signature equipment includes the electronic signature equipment serial number and/or the electronic signature equipment certificate number, the second identity of the electronic signature equipment includes the electronic signature equipment serial number and/or the electronic signature equipment certificate number, and the electronic signature equipment serial number and the electronic signature equipment certificate number have a mapping relationship.
Scheme 30. The system according to scheme 28 or 29, wherein the background server performing a signature verification operation on the first signature data comprises: the background server verifying the first signature data using the first random factor, the second identity, and the public key of the electronic signature equipment contained in the digital certificate of the electronic signature equipment.
With the technical solution provided by the present invention, the card reader reads the configuration information from the resident identification card as soon as it has found the card; when a card reading instruction is subsequently received, only the encrypted identity card information is read from the resident identification card. This saves the time otherwise spent reading the configuration information after the card reading instruction is received, improving both the reading efficiency of the identity card and the user experience.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow diagram of the identity card reading method provided by Embodiment 1 of the present invention;
Fig. 2 is a flow diagram of the identity card reading method provided by Embodiment 2 of the present invention;
Fig. 3 is a flow diagram of the identity card reading method provided by Embodiment 3 of the present invention;
Fig. 4 is an architecture diagram of the identity card reading system provided by Embodiment 4 of the present invention;
Fig. 5 is a flow diagram of a card reading process provided by Embodiment 5 of the present invention;
Fig. 6 is a flow diagram of another card reading process provided by Embodiment 6 of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
In the description of the present invention, it should be understood that orientation or positional terms such as "center", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings. They are used only to simplify the description and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, so they should not be understood as limiting the invention. In addition, the terms "first" and "second" are used for description only and should not be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "installed", "connected" and "coupled" are to be understood broadly: a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct, indirect through an intermediary, or internal between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the circumstances.
The embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
Fig. 1 is a flow diagram of the identity card reading method provided by this embodiment. As shown in Fig. 1, the method mainly includes the following steps (101-109).
Step 101: the card reader receives the card-seeking response instruction returned by the first resident identification card;
In this embodiment, the card reader sends out a card-seeking instruction through its radio-frequency module at regular intervals. After the first resident identification card receives the card-seeking instruction sent by the card reader, it automatically sends a card-seeking response instruction to the card reader, and the card reader receives it. The card reader establishes a communication connection with the first resident identification card by means of the card-seeking response instruction the card returned.
It should be noted that a conventional card reader contains a security control module authorized by the Ministry of Public Security to decrypt the encrypted identity card information the reader reads, but integrating such a module into the card reader is costly. In this embodiment, the card reader is not provided with the security control module authorized by the Ministry of Public Security (SAM module); the security control module is placed at the remote end instead. It may be set in the background server, or set up independently and connected to the background server by wire (for example, a USB interface) or wirelessly (for example, WIFI or Bluetooth); this embodiment does not limit the specific form. Because the card reader and the SAM module are separate, multiple card readers can share one SAM module, which saves cost.
Step 102: the card reader reads the configuration information of the first resident identification card;
In this embodiment, after receiving the card-seeking response instruction returned by the first resident identification card, the card reader determines that an identity card is within readable range and directly reads the configuration information in the first resident identification card.
In practical applications, the information stored in the first resident identification card includes the configuration information of the identity card, stored in cleartext, and the encrypted identity card information, stored as ciphertext. The configuration information of the identity card refers to the configuration parameters of the identity card, for example the identity card serial number, application data indicating the applications set in the identity card, and the transport protocol (for example, transport protocol type, bit rate, maximum frame size). The card reader can recognize this configuration information directly, without decryption by the security control module authorized by the Ministry of Public Security. The encrypted identity card information refers to the identity card data stored in the card as ciphertext, such as the identification card number, name, gender, address and photo; the cleartext information of the identity card can be obtained only after this encrypted identity card information is decrypted by the security control module authorized by the Ministry of Public Security. The security control module needs the configuration information in order to decrypt the encrypted identity card information, so when an identity card is read, both the configuration information and the encrypted identity card information stored in the card must be provided to the security control module authorized by the Ministry of Public Security. In this embodiment, regardless of whether a card reading instruction has been received, as long as the card reader detects a resident identification card within readable range (that is, receives the card-seeking response instruction returned by the resident identification card), it reads the configuration information of that resident identification card.
Step 103: the card reader queries, through an external interface, whether the configuration information is stored in the electronic signature equipment; if the electronic signature equipment has not stored the configuration information, the card reader stores the configuration information in the electronic signature equipment through the external interface;
In this embodiment, after reading the configuration information in the first resident identification card, the card reader queries through the external interface whether the electronic signature equipment stores the configuration information of the first resident identification card read in step 102. If that configuration information is not stored, the card reader stores it in the electronic signature equipment through the external interface; if it is already stored, step 104 is executed directly.
In this embodiment, the electronic signature equipment may be a smart card with a security chip, connected to the terminal wirelessly (for example, by NFC or Bluetooth), or an electronic signature key with a security chip (i.e. a KEY, such as the U-Shield used by the Industrial and Commercial Bank of China or the K-Bao used by the Agricultural Bank of China), connected to the terminal through a USB interface or an audio port. The embodiments of the present invention do not limit the specific form.
In this embodiment, the card reader and the electronic signature equipment may be connected by wire, for example through a USB interface or an audio interface, or wirelessly, for example by NFC or Bluetooth. This embodiment does not limit the specific form.
Step 104: the card reader receives a card reading instruction and sends a secure channel establishment request to the background server;
In this embodiment, step 103 and the card reader's receipt of the card reading instruction have no fixed chronological order. In practical applications, the card reader may receive the card reading instruction while executing step 103 or after executing step 103, or it may execute step 103 after receiving the card reading instruction; this embodiment does not limit the order.
In this embodiment, the card reading instruction is an instruction to read the identity card information. The card reader may receive the card reading instruction through a terminal (such as a computer or mobile phone), or obtain it by itself; this embodiment does not limit how the card reader obtains the card reading instruction, and any arrangement in which the card reader can receive a card reading instruction falls within the protection scope of the present invention. Upon the card reading instruction it receives, the card reader obtains the encrypted identity card information stored in the identity card.
Step 105: the background server negotiates with the electronic signature equipment through the card reader; according to the negotiation result, the electronic signature equipment obtains the first transmission key and the background server obtains the second transmission key;
For the process by which the background server negotiates the transmission key with the electronic signature equipment through the card reader, see the description in Embodiments 5 and 6 below; it is not repeated here.
Step 106: the card reader obtains the encrypted identity card information stored in the resident identification card and sends it to the electronic signature equipment;
In an optional implementation of this embodiment, when the encrypted identity card information is already stored in the electronic signature equipment, the card reader may obtain it from the electronic signature equipment through the external interface; alternatively, the card reader may read the encrypted identity card information directly from the first resident identification card. See the description in Embodiments 2 and 3 for details.
Step 107: the electronic signature equipment encrypts the configuration information and the encrypted identity card information using the first transmission key to obtain the transmission ciphertext, and sends the transmission ciphertext to the card reader;
In a specific application, the electronic signature equipment may encrypt according to the way the card reader sends data to the background server. For example, if the card reader divides the configuration information and the encrypted identity card information into multiple data packets and sends one data packet at a time, the electronic signature equipment encrypts each data packet separately.
Step 108: the card reader sends the transmission ciphertext to the background server.
In this embodiment, after obtaining the transmission ciphertext, the card reader sends it to the background server. Specifically, the card reader may establish a connection and communicate with the background server through a terminal (such as a computer or mobile phone), or establish a connection and communicate with the background server directly by wireless means (such as Bluetooth, infrared or NFC near-field communication).
Step 109: the background server receives the transmission ciphertext and decrypts it using the second transmission key to obtain the configuration information and the encrypted identity card information.
After decryption yields the configuration information and the encrypted identity card information, the background server may send them to the SAM module, which decodes the identity card information of the resident identification card. The background server thereby obtains the identity card cleartext information of the resident identification card and can go on to execute a process that requires the identity card, for example a banking system opening an account remotely for a user.
In the related art, when the resident identification card reading process is executed and a resident identification card is detected within readable range, the information stored in the card is not read at that point; the reader waits for a card reading instruction, and only after receiving it reads the configuration information and the encrypted identity card information from the resident identification card. In the identity card reading scheme provided by this embodiment, the card reader reads the configuration information of the resident identification card directly when it detects a resident identification card within readable range. After receiving the card reading instruction it only needs to obtain the encrypted identity card information stored in the card and does not need to read the configuration information again, which saves card reading time and improves the user experience. Also, in this embodiment, the card reader and the background server negotiate a transmission key, and during the interaction the transmitted data is encrypted with the negotiated transmission key, which further ensures the security of the transmitted information.
As an optional implementation of this embodiment, after the card reader sends the transmission ciphertext to the background server, the background server may interact with the SAM module to obtain the decrypted identity card cleartext information, and may send that cleartext information to the card reader, which in turn sends it to the electronic signature equipment. Optionally, to ensure the security of the identity card cleartext information in transit, the background server may encrypt it before sending, for example using the second transmission key negotiated with the electronic signature equipment. Therefore, in this optional implementation, after the card reader sends the transmission ciphertext to the background server, the method may further include: the electronic signature equipment obtains the identity card cleartext information decrypted by the background server; the electronic signature equipment generates a random key; the electronic signature equipment encrypts the identity card cleartext information using the random key; and the electronic signature equipment stores the encrypted identity card cleartext information. Here the card reader may receive the identity card cleartext information encrypted by the background server with the second transmission key and send this encrypted cleartext information to the electronic signature equipment, which decrypts it with the first transmission key to obtain the identity card cleartext information. In this implementation, because the encrypted identity card cleartext information is stored in the electronic signature equipment, when the identity card information needs to be read multiple times, the encrypted identity card cleartext information can be obtained directly from the electronic signature equipment, without the background server and the SAM module decrypting the encrypted identity card information again. This saves time on a second read, and encrypting the identity card cleartext information with a random key ensures its security.
As an optional implementation of this embodiment, after the encrypted identity card cleartext information has been stored in the electronic signature equipment, the card reader receives the card-seeking response instruction returned by a second resident identification card, reads the configuration information of the second resident identification card, and judges whether the configuration information currently read is stored in the electronic signature equipment. The card reader receives a card reading instruction from the terminal connected to it (for example, a PC at the bank front end). If the query shows that the configuration information currently read is stored in the electronic signature equipment, the card reader queries whether the electronic signature equipment stores encrypted identity card cleartext information. If it is determined that encrypted identity card cleartext information is stored in the electronic signature equipment, the electronic signature equipment decrypts it with the random key to obtain the identity card cleartext information and sends that to the card reader, and the card reader outputs the decrypted identity card cleartext information. For example, the card reader may send the decrypted identity card cleartext information to the terminal, or display it directly.
Specifically, when the second resident identification card and the first resident identification card are the same identity card, the card reader reads the configuration information of the second resident identification card and determines that the configuration information currently read is stored in the electronic signature equipment. After receiving the card reading instruction, the card reader queries whether encrypted identity card cleartext information is stored in the electronic signature equipment; if it is, the electronic signature equipment decrypts the encrypted identity card cleartext information with the random key to obtain the identity card cleartext information, and the card reader obtains and outputs it. When the second resident identification card and the first resident identification card are different identity cards, the card reader reads the configuration information of the second resident identification card, judges that the configuration information currently read is not stored in the electronic signature equipment, and executes the card reading process for the second resident identification card. That process is the same as the card reading process for the first resident identification card and is not repeated here. The configuration information is thus used to judge whether a read is a second read; when identity card cleartext information corresponding to the configuration information is judged to be stored, the encrypted identity card cleartext information is obtained directly from the electronic signature equipment, saving time on the second read.
In this embodiment, the electronic signature equipment may store the encrypted identity card cleartext information of only one identity card. For example, one storage space may be set up in the electronic signature equipment for the encrypted identity card cleartext information, and another storage space may be set up for the configuration information. When the card reader detects a resident identification card, it reads the card's configuration information. If that configuration information is not stored in the electronic signature equipment, the information held in both the configuration information storage space and the encrypted identity card cleartext information storage space is cleared, and the configuration information currently read is saved to the configuration information storage space. This guarantees that the configuration information and the encrypted identity card cleartext information stored in the electronic signature equipment belong to the same identity card. In the subsequent identity card reading process, after the identity card cleartext information decrypted by the background server is obtained, it is encrypted with the random key and saved to the encrypted identity card cleartext information storage space. When a card reading instruction sent by the host computer (for example, a PC at the bank front end) is received, the card reader can judge whether the configuration information of the current resident identification card is consistent with the configuration information stored in the electronic signature equipment. If it is, the encrypted identity card cleartext information is taken from its storage space in the electronic signature equipment, decrypted with the random key, and output.
Of course, the electronic signature equipment may also store the encrypted identity card cleartext information of multiple identity cards. For example, when encrypted identity card cleartext information is stored, it is stored in association with the configuration information of the resident identification card. When the card reader detects a resident identification card, it reads the card's configuration information; if that configuration information is not stored in the electronic signature equipment, the configuration information currently read is saved to the configuration information storage space. When the identity card cleartext information of that resident identification card is subsequently obtained, it is encrypted with the random key, and the encrypted identity card cleartext information is stored in association with the configuration information. When a card reading instruction is subsequently received from the host computer, the card reader can query whether the configuration information of the current resident identification card is stored in the electronic signature equipment. If so, it further queries whether the electronic signature equipment stores encrypted identity card cleartext information associated with that configuration information; if so, the electronic signature equipment decrypts it with the random key to obtain the identity card cleartext information and sends that to the card reader, and the card reader outputs the decrypted identity card cleartext information.
As an optional implementation of this embodiment, after the card reader stores the encrypted identity card cleartext information in the electronic signature equipment, to ensure the security of the resident identification card information, the encrypted identity card cleartext information stored in the electronic signature equipment is cleared if the card reader does not detect a resident identification card within a predetermined time. Specifically, after storing the encrypted identity card cleartext information in the electronic signature equipment, the card reader judges whether a resident identification card is detected within the predetermined time; if none is detected, the card reader clears the encrypted identity card cleartext information stored in the electronic signature equipment.
As an optional implementation of this embodiment, after the card reader stores the encrypted identity card cleartext information in the electronic signature equipment, the random key in the electronic signature equipment is deleted if the card reader does not detect a resident identification card within the predetermined time, or before the electronic signature equipment performs a power-off operation. Specifically, after storing the encrypted identity card cleartext information in the electronic signature equipment, the card reader judges whether a resident identification card is detected within the predetermined time; if none is detected, the card reader instructs the electronic signature equipment to delete the random key. Likewise, when the electronic signature equipment performs a power-off operation after the encrypted identity card cleartext information has been stored in it, the electronic signature equipment also deletes the random key. Once the random key has been deleted, the encrypted identity card cleartext information stored in the electronic signature equipment cannot be decrypted even if the equipment is obtained illegally. This ensures the security of the resident identification card information and allows the electronic signature equipment to store the encrypted identity card cleartext information in flash memory.
Optionally, in this embodiment, the configuration information of the resident identification card and the encrypted identity card cleartext information may be stored in the electronic signature equipment as a cache. By the nature of a cache, the stored information is cleared automatically after the card reader is powered down, which ensures the security of the resident identification card information.
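The following added sketch (not part of the patent text) models the single-slot storage behaviour described above for the electronic signature equipment: the configuration-information match that allows a second read, clearing when a different card appears, and random-key deletion on timeout or power-off. The class and function names, the 30-second timeout, the sample byte strings and the SHA-256 counter-mode stand-in cipher are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for this example only (SHA-256 in counter mode); a real
    # device would use the cipher provided by its security chip.
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> tuple:
    """Encrypt then MAC under sub-keys derived from the random key."""
    enc_key = hashlib.sha256(key + b"enc").digest()
    mac_key = hashlib.sha256(key + b"mac").digest()
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def unseal(key: bytes, blob: tuple):
    """Return the plaintext, or None if the tag does not verify."""
    nonce, ciphertext, tag = blob
    enc_key = hashlib.sha256(key + b"enc").digest()
    mac_key = hashlib.sha256(key + b"mac").digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(enc_key, nonce, ciphertext)


class SignatureDeviceCache:
    """Hypothetical model of the two storage spaces and the random key."""

    def __init__(self, timeout_s: float = 30.0):
        self.timeout_s = timeout_s     # the "predetermined time" (assumed value)
        self.config_info = None        # storage space 1: configuration information
        self.sealed_plaintext = None   # storage space 2: may live in flash
        self.random_key = None         # volatile; never persisted
        self.last_seen = None          # time a card was last detected

    def expire(self, now: float) -> None:
        # No card detected within the predetermined time: clear the stored
        # encrypted cleartext information and delete the random key.
        if self.last_seen is not None and now - self.last_seen > self.timeout_s:
            self.sealed_plaintext = None
            self.random_key = None

    def card_detected(self, config_info: bytes, now: float) -> bool:
        """Step 103. Returns True if this configuration information was already stored."""
        self.expire(now)
        self.last_seen = now
        if self.config_info is not None and hmac.compare_digest(self.config_info, config_info):
            return True
        # Different card: clear both spaces so they always describe one card.
        self.sealed_plaintext = None
        self.random_key = None
        self.config_info = config_info
        return False

    def store_plaintext(self, config_info: bytes, plaintext: bytes) -> None:
        """Seal the cleartext returned by the background server under a fresh random key."""
        if self.config_info != config_info:
            raise ValueError("cleartext does not belong to the cached card")
        self.random_key = secrets.token_bytes(32)
        self.sealed_plaintext = seal(self.random_key, plaintext)

    def read_plaintext(self, config_info: bytes, now: float):
        """Second read: cleartext if same card and key still present, else None."""
        known = self.card_detected(config_info, now)
        if not known or self.sealed_plaintext is None or self.random_key is None:
            return None                # caller must run the full card reading process
        return unseal(self.random_key, self.sealed_plaintext)

    def power_off(self) -> None:
        # The key is deleted before power-off; the sealed blob may remain in
        # flash but can no longer be decrypted.
        self.random_key = None
```

Time is passed in as `now` so the timeout path can be exercised deterministically; a `None` result from `read_plaintext` corresponds to falling back to the full read through the background server and SAM module.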
With the identity card reading method provided by this embodiment, the card reader reads the configuration information of the identity card and stores it in the electronic signature equipment before receiving the card reading instruction. After receiving the card reading instruction, the card reader does not need to read the configuration information again; it only needs to read the encrypted identity card information stored in the identity card, which saves card reading time. In addition, the identity card cleartext information obtained through decryption by the background server is stored in the electronic signature equipment, so when handling a transaction requires the identity card information to be read multiple times, the encrypted identity card cleartext information can be obtained from the electronic signature equipment without repeated decryption by the background server, further reducing card reading time. Also, in this embodiment, the electronic signature equipment and the background server negotiate a transmission key and use the negotiated transmission key to encrypt information during the interaction, which ensures the security of the transmitted information.
Embodiment 2
Fig. 2 is the flow diagram of identity card card reading method provided in this embodiment, as shown in Fig. 2, the present embodiment provides Identity card card reading method mainly include the following steps that (201-211).
Step 201~205, identical as step 101~105 in embodiment 1, details are not described herein.
Step 206: card reader judges encryption identity card corresponding with configuration information whether is stored in electronic signature equipment Information;
In this embodiment, after receiving the card-reading instruction, the card reader judges whether encrypted identity card information corresponding to the configuration information is stored in the electronic signature equipment. If it is stored, step 207 is executed; if it is not stored, step 208 is executed.
In this embodiment, when judging whether encrypted identity card information corresponding to the configuration information is stored in the electronic signature equipment, the card reader can send a query request to the electronic signature equipment, requesting it to look up the encrypted identity card information corresponding to the configuration information that was read. If the electronic signature equipment finds the encrypted identity card information, it can return the encrypted identity card information, or it can merely notify the card reader that the encrypted identity card information was found; if it does not find it, it notifies the card reader that the encrypted identity card information is not stored. The specific form is not limited in this embodiment.
Step 207: the card reader obtains the encrypted identity card information from the electronic signature equipment;
In this embodiment, when the card reader judges that encrypted identity card information corresponding to the configuration information is stored in the electronic signature equipment, the card reader obtains from the electronic signature equipment the encrypted identity card information of the identity card corresponding to that configuration information.
Step 208: the card reader executes the card-reading process, reads the encrypted identity card information in the first resident identification card, stores the encrypted identity card information that was read in the electronic signature equipment, and associates it with the above configuration information; that is, the encrypted identity card information and the above configuration information are stored in association in the electronic signature equipment.
That is, in this embodiment the configuration information and the encrypted identity card information of an identity card are stored in association, so the electronic signature equipment can store the configuration information and encrypted identity card information of multiple resident identification cards at the same time.
In this embodiment, when the card reader judges that encrypted identity card information corresponding to the configuration information is not stored in the electronic signature equipment, the card reader needs to execute the card-reading process and read the encrypted identity card information stored in the first resident identification card. After reading the encrypted identity card information from the first resident identification card, the card reader stores it in the electronic signature equipment.
In this embodiment, the electronic signature equipment can store multiple pieces of configuration information. After the card reader reads the encrypted identity card information of the identity card, it needs to store that information in association with the configuration information read in step 202, so that the encrypted identity card information can be retrieved by its configuration information.
Steps 209-211 are identical to steps 107-109 in Embodiment 1 respectively and are not described again.
As an optional implementation of this embodiment, the encrypted identity card information stored in the electronic signature equipment comprises multiple data packets. In step 209, the electronic signature equipment separately encrypts the configuration information and each data packet of the encrypted identity card information to obtain multiple encrypted data packets, and sends the multiple encrypted data packets to the card reader. In step 210, the card reader sending the transmission ciphertext to the background server may include: the card reader sends the multiple encrypted data packets to the background server one after another. Storing the encrypted identity card information as multiple data packets makes fast retransmission possible when a later transmission goes wrong, without retransmitting all of the encrypted identity card information.
As an optional implementation of this embodiment, after receiving the transmission ciphertext sent by the card reader and decrypting each encrypted data packet with the second transmission key, the background server can further check whether the received encrypted identity card information is complete. If it is incomplete, the background server sends a retransmission instruction indicating which data packets need to be retransmitted. On receiving the retransmission instruction sent by the background server, the card reader indicates to the electronic signature equipment the data packets that need to be retransmitted; after receiving the indication, the electronic signature equipment encrypts those data packets with the first transmission key and returns the encrypted data packets to the card reader, and the card reader retransmits them to the background server. Specifically, when one or more data packets of the encrypted identity card information are transmitted to the background server in error, the background server sends a retransmission instruction to the card reader, and the retransmission instruction indicates the one or more data packets that need to be retransmitted. After receiving the retransmission instruction sent by the background server, the card reader indicates to the electronic signature equipment the one or more data packets that need to be retransmitted; the electronic signature equipment obtains the one or more data packets, encrypts them with the first transmission key, and returns the encrypted data packets to the card reader, and the card reader retransmits the encrypted data packets to the background server. Because the background server indicates through the retransmission instruction which data packets the card reader needs to retransmit, the card reader only has to retransmit those data packets to the background server, which saves identity card reading time.
As an optional implementation of this embodiment, after the card reader sends the configuration information and the encrypted identity card information to the background server, in order to guarantee the security of the resident identification card information, if the card reader does not detect the resident identification card within a predetermined time, it clears the configuration information and encrypted identity card information of the resident identification card stored in the electronic signature equipment. Specifically, the card reader can send out a card-seeking instruction at intervals. If, after the card reader has sent the configuration information and encrypted identity card information to the background server, it does not detect the resident identification card within the predetermined time, the resident identification card is no longer within the range the card reader can read, and the encrypted identity card information and configuration information stored in the electronic signature equipment are no longer needed. The card reader therefore clears the configuration information and encrypted identity card information of the resident identification card stored in the electronic signature equipment (the card reader can send a clear instruction to the electronic signature equipment, instructing it to clear the corresponding content). Detecting the resident identification card within a predetermined time and clearing the information stored in the electronic signature equipment saves storage space in the electronic signature equipment and guarantees the security of the resident identification card information.
Optionally, in this embodiment, the configuration information of the resident identification card and the encrypted identity card information can be stored in the electronic signature equipment as a cache. Because of how a cache behaves, the cached information is cleared automatically once the electronic signature equipment is powered off, which ensures the security of the resident identification card information.
Other matters not covered here are the same as in Embodiment 1 and are not described again.
With the identity card reading method provided by this embodiment, the configuration information of the identity card is read and stored in the electronic signature equipment before the card reader receives a card-reading instruction. After receiving the card-reading instruction, the card reader does not need to read the configuration information of the identity card again; it only needs to read the encrypted identity card information stored in the identity card, which saves card-reading time. In addition, the encrypted identity card information of the resident identification card is divided into multiple data packets and stored in the electronic signature equipment of the card reader, so that when the background server indicates through a retransmission instruction which data packets the card reader needs to retransmit, the card reader only has to retransmit those data packets to the background server, which further reduces identity card reading time.
Embodiment 3
Fig. 3 is a flow diagram of the identity card reading method provided by this embodiment. As shown in Fig. 3, the identity card reading method provided by this embodiment mainly includes the following steps (301-311).
Unlike Embodiment 2, in order to save storage space, in this embodiment the electronic signature equipment of the card reader stores the configuration information and encrypted identity card information of only one resident identification card.
Unlike Embodiment 2, in step 303 the card reader first deletes the configuration information and encrypted identity card information previously stored in the electronic signature equipment, and then stores the configuration information that was read in the electronic signature equipment. Specifically, when the card reader judges that the configuration information read in step 302 is not stored in the electronic signature equipment, the card reader first deletes the configuration information and encrypted identity card information previously stored in the electronic signature equipment (for example, it can send a delete instruction to the electronic signature equipment, instructing it to delete the previously stored configuration information and encrypted identity card information), and then stores the configuration information read in step 302 in the electronic signature equipment.
Unlike Embodiment 2, in step 308 the card reader executes the card-reading process, reads the encrypted identity card information in the first resident identification card, and stores the encrypted identity card information that was read in the electronic signature equipment. Specifically, when the card reader judges that the configuration information was not previously stored in the electronic signature equipment, the card reader needs to execute the card-reading process and read the encrypted identity card information stored in the first resident identification card; after reading the encrypted identity card information from the first resident identification card, the card reader stores it in the electronic signature equipment. Unlike Embodiment 2, because the electronic signature equipment stores the information of only one resident identification card, the electronic signature equipment does not need to store the configuration information read in step 302 in association with the encrypted identity card information stored in step 308.
Similarly to Embodiment 2, in this embodiment the encrypted identity card information stored in the electronic signature equipment comprises multiple data packets. In step 209, the electronic signature equipment separately encrypts the configuration information and each data packet of the encrypted identity card information to obtain multiple encrypted data packets, and sends the multiple encrypted data packets to the card reader. The card reader sending the transmission ciphertext to the background server may include: the card reader sends the multiple encrypted data packets to the background server one after another. Storing the encrypted identity card information as multiple data packets makes fast retransmission possible when a later transmission goes wrong, without retransmitting all of the encrypted identity card information.
As an optional implementation of this embodiment, after receiving the transmission ciphertext sent by the card reader and decrypting each encrypted data packet with the second transmission key, the background server can further check whether the received encrypted identity card information is complete. If it is incomplete, the background server sends a retransmission instruction indicating which data packets need to be retransmitted. On receiving the retransmission instruction sent by the background server, the card reader indicates to the electronic signature equipment the data packets that need to be retransmitted; after receiving the indication, the electronic signature equipment encrypts those data packets with the first transmission key and returns the encrypted data packets to the card reader, and the card reader retransmits them to the background server. Because the background server indicates through the retransmission instruction which data packets the card reader needs to retransmit, the card reader only has to retransmit those data packets to the background server, which saves identity card reading time.
In this embodiment, two storage spaces can be allocated in the electronic signature equipment: a configuration information storage space and an encrypted identity card storage space. The configuration information of a given resident identification card is stored in the configuration information storage space, and its encrypted identity card information is stored in the encrypted identity card storage space. When a resident identification card is detected, its configuration information is read first. If the configuration information of the resident identification card is not stored in the electronic signature equipment, the information stored in the configuration information storage space and the encrypted identity card storage space is cleared, and the configuration information currently read is stored in the configuration information storage space; later, when the card-reading process is executed and the encrypted identity card information has been read from the resident identification card, the encrypted identity card information is stored in the encrypted identity card storage space. If the configuration information of the resident identification card is already stored in the electronic signature equipment, then when a card-reading instruction is received, the encrypted identity card information is obtained directly from the encrypted identity card storage space of the electronic signature equipment. In this way, the security of the previously used resident identification card information is ensured and illegal use of resident identification card information is avoided.
Optionally, in this embodiment, the configuration information of the resident identification card and the encrypted identity card information can be stored in the electronic signature equipment as a cache. Because of how a cache behaves, the cached information is cleared automatically once the electronic signature equipment is powered off, which ensures the security of the resident identification card information.
With the identity card reading method provided by this embodiment, the configuration information of the identity card is read and stored in the electronic signature equipment before the card reader receives a card-reading instruction. After receiving the card-reading instruction, the card reader does not need to read the configuration information of the identity card again; it only needs to read the encrypted identity card information stored in the identity card, which saves card-reading time. In addition, before reading the encrypted identity card information stored in the identity card, the card reader judges whether encrypted identity card information corresponding to the configuration information is stored in the electronic signature equipment, which avoids repeatedly reading the encrypted identity card information from the identity card and speeds up card reading. In addition, because the encrypted identity card information is divided into multiple data packets, when the background server indicates through a retransmission instruction which data packets the card reader needs to retransmit, the card reader only has to retransmit those data packets to the background server, which further reduces identity card reading time. In addition, the electronic signature equipment only needs storage space for the configuration information and encrypted identity card information of one resident identification card, which saves storage space in the electronic signature equipment while ensuring the security of the resident identification card information.
Embodiment 4
This embodiment provides an identity card reading system.
Fig. 4 is an architecture diagram of the identity card reading system provided by this embodiment. As shown in Fig. 4, the identity card reading system mainly includes a card reader 400, electronic signature equipment 410 and a background server 420. In this embodiment, the card reader 100 is a card reader that is not provided with a SAM module.
In this embodiment, the card reader 400 is configured to receive the card-seeking response instruction returned by the first resident identification card, read the configuration information of the first resident identification card, query through an external interface whether the configuration information is stored in the electronic signature equipment 410, and, if the electronic signature equipment 410 does not store the configuration information, store the configuration information in the electronic signature equipment 410 through the external interface. The card reader 400 is further configured to receive a card-reading instruction and send a secure channel establishment request to the background server 420. The background server 420 is configured to negotiate with the electronic signature equipment 410 through the card reader 400 to obtain the second transmission key. The electronic signature equipment 410 is configured to negotiate with the background server 420 through the card reader 400 to obtain the first transmission key. The card reader 400 is further configured to obtain the encrypted identity card information stored in the resident identification card and send the encrypted identity card information to the electronic signature equipment 410. The electronic signature equipment 410 is further configured to encrypt the configuration information and the encrypted identity card information with the first transmission key to obtain a transmission ciphertext, and send the transmission ciphertext to the card reader 400. The card reader 400 is further configured to send the transmission ciphertext to the background server 420. The background server 420 is further configured to receive the transmission ciphertext and decrypt it with the second transmission key to obtain the configuration information and the encrypted identity card information.
With the identity card reading system provided by this embodiment, the card reader reads the configuration information of a resident identification card directly as soon as it detects that a resident identification card is within readable range. After receiving a card-reading instruction, it only has to obtain the encrypted identity card information stored in the resident identification card, without reading the configuration information again, which saves card-reading time and improves the user experience. Furthermore, in this embodiment a transmission key is negotiated between the electronic signature equipment and the background server, and during the exchange the transmitted data is encrypted with the negotiated transmission key, which further ensures the transmission security of the information.
In an optional implementation of the embodiment of the present invention, the background server 420 and the electronic signature equipment 410 obtain the second transmission key and the first transmission key in the following way. The background server 420 is configured to receive the secure channel establishment request, generate a first random factor, and send the first random factor to the electronic signature equipment 410 through the card reader 400. The electronic signature equipment 410 is configured to receive the first random factor, sign first data to be signed using the private key of the electronic signature equipment 410 to generate first signed data, and send first transmission data to the background server 420 through the card reader 400, where the first data to be signed includes at least the first random factor, and the first transmission data includes at least the first signed data and the digital certificate of the electronic signature equipment 410. The background server 420 is further configured to receive the first transmission data and verify the digital certificate of the electronic signature equipment 410; after the verification passes, it performs signature verification on the first signed data, and if the signature verification fails, the process ends. If the signature verification passes, it generates a second random factor, generates a third random factor based on the first random factor and the second random factor, encrypts the third random factor with the public key of the electronic signature equipment 410 to obtain encrypted data, signs the encrypted data with the private key of the background server 420 to obtain second signed data, calculates the second transmission key using the third random factor, and sends second transmission data to the electronic signature equipment 410 through the card reader 400, where the second transmission data includes the second signed data, the encrypted data, and the digital certificate of the background server 420. The electronic signature equipment 410 is further configured to receive the second transmission data and verify the digital certificate of the background server 420; after the verification passes, it performs signature verification on the second signed data, and if the signature verification passes, it decrypts the encrypted data with the private key of the electronic signature equipment 410 to obtain the third random factor and calculates the first transmission key using the third random factor.
With the transmission key negotiation scheme provided by this implementation, a secure channel can be established between the card reader and the background server, and the data transmitted in the secure channel is encrypted with the transmission key, which improves the security of data transmission. Moreover, after the card reader receives the first random factor sent by the background server, it immediately signs the first random factor with its own private key and returns the result to the server, so that the background server can receive the first authentication data returned by the card reader in the shortest possible time and authenticate it, which improves the efficiency with which the background server authenticates the card reader. As a result, at the initial stage of mutual authentication between the card reader and the background server, the background server determines whether the card reader is legitimate; if it is not, the process is ended immediately, so a replay attack is identified quickly and the connection with the illegitimate card reader is dropped, which prevents illegitimate transactions from occupying the background server's resources.
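The negotiation variant just described, modelled end to end in Node.js as an added example (it is not code from the patent). The certificate stand-in (a CA signature over name and public key), the derivation R3 = SHA-256(R1 || R2), the HMAC-based key derivation and all class and function names are assumptions, since the text leaves them unspecified.

```javascript
const crypto = require('crypto');

// Constructed stand-in for a digital certificate: the CA's signature over the
// subject name and public key. A real deployment would use X.509.
function newIdentity(subject, caPrivateKey) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const caSig = crypto.sign('sha256', Buffer.from(subject + pem), caPrivateKey);
  return { privateKey, cert: { subject, pem, caSig } };
}

function verifyCert(cert, caPublicKey) {
  return crypto.verify('sha256', Buffer.from(cert.subject + cert.pem), caPublicKey, cert.caSig);
}

// Assumptions (not fixed by the text): R3 = SHA-256(R1 || R2) and
// transmission key = HMAC-SHA256 keyed with R3 over a fixed label.
const deriveR3 = (r1, r2) => crypto.createHash('sha256').update(r1).update(r2).digest();
const deriveKey = (r3) => crypto.createHmac('sha256', r3).update('transmission-key').digest();

class BackgroundServer {
  constructor(identity, caPublicKey) { Object.assign(this, { identity, caPublicKey, r1: null }); }

  // On a secure-channel establishment request: issue a fresh first random factor R1.
  start() {
    this.r1 = crypto.randomBytes(16);
    return this.r1;
  }

  // Check the first transmission data, then build the second transmission data.
  finish(first) {
    const r1 = this.r1;
    this.r1 = null; // each R1 is usable once
    if (!r1) throw new Error('no negotiation in progress');
    if (!verifyCert(first.cert, this.caPublicKey)) throw new Error('device certificate rejected');
    // The signature must cover the R1 issued for this session, not an older one.
    if (!crypto.verify('sha256', r1, first.cert.pem, first.sig)) {
      throw new Error('signature check failed');
    }
    const r3 = deriveR3(r1, crypto.randomBytes(16)); // fresh second random factor R2
    const enc = crypto.publicEncrypt({ key: first.cert.pem, oaepHash: 'sha256' }, r3);
    this.transmissionKey = deriveKey(r3); // "second transmission key"
    return { enc, sig: crypto.sign('sha256', enc, this.identity.privateKey), cert: this.identity.cert };
  }
}

class SignatureEquipment {
  constructor(identity, caPublicKey) { Object.assign(this, { identity, caPublicKey }); }

  // First transmission data: signature over R1 plus the equipment's certificate.
  respond(r1) {
    return { sig: crypto.sign('sha256', r1, this.identity.privateKey), cert: this.identity.cert };
  }

  // Check the second transmission data and recover R3.
  complete(second) {
    if (!verifyCert(second.cert, this.caPublicKey)) throw new Error('server certificate rejected');
    if (!crypto.verify('sha256', second.enc, second.cert.pem, second.sig)) {
      throw new Error('signature check failed');
    }
    const r3 = crypto.privateDecrypt({ key: this.identity.privateKey, oaepHash: 'sha256' }, second.enc);
    this.transmissionKey = deriveKey(r3); // "first transmission key"
  }
}

function runNegotiation() {
  const ca = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const server = new BackgroundServer(newIdentity('background-server', ca.privateKey), ca.publicKey);
  const equipment = new SignatureEquipment(newIdentity('signature-equipment', ca.privateKey), ca.publicKey);

  const first = equipment.respond(server.start());
  equipment.complete(server.finish(first));
  const keysMatch = equipment.transmissionKey.equals(server.transmissionKey);

  // Replay: first transmission data captured above is presented in a new session.
  server.start();
  let replayError = null;
  try { server.finish(first); } catch (e) { replayError = e.message; }
  return { keysMatch, replayError };
}

console.log(runNegotiation());
```

The replayed response carries a valid certificate but a signature over the previous session's random factor, so the server stops before generating or encrypting anything.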
In an optional implementation of the embodiment of the present invention, the background server 420 and the electronic signature equipment 410 obtain the second transmission key and the first transmission key in the following way. The background server 420 is configured to receive the secure channel establishment request, generate a first random factor, and send first authentication data to the electronic signature equipment 410 through the card reader 400, where the first authentication data includes at least the first random factor and the digital certificate of the background server 420. The electronic signature equipment 410 is configured to receive the first authentication data and verify the digital certificate of the background server 420; after the verification passes, it generates a second random factor, encrypts the second random factor with the public key of the background server 420 to obtain first encrypted data, signs the first random factor and the first encrypted data to obtain first signed data, sends second authentication data to the background server 420 through the card reader 400, and calculates the first transmission key based on the second random factor, where the second authentication data includes the first signed data, the first encrypted data, and the digital certificate of the electronic signature equipment 410. The background server 420 is further configured to receive the second authentication data and verify the digital certificate of the electronic signature equipment 410; after the verification passes, it performs signature verification on the first signed data. If the signature verification passes, it decrypts the first encrypted data with the private key of the background server 420 to obtain the second random factor and calculates the second transmission key based on the second random factor; if the signature verification fails, the process ends.
In an optional implementation of the embodiment of the present invention, the card reader 400 obtains the encrypted identity card information stored in the resident identification card in the following way: it queries whether encrypted identity card information corresponding to the configuration information is stored in the electronic signature equipment 410; if it determines that the encrypted identity card information is stored in the electronic signature equipment 410, it reads the encrypted identity card information stored in the electronic signature equipment 410 through the external interface; if it determines that the encrypted identity card information is not stored in the electronic signature equipment 410, it executes the identity card reading process, reads the encrypted identity card information in the first resident identification card, stores the encrypted identity card information that was read in the electronic signature equipment 410 through the external interface, and associates it with the configuration information. With this optional implementation, the identity information of multiple resident identification cards can be stored in the electronic signature equipment 410 at the same time.
In an optional implementation of the embodiment of the present invention, when the electronic signature equipment 410 does not store the configuration information, the card reader 400 stores the configuration information in the electronic signature equipment 410 in the following way: through the external interface, it deletes the configuration information and encrypted identity card information stored in the electronic signature equipment 410 and stores the configuration information that was read in the electronic signature equipment 410. The card reader 400 obtains the encrypted identity card information stored in the resident identification card in the following way: it queries whether encrypted identity card information is stored in the electronic signature equipment 410; if it determines that encrypted identity card information is stored in the electronic signature equipment 410, it reads the encrypted identity card information stored in the electronic signature equipment 410 through the external interface; if it determines that no encrypted identity card information is stored in the electronic signature equipment 410, it executes the identity card reading process, reads the encrypted identity card information in the first resident identification card, and stores the encrypted identity card information that was read in the electronic signature equipment 410 through the external interface. With this optional implementation, the electronic signature equipment 410 stores the information of only one resident identification card, which saves storage space and improves the security of the identity card information.
In an optional implementation of the embodiment of the present invention, the encrypted identity card information stored in the electronic signature equipment 410 comprises multiple data packets. The electronic signature equipment 410 encrypts the configuration information and the encrypted identity card information, obtains the transmission ciphertext and sends the transmission ciphertext to the card reader 400 in the following way: it uses the first transmission key to separately encrypt the configuration information and each data packet of the encrypted identity card information, obtains multiple encrypted data packets, and sends the multiple encrypted data packets to the card reader 400. With this optional implementation, the encrypted identity card information is divided into multiple data packets for transmission to the background server, so when a retransmission instruction is received from the background server, the information stored in the resident identification card does not need to be read again, which saves card-reading time and improves the user experience.
In an optional implementation of the embodiment of the present invention, when it receives a retransmission instruction sent by the background server 420 that indicates the encrypted identity card information is to be retransmitted, the card reader 400 sends a request to the electronic signature equipment 410 for the data packets that the retransmission instruction indicates need to be retransmitted. The electronic signature equipment 410 obtains the data packets that the retransmission instruction indicates need to be retransmitted, encrypts them with the first transmission key, and sends the encrypted data packets to the card reader 400. The card reader 400 receives the encrypted data packets returned by the electronic signature equipment 410 and retransmits them to the background server 420. In this optional implementation, when retransmitting, the card reader 100 does not need to read the information stored in the resident identification card again; it only needs to obtain the data packets that need to be retransmitted from the electronic signature equipment, which saves steps and card-reading time and improves retransmission efficiency.
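The per-packet encryption and selective retransmission described here, and in the matching passages of Embodiments 2 and 3, as an added Node.js example (not code from the patent). AES-256-GCM, the 4-byte index/total header, the 64-byte packet size and all names are assumptions; the random 32-byte key stands in for the negotiated transmission key, and the card data is constructed.

```javascript
const crypto = require('crypto');

// Encrypt one item under the transmission key. The item's index and the total
// count are authenticated as AAD, so the receiver can rely on them once
// decryption succeeds. (Cipher and header layout are assumptions.)
function encryptItem(key, index, total, payload) {
  const header = Buffer.alloc(4);
  header.writeUInt16BE(index, 0);
  header.writeUInt16BE(total, 2);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(header);
  const body = Buffer.concat([cipher.update(payload), cipher.final()]);
  return { header, iv, body, tag: cipher.getAuthTag() };
}

function decryptItem(key, pkt) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, pkt.iv);
  decipher.setAAD(pkt.header);
  decipher.setAuthTag(pkt.tag);
  return Buffer.concat([decipher.update(pkt.body), decipher.final()]); // throws if altered
}

// Electronic signature equipment: caches item 0 (configuration information)
// followed by the encrypted identity card information as fixed-size packets.
class SignatureEquipment {
  constructor(key, configInfo, encryptedIdInfo, packetSize = 64) {
    this.key = key;
    this.items = [configInfo];
    for (let off = 0; off < encryptedIdInfo.length; off += packetSize) {
      this.items.push(encryptedIdInfo.subarray(off, off + packetSize));
    }
  }
  // Encrypt every item, or only the indices named in a retransmission instruction.
  encrypt(indices = this.items.map((_, i) => i)) {
    return indices.map((i) => encryptItem(this.key, i, this.items.length, this.items[i]));
  }
}

class BackgroundServer {
  constructor(key) { this.key = key; this.got = new Map(); this.total = null; }

  // Returns the retransmission instruction: the indices still missing.
  // An empty list means complete; undefined means "resend everything".
  receive(packets) {
    for (const pkt of packets) {
      try {
        const plain = decryptItem(this.key, pkt);
        this.total = pkt.header.readUInt16BE(2);
        this.got.set(pkt.header.readUInt16BE(0), plain);
      } catch (e) { /* failed authentication: treat the item as not received */ }
    }
    if (this.total === null) return undefined;
    const missing = [];
    for (let i = 0; i < this.total; i++) if (!this.got.has(i)) missing.push(i);
    return missing;
  }

  assemble() {
    const parts = [];
    for (let i = 1; i < this.total; i++) parts.push(this.got.get(i));
    return { configInfo: this.got.get(0), encryptedIdInfo: Buffer.concat(parts) };
  }
}

function simulateRetransmission() {
  const key = crypto.randomBytes(32);              // stand-in for the negotiated transmission key
  const configInfo = Buffer.from('constructed configuration information');
  const encryptedIdInfo = crypto.randomBytes(300); // constructed stand-in for the card's data
  const equipment = new SignatureEquipment(key, configInfo, encryptedIdInfo);
  const server = new BackgroundServer(key);

  const sent = equipment.encrypt();                // 1 configuration item + 5 data packets
  sent[3].body[0] ^= 0xff;                         // item 3 is corrupted in transit
  const arrived = sent.filter((_, i) => i !== 1);  // item 1 is lost in transit
  const missing = server.receive(arrived);
  const resent = equipment.encrypt(missing);       // only the named items, served from the cache
  const stillMissing = server.receive(resent);
  const out = server.assemble();
  return {
    totalItems: sent.length, missing, resentCount: resent.length, stillMissing,
    intact: out.configInfo.equals(configInfo) && out.encryptedIdInfo.equals(encryptedIdInfo),
  };
}

console.log(simulateRetransmission());
```

A corrupted packet fails authentication and is handled exactly like a lost one, so the retransmission instruction names both without the card being read again.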
In an optional implementation of the embodiment of the present invention, the card reader 400 is further configured to, after sending the configuration information and the encrypted identity card information to the background server 420, clear the configuration information and encrypted identity card information of the resident identification card stored in the electronic signature equipment 410 if no resident identification card is detected within a predetermined time. With this optional implementation, the information relating to the resident identification card stored in the electronic signature equipment 410 can be deleted promptly, which ensures the security of the information.
In an optional embodiment of the embodiment of the present invention, card reader 400 is also used to by configuration information and encryption ID card information is sent to after background server 420, obtains the identity card cleartext information encrypted from background server 420, The identity card cleartext information of encryption is sent to electronic signature equipment 410;Electronic signature equipment 410 is also used to using the first transmission The identity card cleartext information of key pair encryption is decrypted, and obtains identity card cleartext information, generates a random key, using with Machine key pair identity card cleartext information is encrypted, and encrypted identity card cleartext information is stored.By the optional embodiment, After the identity card cleartext information that platform server 110 returns after the acquisition of electronic signature equipment 410, by a random key to this Identity card cleartext information carries out encryption storage, it is subsequent need to read same resident identification card when, can be directly from electronic signature The identity card cleartext information is obtained in equipment 410, has saved card reading process, improves card reading efficiency.
In an optional embodiment of the embodiment of the present invention, card reader 400 is also used to receive the second residential identity The card seeking that card returns responds instruction, reads the configuration information of the second resident identification card, judges whether deposit in electronic signature equipment 410 The configuration information currently read is contained, the card reading instruction for the terminal being attached thereto is received, is judging in electronic signature equipment 410 In the case where being stored with the configuration information currently read, judge whether electronic signature equipment 410 is stored with encrypted identity card Cleartext information;In the case where being stored with encrypted identity card cleartext information in judging electronic signature equipment 410, from electronics label Name equipment 410 obtains identity card cleartext information.Electronics is first inquired when receiving card reading instruction by the optional embodiment Whether the identity card cleartext information of the resident identification card, no storage in the case where, Ke Yijin are stored in signature device 410 One step judges the encryption identity card information that the resident identification card whether is stored in electronic signature equipment 410, in the feelings that judgement has Under condition, the encryption identity card information is obtained from electronic signature equipment 410, if the encryption identity card information is not stored, then The encryption identity card information is read from resident identification card.And the residential identity is stored in judging electronic signature equipment 410 In the case where the identity card cleartext information of card, directly acquires the identity card cleartext information and export, so as to improve identity card Card reading efficiency, save the time.
In an optional embodiment of the embodiment of the present invention, card reader 400 is also used to by encrypted identity card After cleartext information storage is into electronic signature equipment 410, resident identification card is not detected in the given time, empties electronics The encrypted identity card cleartext information stored in signature device 410;And/or electronic signature equipment 410 is also used in card reader In the case that 400 do not detect that resident identification card or electronic signature equipment 410 execute before power-off operation in the given time, delete Except random key.
In an optional embodiment of the embodiment of the present invention, background server 420 performing the signature verification operation on the first signed data comprises: background server 420 performs the signature verification operation on the first signed data using the first random factor and the public key of electronic signature equipment 410 contained in the digital certificate of electronic signature equipment 410; electronic signature equipment 410 performing the signature verification operation on the second signed data comprises: electronic signature equipment 410 performs the signature verification operation on the second signed data using the encryption data and the public key of background server 420 contained in the digital certificate of background server 420.
In an optional embodiment of the embodiment of the present invention, the first data to be signed further includes the first identity of electronic signature equipment 410; the first transmission data further includes the second identity of electronic signature equipment 410.
In an optional embodiment of the embodiment of the present invention, the first identity of electronic signature equipment 410 includes the serial number of electronic signature equipment 410 and/or the certificate number of electronic signature equipment 410; the second identity of electronic signature equipment 410 includes the serial number of electronic signature equipment 410 and/or the certificate number of electronic signature equipment 410; and the serial number of electronic signature equipment 410 and the certificate number of electronic signature equipment 410 have a mapping relationship.
In an optional embodiment of the embodiment of the present invention, background server 420 performing the signature verification operation on the first signed data comprises: background server 420 performs the signature verification operation on the first signed data using the first random factor, the second identity, and the public key of electronic signature equipment 410 contained in the digital certificate of electronic signature equipment 410.
Embodiment 5
This embodiment provides a scheme in which a card reader and a server negotiate a transmission key during card reading. This embodiment mainly describes the process by which the electronic signature equipment negotiates the transmission key with the server; for the specific card reading process, refer to the above embodiments, which is not repeated here.
Fig. 5 is a flow diagram of the card reading process provided in this embodiment. As shown in Fig. 5, the scheme mainly includes the following steps (501-512).
Step 501, after a card reader not provided with a SAM module receives a card reading instruction, it sends a secure channel establishment request to the background server;
In an optional embodiment of the present embodiment, the card reader not provided with a SAM module may be an identity card reader not provided with a SAM module, used for reading identity card information; for ease of description it is hereinafter referred to as the card reader. The card reader may be connected to the background server in a wired manner or wirelessly; the card reader may also access a network device (such as a computer or mobile phone terminal) and establish a connection with the background server by transmission through the network device. This embodiment places no restriction on this. The card reading instruction may be an instruction input by the user and received by the card reader through its own input modules such as keys or a touch screen, or may be sent to the identity card reader by another device connected to the card reader (such as a computer or mobile phone terminal). In addition, the SAM module is a module provided in existing card readers; the SAM module is used only to perform identity verification on the identity card information read by the card reader.
Step 502, the background server receives the secure channel establishment request, generates the first random factor, and sends the first random factor to the card reader;
In an optional embodiment of the invention, the first random factor is one-time authentication data and may include a random number and/or a random event, without limitation here. The first random factor may be one random number or a string of random numbers, or one random character or a string of random characters, or any combination of a string of random numbers and random characters. The first random factor is randomly generated each time by the background server and differs from the first random factor generated the previous time, which prevents replay attacks and improves security.
Step 503, the card reader receives the first random factor and sends the first random factor to the electronic signature equipment;
The electronic signature equipment may be a device with identity authentication and digital signature functions, such as a USB key (for example Industrial and Commercial Bank U-shield or Agricultural Bank K-Bao), an audio key, or a smart card with an electronic signature function. In an optional embodiment of the invention, the electronic signature equipment may be connected to the card reader through a wired or wireless interface such as a USB interface, an audio interface, a Bluetooth interface or an NFC interface; this embodiment places no restriction on this. The card reader has no security chip, whereas the electronic signature equipment does. The security chip (such as the Z8D64U (state-cryptography lot number SSX43) or the Z32 (state-cryptography lot number SSX20) of Guoming Technology Co., Ltd) has its own independent processor and storage unit, can store the PKI digital certificate, keys and other characteristic data, performs encryption and decryption operations on data, and provides data encryption and identity security authentication services for the user, protecting business privacy and data security. Therefore, in this embodiment all data that requires encryption and decryption, signing, signature verification or digital certificate verification must pass through the electronic signature equipment, to guarantee the security of the interaction between the card reader and the background server.
Step 504, the electronic signature equipment receives the first random factor, signs the first data to be signed using the private key of the electronic signature equipment to generate the first signed data, and sends the first transmission data to the card reader, wherein the first data to be signed includes at least the first random factor, and the first transmission data includes at least the first signed data and the digital certificate of the electronic signature equipment;
In an optional embodiment of the present embodiment, the first data to be signed further includes the first identity of the electronic signature equipment, and the first transmission data further includes the second identity of the electronic signature equipment. Further, the first identity of the electronic signature equipment includes the electronic signature equipment serial number and/or the electronic signature equipment certificate number; the second identity of the electronic signature equipment includes the electronic signature equipment serial number and/or the electronic signature equipment certificate number; and the electronic signature equipment serial number and the electronic signature equipment certificate number have a mapping relationship. The background server stores the mapping relationship between the electronic signature equipment serial number and the electronic signature equipment certificate number; after the background server receives the electronic signature equipment serial number, it can obtain the electronic signature equipment certificate number by querying the mapping relationship between the two, and vice versa. From the electronic signature equipment serial number and/or the card reader certificate number, the background server can locate and identify the electronic signature equipment and obtain information such as its factory information, historical card reading information, historical error information, historical report information and historical transaction information, so that the background server can carry out risk management using the received electronic signature equipment serial number or electronic signature equipment certificate number.
Step 505, the card reader receives the first transmission data and sends the first transmission data to the background server;
In this embodiment, the card reader sends to the background server at least the digital certificate of the electronic signature equipment, which contains the public key of the electronic signature equipment, together with the first signed data, so that the background server can verify the legitimacy of the electronic signature equipment, which ensures the legitimacy and security of the transaction. After receiving the first random factor sent by the background server, the electronic signature equipment performs no operation other than signing at least the first random factor, so that the background server can receive the first transmission data returned by the card reader and authenticate it in the shortest possible time, which improves the efficiency with which the background server authenticates the electronic signature equipment.
Step 506, the background server receives the first transmission data and verifies the digital certificate of the electronic signature equipment; after that verification passes, it performs the signature verification operation on the first signed data, and if signature verification fails, the process ends;
In an optional embodiment of the present embodiment, the background server may use the root certificate to verify the received digital certificate of the electronic signature equipment, to prevent an illegitimate party from tampering with the public key of the electronic signature equipment; this realizes the security authentication of the electronic signature equipment and improves the security of the interaction between the two parties. The background server downloads the root certificate from the certification authority (Certificate Authority, CA for short); the root certificate is the basis on which the CA and the user establish a trust relationship. If verification passes, the subsequent flow continues; if verification fails, the process may be terminated at this point, and of course the process may also be terminated when signature verification fails.
In this embodiment, the flow runs from step 501, where the background server receives the secure channel establishment request and establishes a connection with the card reader, to step 506, where, if signature verification fails, the process ends and the background server disconnects from the card reader. This takes very little time: the background server can quickly determine that the signed data of the electronic signature equipment is wrong and release the connection channel with the card reader. Therefore, when the background server is under a replay attack in which a replay attack device masquerades as the card reader, it can quickly disconnect the channel with the replay attack device, which reduces the load that the replay attack places on the background server. In the prior art, the signature verification step that prevents replay attacks is placed in the middle, or even toward the end, of the overall process of establishing the secure channel and generating the transmission key, so the server cannot quickly determine whether it is under a replay attack: because the verification step comes late, even under repeated attack it cannot decide quickly and can only continue with the subsequent steps of generating the transmission key. In the present invention the signature verification step is at the very beginning of the whole process, so that as soon as the identity of the electronic signature equipment is found to be illegitimate, subsequent operations are terminated, the replay attack is quickly identified, and the connection with the illegitimate card reader is disconnected, which protects the background server.
In an optional embodiment of the present embodiment, the background server performing the signature verification operation on the first signed data comprises: the background server performs the signature verification operation on the first signed data using the first random factor and the public key of the electronic signature equipment contained in the digital certificate of the electronic signature equipment. Performing signature verification with the public key taken from the digital certificate of the electronic signature equipment ensures that the signature verification operation can be completed even when the background server has not pre-stored the digital certificate of the electronic signature equipment.
In an optional embodiment of the present embodiment, when the first data to be signed includes the first identity and the first transmission data includes the second identity, the background server performing the signature verification operation on the first signed data comprises: the background server performs the signature verification operation on the first signed data using the first random factor, the second identity, and the public key of the electronic signature equipment contained in the digital certificate of the electronic signature equipment. Including the first identity in the data to be signed makes the signature verification result more accurate and reliable; after the background server receives the second identity, it can also carry out risk control management according to the second identity.
Step 507, if signature verification passes, the background server generates the second random factor, generates the third random factor based on the first random factor and the second random factor, encrypts the third random factor using the public key of the electronic signature equipment to obtain the encryption data, signs the encryption data using the private key of the background server to obtain the second signed data, and sends the second transmission data to the card reader, wherein the second transmission data includes the second signed data, the encryption data and the digital certificate of the background server;
In this embodiment, the second random factor is one-time authentication data and may include a random number and/or a random event. The second random factor may be one random number or a string of random numbers, or one random character or a string of random characters, or any combination of a string of random numbers and random characters. After the background server generates the second random factor, the background server and the electronic signature equipment can each generate the third random factor from the first random factor and the second random factor using an algorithm negotiated in advance. There are many possible algorithms, and this embodiment places no restriction on the choice: for example a splicing algorithm, a difference algorithm or a slot algorithm. For example, suppose the first random factor and the second random factor are each of length N. Preferably, to improve the efficiency of generating the third random factor, the first random factor and the second random factor are spliced head to tail to generate a third random factor of length 2N; or the first X positions of the first random factor are spliced with the last Y positions of the second random factor to generate a third random factor of length X+Y, where 1≤X≤N and 1≤Y≤N. After the series of verifications in the subsequent steps, the background server and the electronic signature equipment can each use the third random factor to generate the transmission key with the same algorithm.
Step 508, the background server calculates the second transmission key using the third random factor;
In this embodiment, the background server can use the third random factor to generate the transmission key with the same algorithm as the electronic signature equipment side, so that the electronic signature equipment can, through the card reader, exchange information with the background server using the transmission key; the data in transit is encrypted and decrypted with the transmission key to guarantee the security of the transmitted data. Step 508 and the subsequent steps 509 to 511 may be performed in any order.
Step 509, the card reader receives the second transmission data and sends the second transmission data to the electronic signature equipment;
Step 510, the electronic signature equipment receives the second transmission data and verifies the digital certificate of the background server; after that verification passes, it performs the signature verification operation on the second signed data, and if signature verification passes, it decrypts the encryption data using the private key of the electronic signature equipment to obtain the third random factor;
In this embodiment, the electronic signature equipment may use the root certificate to verify the received digital certificate of the background server, to prevent an illegitimate party from tampering with the public key of the background server; this realizes the security authentication of the background server and improves the security of the interaction between the two parties. The electronic signature equipment downloads the root certificate from the certification authority (Certificate Authority, CA for short); the root certificate is the basis on which the CA and the user establish a trust relationship. If verification passes, the subsequent flow continues; if verification fails, the process ends. At that point the connection between the electronic signature equipment and the background server is disconnected and the electronic signature equipment sends no further data to the background server, so that the electronic signature equipment is not exposed to attack by an illegitimate background server.
In an optional embodiment of the present embodiment, the electronic signature equipment performing the signature verification operation on the second signed data comprises: the electronic signature equipment performs the signature verification operation on the second signed data using the encryption data and the public key of the background server contained in the digital certificate of the background server. Performing signature verification with the public key taken from the digital certificate of the background server ensures that the signature verification operation can be completed even when the electronic signature equipment has not pre-stored the digital certificate of the background server. Further, if signature verification of the second signed data fails, the process ends and the connection between the card reader and the background server is disconnected.
Step 511, the electronic signature equipment calculates the first transmission key using the third random factor;
In this embodiment, the electronic signature equipment can use the third random factor to generate the transmission key with the same algorithm as the background server side, so that the electronic signature equipment can, through the card reader, exchange information with the background server using the transmission key; the data in transit is encrypted and decrypted with the transmission key to guarantee the security of the transmitted data.
As an optional implementation of this embodiment, the first transmission key and the second transmission key may be the same transmission key, that is, a symmetric key, with which the card reader and the background server each encrypt and decrypt the transmitted data; or they may be a key pair comprising an encryption key and a decryption key, in which case the card reader and the background server each encrypt the transmitted data with the encryption key and decrypt the transmitted data with the decryption key.
Step 512, the electronic signature equipment uses the first transmission key to encrypt and decrypt the data transmitted between the card reader and the background server, and the background server uses the second transmission key to encrypt and decrypt the data transmitted between the card reader and the background server.
In this embodiment, data is transmitted between the electronic signature equipment and the background server under the transmission key, which improves the security of data transmission.
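The negotiation of steps 501 to 512 can be followed end to end in the Go sketch below, which is an added example and not code from the patent. It assumes RSA-PSS signatures, RSA-OAEP encryption, a SHA-256-based key derivation, the head-to-tail splice for the third random factor, and public keys that each side already trusts in place of digital certificate verification; all type and function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint: the electronic signature equipment or the background server.
// Assumption: peers' public keys are already trusted (stands in for steps 506/510 certificate checks).
type Party struct{ key *rsa.PrivateKey }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func NewParty() *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return &Party{k}
}

// Nonce returns a fresh 16-byte random factor.
func Nonce() []byte {
	b := make([]byte, 16)
	_, err := rand.Read(b)
	check(err)
	return b
}

func sign(p *Party, msg []byte) []byte {
	h := sha256.Sum256(msg)
	s, err := rsa.SignPSS(rand.Reader, p.key, crypto.SHA256, h[:], nil)
	check(err)
	return s
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// deriveKey is an assumed KDF; the patent only requires both sides to use the same one.
func deriveKey(r3 []byte) []byte {
	h := sha256.Sum256(append([]byte("transmission-key"), r3...))
	return h[:]
}

// ServerRespond is steps 506-508. The signature is checked against the R1 this server
// issued for this connection before any other work, so a stale signature ends the flow
// at once. Then R3 = R1 || R2 is encrypted to the device and the ciphertext is signed.
func ServerRespond(srv *Party, devPub *rsa.PublicKey, r1, sig1 []byte) (enc, sig2, key []byte, err error) {
	if !verify(devPub, r1, sig1) {
		return nil, nil, nil, errors.New("first signature does not cover this session's R1")
	}
	r3 := append(append([]byte{}, r1...), Nonce()...) // R2 is generated here (step 507)
	enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, r3, nil)
	check(err)
	return enc, sign(srv, enc), deriveKey(r3), nil
}

// DeviceFinish is steps 510-511: verify the signature over the ciphertext,
// decrypt R3 with the device private key, derive the first transmission key.
func DeviceFinish(dev *Party, srvPub *rsa.PublicKey, enc, sig2 []byte) ([]byte, error) {
	if !verify(srvPub, enc, sig2) {
		return nil, errors.New("second signature invalid")
	}
	r3, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, dev.key, enc, nil)
	if err != nil {
		return nil, err
	}
	return deriveKey(r3), nil
}

// RunSession plays one negotiation and also returns the device's first signature.
func RunSession(srv, dev *Party) (k1, k2, sig1 []byte, err error) {
	r1 := Nonce()        // step 502
	sig1 = sign(dev, r1) // step 504
	enc, sig2, k2, err := ServerRespond(srv, &dev.key.PublicKey, r1, sig1)
	if err != nil {
		return nil, nil, nil, err
	}
	k1, err = DeviceFinish(dev, &srv.key.PublicKey, enc, sig2)
	return k1, k2, sig1, err
}

func main() {
	srv, dev := NewParty(), NewParty()
	k1, k2, oldSig, err := RunSession(srv, dev)
	fmt.Println("keys match:", err == nil && bytes.Equal(k1, k2))
	_, _, _, err = ServerRespond(srv, &dev.key.PublicKey, Nonce(), oldSig)
	fmt.Println("stale signature in a new session:", err)
}
```

The second call in `main` presents a signature from the finished session against a freshly issued first random factor; the server rejects it in its first check, before generating or encrypting anything, which is the early-termination property the embodiment describes for step 506.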
Embodiment 6
This embodiment provides a scheme in which a card reader and a server negotiate a transmission key during card reading. This embodiment mainly describes the process by which the card reader negotiates the transmission key with the server; for the specific card reading process, refer to the above embodiments, which is not repeated here.
Fig. 6 is a flow diagram of the card reading process provided in this embodiment. As shown in Fig. 6, the scheme mainly includes the following steps (601-616).
Step 601: a card reader not provided with a SAM (identity card verification security control) module receives a card reading instruction and sends a secure channel establishment request to the background server;
In this embodiment, the card reader not provided with a SAM module may be an identity card reader not provided with a SAM module, used for reading identity card information; for ease of description it is hereinafter referred to as the card reader. The card reader may have an input device for receiving the card reading instruction, such as keys or a touch screen; when the user inputs a card reading instruction, the card reader receives it. The card reader may also have an external communication interface that is connected to a terminal and receives the card reading instruction sent by the terminal. The terminal may be a device capable of communicating and sending instructions, such as a PC, a PAD (tablet computer), a smartphone, a smart wearable device, or electronic signature equipment (for example Industrial and Commercial Bank U-shield or Agricultural Bank K-Bao). In addition, the SAM module is a module provided in existing card readers; the SAM module is used only to perform identity verification on the identity card information read by the card reader.
Step 602: after the background server receives the secure channel establishment request, it generates the first random factor;
In this embodiment, the first random factor is one-time authentication data and may include a random number and/or a random event, without limitation here. The first random factor may be one random number or a string of random numbers, or one random character or a string of random characters, or any combination of a string of random numbers and random characters. The first random factor is randomly generated each time by the background server and differs from the first random factor generated the previous time, which prevents replay attacks and improves security.
Step 603: the background server sends the first authentication data to the card reader, wherein the first authentication data includes at least the first random factor and the digital certificate of the background server;
Step 604: after the card reader receives the first authentication data, it sends the first authentication data to the electronic signature equipment;
The card reader has no security chip, whereas the electronic signature equipment does. The security chip (such as the Z8D64U (state-cryptography lot number SSX43) or the Z32 (state-cryptography lot number SSX20) of Guoming Technology Co., Ltd) has its own independent processor and storage unit, can store the PKI digital certificate, keys and other characteristic data, performs encryption and decryption operations on data, and provides data encryption and identity security authentication services for the user, protecting business privacy and data security. Therefore, in this embodiment all data that requires encryption and decryption, signing, signature verification or digital certificate verification must pass through the electronic signature equipment, to guarantee the security of the interaction between the card reader and the background server. In an optional embodiment of the invention, the electronic signature equipment may be connected to the card reader through a wired or wireless interface such as a USB interface, an audio interface, a Bluetooth interface or an NFC interface; this embodiment places no restriction on this.
In this embodiment, the card reader sends the digital certificate of the background server to the electronic signature equipment so that the electronic signature equipment can verify the digital certificate and confirm whether the certificate of the background server is legitimate. The first random factor is sent to the electronic signature equipment so that the electronic signature equipment signs the first random factor; the background server then verifies the signature against that first random factor, which lets the background server confirm that the identity of the electronic signature equipment is secure and prevents replay attacks.
Step 605: after the electronic signature equipment receives the first authentication data, it verifies the legitimacy of the digital certificate of the background server; if verification passes, step 606 is performed, otherwise the process ends;
In a specific implementation, the electronic signature equipment may use the root certificate to verify the received digital certificate of the background server, to prevent an illegitimate party from tampering with the public key of the background server; this realizes the security authentication of the background server and improves the security of the interaction between the two parties. The electronic signature equipment downloads the root certificate from the certification authority (Certificate Authority, CA for short); the root certificate is the basis on which the CA and the user establish a trust relationship. If verification passes, the subsequent flow continues; if verification fails, the process ends. At that point the connection between the background server and the card reader and electronic signature equipment is disconnected and the card reader sends no further data to the background server, so that the card reader is not exposed to attack by an illegitimate background server.
Step 606: after verification passes, the electronic signature equipment generates the second random factor;
In this embodiment, the second random factor is one-time authentication data and may include a random number and/or a random event. The second random factor may be one random number or a string of random numbers, or one random character or a string of random characters, or any combination of a string of random numbers and random characters.
After the series of verifications in the subsequent steps, the background server and the electronic signature equipment can each use the second random factor to generate the transmission key with the same algorithm.
Step 607: the electronic signature equipment encrypts the second random factor using the public key of the background server contained in the digital certificate of the background server, generating the first encryption data E1;
In this embodiment, the electronic signature equipment and the background server each calculate the transmission key from the second random factor. Encrypting the second random factor therefore ensures that it is not stolen, which protects the second random factor while the electronic signature equipment transmits it to the background server and in turn guarantees the security and reliability of the transmission key generated by the electronic signature equipment and the background server.
Step 608: the electronic signature equipment signs the first random factor and the first encryption data, generating the first signed data;
In this embodiment, the card reader signs after combining the first random factor and the first encryption data, which makes the signature verification result more accurate and reliable.
Step 609: the electronic signature equipment sends the second authentication data to the card reader, wherein the second authentication data includes at least the first encryption data, the first signed data and the digital certificate of the electronic signature equipment;
In this embodiment, the electronic signature equipment sends its digital certificate to the background server through the card reader so that the background server can verify the digital certificate and confirm whether the certificate of the electronic signature equipment is legitimate. The first encryption data is sent to the background server so that the background server can use the first encryption data to verify the first signed data and confirm that the identity of the electronic signature equipment is secure.
Step 610: after receiving the second authentication data, the card reader sends the second authentication data to the background server;
Step 611: the background server receives the second authentication data and verifies the legitimacy of the digital certificate of the electronic signature equipment;
In a specific implementation, the background server can use a root certificate to verify the received digital certificate of the electronic signature equipment. This prevents an illegitimate party from tampering with the public key of the electronic signature equipment, achieves security authentication of the electronic signature equipment, and improves the security of the interaction between the two parties. The background server downloads the root certificate from a certificate authority (Certificate Authority, CA for short); the root certificate is the basis on which the CA and the user establish a trust relationship. If the verification passes, the subsequent flow continues; if the verification fails, the flow is terminated. At that point the connection between the background server and the card reader and electronic signature equipment is broken, and the background server sends no further data to the card reader, so that the background server is not exposed to attack by an illegitimate card reader or illegitimate electronic signature equipment.
Step 612: after the verification passes, the background server verifies the first signed data; if the signature verification fails, the flow is terminated; if the signature verification passes, step 613 is executed;
In the present embodiment, the background server verifying the first signed data includes: the background server verifies the first signed data using the first encryption data and the public key of the electronic signature equipment contained in the digital certificate of the electronic signature equipment. The specific signature verification method is prior art and is not described again here.
In the present embodiment, if the signature verification passes, this shows that the first signed data was signed by the electronic signature equipment, which further achieves security authentication of the electronic signature equipment. If the signature verification fails, the flow is terminated; at that point the connection between the background server and the card reader and electronic signature equipment is broken, and the background server sends no further data to the card reader, so that the background server is not exposed to attack by an illegitimate card reader or illegitimate electronic signature equipment.
Step 613: the background server decrypts the first encryption data using the private key of the background server, obtaining the second random factor;
Step 614: the background server calculates the second transmission key based on the second random factor;
In the present embodiment, the background server can use the second random factor to generate a transmission key with the same algorithm as the electronic signature equipment side, so that the background server and the card reader can exchange information using the transmission key: data in transit is encrypted and decrypted with the transmission key, which guarantees the security of the transmitted data.
Step 615: the electronic signature equipment calculates the first transmission key based on the second random factor;
In the present embodiment, the electronic signature equipment can use the second random factor to generate a transmission key with the same algorithm as the background server side, so that the background server and the card reader can exchange information using the transmission key: data in transit is encrypted and decrypted with the transmission key, which guarantees the security of the transmitted data. Step 615 and steps 609 to 614 may be performed in any order.
As an optional implementation of the present embodiment, the first transmission key and the second transmission key may be the same transmission key, i.e. a symmetric key, with which the electronic signature equipment and the background server each encrypt and decrypt the transmitted data; or they may be a key pair consisting of an encryption key and a decryption key, in which case the electronic signature equipment and the background server can each use the encryption key to encrypt transmitted data and the decryption key to decrypt transmitted data.
Step 616: the electronic signature equipment uses the first transmission key to encrypt and decrypt the data transmitted between the card reader and the background server, and the background server uses the second transmission key to encrypt and decrypt the data transmitted between the card reader and the background server.
With the method for secure transmission of identity card information provided by this embodiment, the electronic signature equipment can be used to establish a secure channel between the card reader and the background server, and the data transmitted in the secure channel is encrypted with the transmission key, improving the security of data transmission.
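The exchange of steps 607 to 615, as an added Go example that is not part of the patent text: RSA-OAEP, RSA-PSS, SHA-256 and the HMAC-based key derivation are assumptions (the description names no algorithms), and certificate validation (step 611) is assumed to have already yielded each peer's public key. It shows both sides deriving the same transmission key, and the background server rejecting a modified E1 and a response replayed against a fresh first random factor.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthData is the second authentication data of step 609 minus the certificate:
// step 611 is assumed to have passed and yielded the public keys used below.
type AuthData struct {
	E1 []byte // first encryption data: R2 under the server public key
	S1 []byte // first signed data: signature over R1 || E1
}

var ErrSignTest = errors.New("signature verification failed, flow terminated")

// deriveKey stands in for the unspecified shared algorithm of steps 614/615.
// HMAC-SHA256 keyed with R2 over a fixed label is an assumption.
func deriveKey(r2 []byte) []byte {
	m := hmac.New(sha256.New, r2)
	m.Write([]byte("transport-key-v1")) // constructed label
	return m.Sum(nil)
}

// digest hashes R1 || E1; R1 is always 32 bytes, so the split is unambiguous.
func digest(r1, e1 []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, r1...), e1...))
	return d[:]
}

// DeviceRespond runs steps 607, 608 and 615 on the electronic signature equipment.
func DeviceRespond(dev *rsa.PrivateKey, srvPub *rsa.PublicKey, r1 []byte) (AuthData, []byte, error) {
	r2 := make([]byte, 32) // second random factor
	if _, err := rand.Read(r2); err != nil {
		return AuthData{}, nil, err
	}
	e1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, srvPub, r2, nil)
	if err != nil {
		return AuthData{}, nil, err
	}
	s1, err := rsa.SignPSS(rand.Reader, dev, crypto.SHA256, digest(r1, e1), nil)
	if err != nil {
		return AuthData{}, nil, err
	}
	return AuthData{E1: e1, S1: s1}, deriveKey(r2), nil
}

// ServerFinish runs steps 612 to 614 on the background server.
func ServerFinish(srv *rsa.PrivateKey, devPub *rsa.PublicKey, r1 []byte, a AuthData) ([]byte, error) {
	// Step 612 first: unauthenticated ciphertext never reaches the private key.
	if rsa.VerifyPSS(devPub, crypto.SHA256, digest(r1, a.E1), a.S1, nil) != nil {
		return nil, ErrSignTest
	}
	r2, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, srv, a.E1, nil)
	if err != nil {
		return nil, err
	}
	return deriveKey(r2), nil
}

// Demo runs one honest exchange and two constructed failure cases.
func Demo() (match, tamperRejected, replayRejected bool, err error) {
	srv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	dev, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	r1, r1Next := make([]byte, 32), make([]byte, 32) // first random factors
	rand.Read(r1)
	rand.Read(r1Next)
	auth, k1, err := DeviceRespond(dev, &srv.PublicKey, r1)
	if err != nil {
		return
	}
	k2, err := ServerFinish(srv, &dev.PublicKey, r1, auth)
	match = err == nil && bytes.Equal(k1, k2)
	// A relay such as the card reader flips one bit of E1 in transit.
	bad := AuthData{E1: append([]byte(nil), auth.E1...), S1: auth.S1}
	bad.E1[0] ^= 0x01
	_, e := ServerFinish(srv, &dev.PublicKey, r1, bad)
	tamperRejected = errors.Is(e, ErrSignTest)
	// A recorded response is replayed against a fresh first random factor.
	_, e = ServerFinish(srv, &dev.PublicKey, r1Next, auth)
	replayRejected = errors.Is(e, ErrSignTest)
	return
}

func main() {
	fmt.Println(Demo()) // true true true <nil>
}
```

Binding the signature to the server's first random factor is what makes the replay case fail; a signature over E1 alone would still catch tampering but would accept a recorded response.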
Any process or method description in a flow chart or otherwise described herein may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
Those of ordinary skill in the art will understand that all or part of the steps carried by the above embodiment methods can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; those of ordinary skill in the art can make changes, modifications, replacements and variations to the above embodiments within the scope of the present invention without departing from its principle and purpose. The scope of the present invention is defined by the appended claims and their equivalents.

Claims (30)

1. An identity card reading method, characterized in that the method comprises:
A card reader not provided with a security control SAM module receives the card-seeking response instruction returned by a first resident identification card, wherein the information stored in the first resident identification card includes: the configuration information of the first resident identification card, stored in cleartext, and encryption identity card information, stored in ciphertext;
The card reader reads the configuration information of the first resident identification card, wherein the configuration information of the first resident identification card includes: the serial number of the first resident identification card, application data used to indicate information about the applications provided in the first resident identification card, and the transport protocol used by the first resident identification card;
The card reader queries, through an external interface, whether the configuration information is stored in electronic signature equipment and, in the case where the electronic signature equipment does not store the configuration information, stores the configuration information into the electronic signature equipment through the external interface;
The card reader receives a card reading instruction and sends a secure channel establishment request to a background server;
The background server negotiates with the electronic signature equipment through the card reader; the electronic signature equipment obtains a first transmission key and the background server obtains a second transmission key;
The card reader obtains the encryption identity card information stored in the resident identification card and sends the encryption identity card information to the electronic signature equipment;
The electronic signature equipment encrypts the configuration information and the encryption identity card information using the first transmission key to obtain a transmission ciphertext, and sends the transmission ciphertext to the card reader;
The card reader sends the transmission ciphertext to the background server;
The background server receives the transmission ciphertext and decrypts the transmission ciphertext using the second transmission key, obtaining the configuration information and the encryption identity card information;
The background server sends the configuration information and the encryption identity card information to a SAM module;
The SAM module decodes the encryption identity card information according to the configuration information to obtain the identity card cleartext information of the first resident identification card, and returns the identity card cleartext information to the background server.
2. The method according to claim 1, characterized in that the background server negotiating with the electronic signature equipment through the card reader, the electronic signature equipment obtaining the first transmission key and the background server obtaining the second transmission key, comprises:
The card reader sends a secure channel establishment request to the background server;
The background server receives the secure channel establishment request, generates a first random factor, and sends the first random factor to the card reader;
The card reader receives the first random factor and sends the first random factor to the electronic signature equipment;
The electronic signature equipment receives the first random factor, signs first data to be signed using the private key of the electronic signature equipment to generate first signed data, and sends first sending data to the card reader, wherein the first data to be signed at least includes the first random factor, and the first sending data at least includes the first signed data and the digital certificate of the electronic signature equipment;
The card reader receives the first sending data and sends the first sending data to the background server;
The background server receives the first sending data and verifies the digital certificate of the electronic signature equipment; after the verification passes, it performs a signature verification operation on the first signed data and, if the signature verification fails, terminates the flow;
If the signature verification passes, the background server generates a second random factor, generates a third random factor based on the first random factor and the second random factor, encrypts the third random factor using the public key of the electronic signature equipment to obtain encryption data, signs the encryption data using the private key of the background server to obtain second signed data, calculates the second transmission key using the third random factor, and sends second transmission data to the card reader, wherein the second transmission data includes the second signed data, the encryption data and the digital certificate of the background server;
The card reader receives the second transmission data and sends the second transmission data to the electronic signature equipment;
The electronic signature equipment receives the second transmission data and verifies the digital certificate of the background server; after the verification passes, it performs a signature verification operation on the second signed data and, if the signature verification passes, decrypts the encryption data using the private key of the electronic signature equipment to obtain the third random factor, and calculates the first transmission key using the third random factor.
3. The method according to claim 1, characterized in that the background server negotiating with the electronic signature equipment through the card reader, the electronic signature equipment obtaining the first transmission key and the background server obtaining the second transmission key, comprises:
The card reader sends a secure channel establishment request to the background server;
The background server receives the secure channel establishment request, generates a first random factor, and sends first authentication data to the card reader, wherein the first authentication data at least includes: the first random factor and the digital certificate of the background server;
After receiving the first authentication data, the card reader sends the first authentication data to the electronic signature equipment;
The electronic signature equipment receives the first authentication data and verifies the digital certificate of the background server; after the verification passes, it generates a second random factor, encrypts the second random factor using the public key of the background server to obtain first encryption data, signs the first random factor and the first encryption data to obtain first signed data, sends second authentication data to the card reader, and calculates the first transmission key based on the second random factor, wherein the second authentication data includes the first signed data, the first encryption data and the digital certificate of the electronic signature equipment;
After receiving the second authentication data, the card reader sends the second authentication data to the background server;
The background server receives the second authentication data and verifies the digital certificate of the electronic signature equipment; after the verification passes, it verifies the first signed data; if the signature verification passes, it decrypts the first encryption data using the private key of the background server to obtain the second random factor; if the signature verification fails, it terminates the flow;
The background server calculates the second transmission key based on the second random factor.
4. The method according to claim 1, characterized in that the card reader obtaining the encryption identity card information stored in the resident identification card includes:
The card reader queries whether encryption identity card information corresponding to the configuration information is stored in the electronic signature equipment;
In the case where it is determined that the encryption identity card information is stored in the electronic signature equipment, the card reader reads the encryption identity card information stored in the electronic signature equipment through the external interface;
In the case where it is determined that the encryption identity card information is not stored in the electronic signature equipment, the card reader executes the identity card reading process, reads the encryption identity card information in the first resident identification card, stores the read encryption identity card information into the electronic signature equipment through the external interface, and associates it with the configuration information.
5. The method according to claim 1, characterized in that:
In the case where the electronic signature equipment does not store the configuration information, storing the configuration information into the electronic signature equipment through the external interface includes: the card reader deletes, through the external interface, the configuration information and encryption identity card information stored in the electronic signature equipment, and stores the read configuration information into the electronic signature equipment;
The card reader obtaining the encryption identity card information stored in the resident identification card includes:
The card reader queries whether encryption identity card information is stored in the electronic signature equipment;
In the case where it is determined that the encryption identity card information is stored in the electronic signature equipment, the card reader reads the encryption identity card information stored in the electronic signature equipment through the external interface;
In the case where it is determined that the encryption identity card information is not stored in the electronic signature equipment, the card reader executes the identity card reading process, reads the encryption identity card information in the first resident identification card, and stores the read encryption identity card information into the electronic signature equipment through the external interface.
6. The method according to claim 4 or 5, characterized in that:
The encryption identity card information stored in the electronic signature equipment includes multiple data packets;
The electronic signature equipment encrypting the configuration information and the encryption identity card information using the first transmission key to obtain a transmission ciphertext, and sending the transmission ciphertext to the card reader, includes: the electronic signature equipment uses the first transmission key to encrypt the configuration information and each data packet of the encryption identity card information respectively, obtaining multiple encrypted data packets, and sends the multiple encrypted data packets to the card reader.
7. The method according to claim 6, characterized in that the method further includes:
When receiving a retransmission instruction, sent by the background server, instructing retransmission of the encryption identity card information, the card reader sends a request to the electronic signature equipment for the data packets that the retransmission instruction indicates need to be retransmitted;
The electronic signature equipment obtains the data packets that the retransmission instruction indicates need to be retransmitted, encrypts those data packets using the first transmission key, and sends the encrypted data packets to the card reader;
The card reader receives the encrypted data packets to be retransmitted returned by the electronic signature equipment, and retransmits them to the background server.
8. The method according to any one of claims 1 to 5, characterized in that, after the card reader sends the configuration information and the encryption identity card information to the background server, the method further includes:
The card reader, when it does not detect a resident identification card within a predetermined time, clears the configuration information and encryption identity card information of the resident identification card stored in the electronic signature equipment.
9. The method according to any one of claims 1 to 5, characterized in that, after the card reader sends the configuration information and the encryption identity card information to the background server, the method further includes:
The card reader obtains the encrypted identity card cleartext information from the background server;
The card reader sends the encrypted identity card cleartext information to the electronic signature equipment;
The electronic signature equipment decrypts the encrypted identity card cleartext information using the first transmission key, obtaining the identity card cleartext information;
The electronic signature equipment generates a random key;
The electronic signature equipment encrypts the identity card cleartext information using the random key;
The electronic signature equipment stores the encrypted identity card cleartext information.
10. The method according to claim 9, characterized in that, after the electronic signature equipment stores the encrypted identity card cleartext information, the method further includes:
The card reader receives the card-seeking response instruction returned by a second resident identification card;
The card reader reads the configuration information of the second resident identification card;
The card reader judges whether the currently read configuration information is stored in the electronic signature equipment;
The card reader receives a card reading instruction from the terminal connected to it;
In the case where it is judged that the currently read configuration information is stored in the electronic signature equipment, it is judged whether the electronic signature equipment stores the encrypted identity card cleartext information;
In the case where it is judged that the encrypted identity card cleartext information is stored in the electronic signature equipment, the identity card cleartext information is obtained from the electronic signature equipment.
11. The method according to claim 9, characterized in that, after the electronic signature equipment stores the encrypted identity card cleartext information into the electronic signature equipment, the method further includes:
The card reader, when it does not detect a resident identification card within a predetermined time, clears the encrypted identity card cleartext information stored in the electronic signature equipment; and/or
In the case where the card reader does not detect a resident identification card within the predetermined time, or before the electronic signature equipment executes a power-off operation, the electronic signature equipment deletes the random key.
12. The method according to claim 2, characterized in that:
The background server performing a signature verification operation on the first signed data includes:
The background server performs the signature verification operation on the first signed data using the first random factor and the public key of the electronic signature equipment in the digital certificate of the electronic signature equipment;
The electronic signature equipment performing a signature verification operation on the second signed data includes:
The electronic signature equipment performs the signature verification operation on the second signed data using the encryption data and the public key of the background server in the digital certificate of the background server.
13. The method according to claim 2, characterized in that:
The first data to be signed further includes: a first identity of the electronic signature equipment; the first sending data further includes: a second identity of the electronic signature equipment.
14. The method according to claim 13, characterized in that:
The first identity of the electronic signature equipment includes: an electronic signature equipment serial number and/or an electronic signature equipment certificate number; the second identity of the electronic signature equipment includes: the electronic signature equipment serial number and/or the electronic signature equipment certificate number; and the electronic signature equipment serial number and the electronic signature equipment certificate number have a mapping relationship.
15. The method according to claim 13 or 14, characterized in that:
The background server performing a signature verification operation on the first signed data includes:
The background server performs the signature verification operation on the first signed data using the first random factor, the second identity and the public key of the electronic signature equipment in the digital certificate of the electronic signature equipment.
16. An identity card reading system, characterized in that the system comprises:
A card reader not provided with a security control SAM module, configured to receive the card-seeking response instruction returned by a first resident identification card, read the configuration information of the first resident identification card, then query through an external interface whether the configuration information is stored in electronic signature equipment and, in the case where the electronic signature equipment does not store the configuration information, store the configuration information into the electronic signature equipment through the external interface, wherein the information stored in the first resident identification card includes: the configuration information of the first resident identification card, stored in cleartext, and encryption identity card information, stored in ciphertext, and the configuration information of the first resident identification card includes: the serial number of the first resident identification card, application data used to indicate information about the applications provided in the first resident identification card, and the transport protocol used by the first resident identification card;
The card reader is further configured to receive a card reading instruction and send a secure channel establishment request to a background server;
The background server is configured to negotiate with the electronic signature equipment through the card reader to obtain a second transmission key;
The electronic signature equipment is configured to negotiate with the background server through the card reader to obtain a first transmission key;
The card reader is further configured to obtain the encryption identity card information stored in the resident identification card and send the encryption identity card information to the electronic signature equipment;
The electronic signature equipment is further configured to encrypt the configuration information and the encryption identity card information using the first transmission key to obtain a transmission ciphertext, and send the transmission ciphertext to the card reader;
The card reader is further configured to send the transmission ciphertext to the background server;
The background server is further configured to receive the transmission ciphertext and decrypt the transmission ciphertext using the second transmission key, obtaining the configuration information and the encryption identity card information;
The background server is further configured to send the configuration information and the encryption identity card information to a SAM module;
The SAM module is configured to decode the encryption identity card information according to the configuration information to obtain the identity card cleartext information of the first resident identification card, and return the identity card cleartext information to the background server.
17. The system according to claim 16, characterized in that the background server and the electronic signature equipment obtain the second transmission key and the first transmission key in the following manner:
The background server is configured to receive the secure channel establishment request, generate a first random factor, and send the first random factor to the electronic signature equipment through the card reader;
The electronic signature equipment is configured to receive the first random factor, sign first data to be signed using the private key of the electronic signature equipment to generate first signed data, and send first sending data to the background server through the card reader, wherein the first data to be signed at least includes the first random factor, and the first sending data at least includes the first signed data and the digital certificate of the electronic signature equipment;
The background server is further configured to receive the first sending data and verify the digital certificate of the electronic signature equipment; after the verification passes, to perform a signature verification operation on the first signed data and, if the signature verification fails, terminate the flow; if the signature verification passes, to generate a second random factor, generate a third random factor based on the first random factor and the second random factor, encrypt the third random factor using the public key of the electronic signature equipment to obtain encryption data, sign the encryption data using the private key of the background server to obtain second signed data, calculate the second transmission key using the third random factor, and send second transmission data to the electronic signature equipment through the card reader, wherein the second transmission data includes the second signed data, the encryption data and the digital certificate of the background server;
The electronic signature equipment is further configured to receive the second transmission data and verify the digital certificate of the background server; after the verification passes, to perform a signature verification operation on the second signed data and, if the signature verification passes, decrypt the encryption data using the private key of the electronic signature equipment to obtain the third random factor, and calculate the first transmission key using the third random factor.
18. The system according to claim 17, characterized in that the background server and the electronic signature equipment obtain the second transmission key and the first transmission key in the following manner:
The background server is configured to receive the secure channel establishment request, generate a first random factor, and send first authentication data to the electronic signature equipment through the card reader, wherein the first authentication data at least includes: the first random factor and the digital certificate of the background server;
The electronic signature equipment is configured to receive the first authentication data and verify the digital certificate of the background server; after the verification passes, to generate a second random factor, encrypt the second random factor using the public key of the background server to obtain first encryption data, sign the first random factor and the first encryption data to obtain first signed data, send second authentication data to the background server through the card reader, and calculate the first transmission key based on the second random factor, wherein the second authentication data includes the first signed data, the first encryption data and the digital certificate of the electronic signature equipment;
The background server is further configured to receive the second authentication data and verify the digital certificate of the electronic signature equipment; after the verification passes, to verify the first signed data; if the signature verification passes, to decrypt the first encryption data using the private key of the background server to obtain the second random factor and calculate the second transmission key based on the second random factor; if the signature verification fails, to terminate the flow.
19. The system according to claim 16, characterized in that the card reader obtains the encryption identity card information stored in the resident identification card in the following manner:
Querying whether encryption identity card information corresponding to the configuration information is stored in the electronic signature equipment;
In the case where it is determined that the encryption identity card information is stored in the electronic signature equipment, reading the encryption identity card information stored in the electronic signature equipment through the external interface;
In the case where it is determined that the encryption identity card information is not stored in the electronic signature equipment, executing the identity card reading process, reading the encryption identity card information in the first resident identification card, storing the read encryption identity card information into the electronic signature equipment through the external interface, and associating it with the configuration information.
20. The system according to claim 16, characterized in that
In the case where the electronic signature equipment does not store the configuration information, the card reader stores the configuration information into the electronic signature equipment in the following manner: deleting, through the external interface, the configuration information and encryption identity card information stored in the electronic signature equipment, and storing the read configuration information into the electronic signature equipment;
The card reader obtains the encryption identity card information stored in the resident identification card in the following manner:
Querying whether encryption identity card information is stored in the electronic signature equipment;
In the case where it is determined that the encryption identity card information is stored in the electronic signature equipment, reading the encryption identity card information stored in the electronic signature equipment through the external interface;
In the case where it is determined that the encryption identity card information is not stored in the electronic signature equipment, executing the card reading process of the identity card, reading the encryption identity card information in the first resident identification card, and storing the read encryption identity card information into the electronic signature equipment through the external interface.
21. The system according to claim 19 or 20, characterized in that
The encryption identity card information stored in the electronic signature equipment includes multiple data packets;
The electronic signature equipment encrypts the configuration information and the encryption identity card information to obtain the transmission ciphertext, and sends the transmission ciphertext to the card reader, in the following manner: using the first transmission key to encrypt the configuration information and each data packet of the encryption identity card information respectively, obtaining multiple encrypted packets, and sending the multiple encrypted packets to the card reader.
22. The system according to claim 21, characterized in that
When a retransmission instruction sent by the background server and instructing retransmission of the encryption identity card information is received, the card reader sends a request to the electronic signature equipment, requesting the data packet that the retransmission instruction indicates needs to be retransmitted;
The electronic signature equipment obtains the data packet that the retransmission instruction indicates needs to be retransmitted, encrypts that data packet using the first transmission key, and sends the encrypted data packet to the card reader;
The card reader receives the encrypted data packet to be retransmitted returned by the electronic signature equipment, and retransmits it to the background server.
23. The system according to any one of claims 16 to 20, characterized in that the card reader is further configured to, after the configuration information and the encryption identity card information are sent to the background server, empty the configuration information and encryption identity card information of the resident identification card stored in the electronic signature equipment if no resident identification card is detected within a predetermined time.
24. The system according to any one of claims 16 to 20, characterized in that
The card reader is further configured to, after the configuration information and the encryption identity card information are sent to the background server, obtain the encrypted identity card cleartext information from the background server, and send the encrypted identity card cleartext information to the electronic signature equipment;
The electronic signature equipment is further configured to decrypt the encrypted identity card cleartext information using the first transmission key to obtain the identity card cleartext information, generate a random key, encrypt the identity card cleartext information using the random key, and store the encrypted identity card cleartext information.
25. The system according to claim 24, characterized in that
The card reader is further configured to receive the card seeking response instruction returned by a second resident identification card, read the configuration information of the second resident identification card, judge whether the currently read configuration information is stored in the electronic signature equipment, receive the card reading instruction of the terminal connected to the card reader, and, in the case where it is judged that the currently read configuration information is stored in the electronic signature equipment, judge whether the electronic signature equipment stores the encrypted identity card cleartext information; in the case where it is judged that the encrypted identity card cleartext information is stored in the electronic signature equipment, to obtain the identity card cleartext information from the electronic signature equipment.
26. The system according to claim 25, characterized in that
The card reader is further configured to, after the encrypted identity card cleartext information is stored into the electronic signature equipment, empty the encrypted identity card cleartext information stored in the electronic signature equipment if no resident identification card is detected within a predetermined time; and/or
The electronic signature equipment is further configured to delete the random key in the case where the card reader does not detect a resident identification card within a predetermined time, or before the electronic signature equipment executes a power-off operation.
27. The system according to claim 17, characterized in that
The background server performing the signature verification operation on the first signed data comprises:
The background server performs the signature verification operation on the first signed data using the first random factor and the public key of the electronic signature equipment in the digital certificate of the electronic signature equipment;
The electronic signature equipment performing the signature verification operation on the second signed data comprises:
The electronic signature equipment performs the signature verification operation on the second signed data using the encryption data and the public key of the background server in the digital certificate of the background server.
28. The system according to claim 17, characterized in that
The first data to be signed further includes: a first identity of the electronic signature equipment; the first send data further includes: a second identity of the electronic signature equipment.
29. The system according to claim 28, characterized in that
The first identity of the electronic signature equipment includes: an electronic signature equipment serial number and/or an electronic signature equipment certificate number; the second identity of the electronic signature equipment includes: the electronic signature equipment serial number and/or the electronic signature equipment certificate number; and the electronic signature equipment serial number and the electronic signature equipment certificate number have a mapping relationship.
30. The system according to claim 28 or 29, characterized in that
The background server performing the signature verification operation on the first signed data comprises:
The background server performs the signature verification operation on the first signed data using the first random factor, the second identity, and the public key of the electronic signature equipment in the digital certificate of the electronic signature equipment.
CN201510765066.4A 2015-11-10 2015-11-10 Identity card card reading method and system Active CN106027249B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510765066.4A CN106027249B (en) 2015-11-10 2015-11-10 Identity card card reading method and system

Publications (2)

Publication Number Publication Date
CN106027249A CN106027249A (en) 2016-10-12
CN106027249B true CN106027249B (en) 2019-09-06

Family

ID=57082600

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510765066.4A Active CN106027249B (en) 2015-11-10 2015-11-10 Identity card card reading method and system

Country Status (1)

Country Link
CN (1) CN106027249B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108075887A (en) * 2016-11-15 2018-05-25 北京维森科技有限公司 For method, cloud platform, user equipment and the system of CPU card encryption certification
CN106652134A (en) * 2016-12-19 2017-05-10 北京公共交通控股(集团)有限公司 Vehicle identification and control system and method of bus station
CN107404478B (en) * 2017-07-21 2020-09-25 金联汇通信息技术有限公司 eID coding query method, system and corresponding server thereof
CN107809432A (en) * 2017-11-06 2018-03-16 广州市森锐科技股份有限公司 A kind of acquisition of ID card information and anti-tamper system and method
CN109101821A (en) * 2018-06-26 2018-12-28 上海常仁信息科技有限公司 A kind of robot ID card information acquisition system and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618115A (en) * 2015-01-27 2015-05-13 李明 Identity card information obtaining method and system
CN104636777A (en) * 2015-01-15 2015-05-20 李明 Identity card information obtaining system
CN104639538A (en) * 2015-01-15 2015-05-20 李明 Identity card information obtaining method and system
CN104820814A (en) * 2015-05-07 2015-08-05 熊小军 Second-generation ID card anti-counterfeiting verification system
CN104966035A (en) * 2015-05-20 2015-10-07 李明 Identity card information acquiring method, device, and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"华视CVR-100U/D身份证阅读器使用手册";bj520042;《http://jz.docin.com/p-1338133128.html》;20151029;第6页倒数第1段,第8页倒数第4段

Also Published As

Publication number Publication date
CN106027249A (en) 2016-10-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant