CN106027252A - Cloud authentication platform in identity card authentication system - Google Patents
Publication number: CN106027252A
Application number: CN201610041100.8A
Authority: CN (China)
Prior art keywords: key, double secret key, secret key, pki, certification
Legal status: Granted
Classifications
- H04L63/0823—Network architectures or network communication protocols for network security; authentication of entities using certificates
- H04L63/0807—Network architectures or network communication protocols for network security; authentication of entities using tickets, e.g. Kerberos
- H04L67/10—Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
Abstract
The invention provides a cloud authentication platform in an identity card authentication system. The cloud authentication platform comprises a communication module, which receives first transmission data sent by an identity card reading terminal, sends second transmission data to the identity card reading terminal, receives third transmission data sent by the identity card reading terminal, and sends fourth transmission data to the identity card reading terminal. The cloud authentication platform also comprises an authentication security control module, which verifies the first signature information with the public key of a first key pair; generates a session key; encrypts the session key with the public key of a second key pair to obtain a first encrypted session key; signs the first encrypted session key with the private key of a third key pair to obtain second signature information; decrypts the third transmission data with the session key to obtain an identity card ciphertext, decrypts the identity card ciphertext to obtain an identity card plaintext, and encrypts the identity card plaintext with the session key to obtain the fourth transmission data.
Description
Technical field
The present invention relates to the field of identity card authentication, and in particular to a cloud authentication platform in an identity card authentication system.
Background technology
In the prior art, a reader for second-generation resident identity cards has at least two modules: a card-reading module and a SAM (Secure Access Module, resident identity card verification security control) module. The identity card information read by the card-reading module is entirely ciphertext, and only the resident identity card verification security control module can decrypt that ciphertext to complete the reading of the identity card. This security control module is a dedicated product specified by the Ministry of Public Security and is expensive, so to save cost the verification security control module is usually deployed separately from the card-reading module and several card readers share one security control module. In such a scheme, how keys are to be used so that the security of the identity card reading process is guaranteed is a technical problem that urgently needs to be solved.
Summary of the invention
The present invention aims to solve at least one of the above problems: keys are used in the identity card authentication system by a cloud authentication platform, which ensures the reliability of the keys in the identity card authentication system and the security of the identity information during the identity card reading process.
To this end the present invention provides a cloud authentication platform in an identity card authentication system.
To achieve the above purpose, the technical scheme of the present invention is specifically realized as follows:
One aspect of the present invention provides a cloud authentication platform in an identity card authentication system, comprising:
A communication module, configured to receive first transmission data sent by the identity card reading terminal, where the first transmission data comprises at least the public key certificate of the second key pair, the public key certificate of the first key pair, first encrypted information and first signature information; the first encrypted information is obtained by the identity card reading terminal encrypting session key request information with the public key of the first key pair, and the first signature information is obtained by the identity card reading terminal signing the first encrypted information with the private key of the first key pair; to send second transmission data to the identity card reading terminal, where the second transmission data comprises at least the public key certificate of the third key pair, the first encrypted session key and the second signature information; to receive third transmission data sent by the identity card reading terminal, where the third transmission data is obtained by the identity card reading terminal encrypting, with the session key, the identity card ciphertext it has read; and to send fourth transmission data to the identity card reading terminal;
An authentication security control module, configured to obtain the public key of the first key pair from the public key certificate of the first key pair and verify the first signature information with that public key; if the verification succeeds, to decrypt the first encrypted information with the authentication decryption key to obtain second information; to generate a session key; to obtain the public key of the second key pair from the public key certificate of the second key pair and encrypt the session key with that public key to obtain the first encrypted session key; to sign the first encrypted session key with the private key of the third key pair to obtain the second signature information; to decrypt the third transmission data with the session key to obtain the identity card ciphertext, decrypt the identity card ciphertext to obtain the identity card plaintext, and encrypt the identity card plaintext with the session key to obtain the fourth transmission data.
In addition, the cloud authentication platform further comprises an acquisition module;
The acquisition module is configured to obtain user identification information and the verification result of that user identification information; if the verification result is correct, the communication module receives the first transmission data sent by the identity card reading terminal.
In addition, the cloud authentication platform further comprises an authority control module;
Before the communication module receives the first transmission data sent by the identity card reading terminal, the authority control module obtains the maximum number of uses of the user identification information used this time and the current number of uses of that user identification information;
The authority control module judges whether the current number of uses of the user identification information used this time is less than its maximum number of uses, and if so, the communication module receives the first transmission data sent by the identity card reading terminal.
In addition, the cloud authentication platform further comprises an authority control module;
When the authentication security control module is about to use the public key of the first key pair, the authority control module obtains the usage mode information of the public key of the first key pair used this time and the attribute information of that public key;
The authority control module judges whether the usage mode information of the public key of the first key pair used this time is consistent with the attribute information of that public key, and if so, the authentication security control module uses the public key of the first key pair.
In addition, the cloud authentication platform further comprises a RAM module;
Before the authentication security control module uses the public key of the first key pair, the authority control module stores the public key of the first key pair used this time in the RAM module;
After the authentication security control module has used the public key of the first key pair, the authority control module removes the public key of the first key pair used this time from the RAM module.
In addition, the cloud authentication platform further comprises a database module and an authorization module;
The authentication security control module applies to the database module for the authentication decryption key;
The database module issues an encrypted authentication decryption key to the authentication security control module;
The authentication security control module applies to the authorization module for a decryption key used to decrypt the encrypted authentication decryption key;
The authentication security control module decrypts the encrypted authentication decryption key with that decryption key to obtain the authentication decryption key.
In addition, the cloud authentication platform further comprises an authority control module;
When the authentication security control module is about to use the authentication decryption key, the authority control module obtains the usage mode information of the authentication decryption key used this time and the attribute information of that authentication decryption key;
The authority control module judges whether the usage mode information of the authentication decryption key used this time is consistent with the attribute information of the authentication decryption key, and if so, the authentication security control module uses the authentication decryption key.
In addition, the cloud authentication platform further comprises a RAM module;
Before the authentication security control module uses the authentication decryption key, the authority control module stores the authentication decryption key used this time in the RAM module;
After the authentication security control module has used the authentication decryption key, the authority control module removes the authentication decryption key used this time from the RAM module.
In addition, the cloud authentication platform further comprises an authority control module;
When the authentication security control module is about to use the public key of the second key pair, the authority control module obtains the usage mode information of the public key of the second key pair used this time and the attribute information of that public key;
The authority control module judges whether the usage mode information of the public key of the second key pair used this time is consistent with the attribute information of that public key, and if so, the authentication security control module uses the public key of the second key pair.
In addition, the cloud authentication platform further comprises a RAM module;
Before the authentication security control module uses the public key of the second key pair, the authority control module stores the public key of the second key pair used this time in the RAM module;
After the authentication security control module has used the public key of the second key pair, the authority control module removes the public key of the second key pair used this time from the RAM module.
In addition, the cloud authentication platform further comprises an authority control module;
When the authentication security control module is about to use the private key of the third key pair, the authority control module obtains the usage mode information of the private key of the third key pair used this time and the attribute information of that private key;
The authority control module judges whether the usage mode information of the private key of the third key pair used this time is consistent with the attribute information of that private key, and if so, the authentication security control module uses the private key of the third key pair.
In addition, the cloud authentication platform further comprises a RAM module;
Before the authentication security control module uses the private key of the third key pair, the authority control module stores the private key of the third key pair used this time in the RAM module;
After the authentication security control module has used the private key of the third key pair, the authority control module removes the private key of the third key pair used this time from the RAM module.
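The usage-mode check against a key's attribute, the per-user use counter and the load-into-RAM-then-remove lifecycle described above, modelled as an added example in Go (not code from the patent or from any product implementing it). All type and function names are the editor's own, the key and user values are constructed, and the RAM module is modelled as a map of buffers that are zeroed when the approved use ends.

```go
package main

import (
	"errors"
	"fmt"
)

// KeyUse is both the usage mode a caller declares when asking for a key and the
// attribute a key carries: the one operation it was issued for.
type KeyUse string

const (
	UseVerify  KeyUse = "verify"  // e.g. public key of key pair 1
	UseDecrypt KeyUse = "decrypt" // e.g. authentication decryption key
	UseEncrypt KeyUse = "encrypt" // e.g. public key of key pair 2
	UseSign    KeyUse = "sign"    // e.g. private key of key pair 3
)

var (
	ErrUnknownKey    = errors.New("unknown key")
	ErrModeMismatch  = errors.New("declared usage mode is inconsistent with key attribute")
	ErrUserExhausted = errors.New("user identification information reached its maximum number of uses")
)

type keyRecord struct {
	attribute KeyUse
	material  []byte // kept outside the RAM module until a use is approved
}

type userRecord struct{ used, maxUses int }

// AuthorityControl models the authority control module together with the RAM
// module into which it loads a key for the duration of one approved use.
type AuthorityControl struct {
	keys  map[string]*keyRecord
	users map[string]*userRecord
	ram   map[string][]byte
}

func NewAuthorityControl() *AuthorityControl {
	return &AuthorityControl{keys: map[string]*keyRecord{}, users: map[string]*userRecord{}, ram: map[string][]byte{}}
}

func (a *AuthorityControl) RegisterKey(id string, attr KeyUse, material []byte) {
	a.keys[id] = &keyRecord{attribute: attr, material: material}
}

func (a *AuthorityControl) RegisterUser(userInfo string, maxUses int) {
	a.users[userInfo] = &userRecord{maxUses: maxUses}
}

// AdmitUser is the check made before the first transmission data is accepted:
// the current use count must be below the maximum, and admission consumes one use.
func (a *AuthorityControl) AdmitUser(userInfo string) error {
	u, ok := a.users[userInfo]
	if !ok {
		return errors.New("unknown user identification information")
	}
	if u.used >= u.maxUses {
		return ErrUserExhausted
	}
	u.used++
	return nil
}

// UseKey gates one use of a key: the declared mode must equal the key's attribute,
// the key is copied into the RAM module only while op runs, and the copy is
// zeroed and removed afterwards whatever op returns.
func (a *AuthorityControl) UseKey(id string, mode KeyUse, op func(key []byte) error) error {
	rec, ok := a.keys[id]
	if !ok {
		return ErrUnknownKey
	}
	if rec.attribute != mode {
		return ErrModeMismatch
	}
	buf := append([]byte(nil), rec.material...)
	a.ram[id] = buf
	defer func() {
		for i := range buf {
			buf[i] = 0
		}
		delete(a.ram, id)
	}()
	return op(buf)
}

// Loaded reports whether a key currently sits in the RAM module.
func (a *AuthorityControl) Loaded(id string) bool {
	_, ok := a.ram[id]
	return ok
}

func main() {
	ac := NewAuthorityControl()
	ac.RegisterKey("keypair3-private", UseSign, []byte("constructed signing key bytes"))
	fmt.Println("decrypt with a signing key:", ac.UseKey("keypair3-private", UseDecrypt, func([]byte) error { return nil }))
}
```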
Another aspect of the present invention provides an identity card cloud authentication system, comprising the above identity card reading terminal and the above cloud authentication platform.
In the cloud authentication platform in an identity card authentication system provided by the present invention, keys are used by the cloud authentication platform, which ensures the reliability of the keys in the identity card authentication system and the security of the identity information during the identity card reading process. Further, during the use of a key, authority control is applied to the key, so that the usage mode of the key is checked and the proper use of the key is ensured.
Brief description of the drawings
In order to illustrate the technical scheme of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a schematic flow chart of the cloud authentication platform in the identity card authentication system of Embodiment 1 of the present invention using keys;
Fig. 2 is a schematic structural diagram of the cloud authentication platform in the identity card authentication system of Embodiment 1 of the present invention;
Fig. 3 is an optional schematic structural diagram of the cloud authentication platform in the identity card authentication system of Embodiment 1 of the present invention.
Detailed description of the invention
The technical scheme in the embodiments of the present invention is described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention rather than all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the protection scope of the present invention.
In the description of the present invention, it should be understood that terms indicating orientation or positional relationship, such as "center", "longitudinal", "lateral", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer", are based on the orientation or positional relationship shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be construed as limiting the present invention. In addition, the terms "first" and "second" are used only for descriptive purposes and are not to be construed as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that unless otherwise clearly specified and limited, the terms "install", "connected" and "connect" are to be understood broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary, or an internal connection between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific circumstances.
The present invention is described below with reference to the drawings and embodiments.
Embodiment 1
This embodiment provides a method by which the cloud authentication platform in the identity card authentication system uses keys. Fig. 1 is a schematic flow chart of the cloud authentication platform in the identity card authentication system using keys; as shown in Fig. 1, the method comprises the following steps (S101 to S108):
S101: the cloud authentication platform receives the first transmission data, where the first transmission data comprises at least the public key certificate of the second key pair, the public key certificate of the first key pair, first encrypted information and first signature information; the first encrypted information is obtained by the identity card reading terminal encrypting session key request information with the public key of the first key pair, and the first signature information is obtained by the identity card reading terminal signing the first encrypted information with the private key of the first key pair. The cloud authentication platform obtains the public key of the first key pair from the public key certificate of the first key pair and verifies the first signature information with that public key; if the verification succeeds, the cloud authentication platform decrypts the first encrypted information with the authentication decryption key to obtain the second information;
In this embodiment, the cloud authentication platform is originally a verification platform that supports verification of identity card information and authenticates the identity card information sent by the identity card reading terminal. That is, the cloud authentication platform comprises a resident identity card verification security control module and needs to authenticate second-generation identity card information. In a specific implementation, the cloud authentication platform may be a computer, for example a tablet computer, desktop computer, notebook computer or large server; this is not limited in the embodiments of the present invention.
In this embodiment, since the public key of the first key pair is the verification key and the private key is the signing key, the identity card reading terminal signs the first encrypted information to be sent to the cloud authentication platform with the private key of the first key pair to obtain the first signature information, and carries the first signature information in the first transmission data sent to the cloud authentication platform. After the cloud authentication platform receives the first transmission data, it obtains the public key of the first key pair from the public key certificate of the first key pair and verifies the first signature information with that public key. If the verification succeeds, this shows that the first signature information was indeed sent by the identity card reading terminal to the cloud authentication platform and was not tampered with in transit, so the cloud authentication platform has verified the identity of the identity card reading terminal. Therefore, if the verification succeeds, the cloud authentication platform decrypts the first encrypted information with the authentication decryption key to obtain the second information.
In an optional implementation of this embodiment, before the cloud authentication platform decrypts the first encrypted information with the authentication decryption key to obtain the second information, it first needs to obtain the authentication decryption key. Preferably, the public key of the first key pair is a symmetric key: the identity card reading terminal and the cloud authentication platform both obtain the same symmetric algorithm from the data server of the cloud authentication platform and generate the public key of the first key pair with it.
In a specific implementation, the database server of the cloud authentication platform stores the algorithm that generates the public key of the first key pair. When the cloud authentication platform applies to its database server for the authentication decryption key, the database of the cloud authentication platform issues it the ciphertext of an authentication decryption key, where this authentication decryption key corresponds to the public key of the first key pair applied for by the identity card reading terminal. To obtain the plaintext of the authentication decryption key, the cloud authentication platform applies to its authorization server for an authorization decryption key, which is used to decrypt the ciphertext of the authentication decryption key. The authorization server of the cloud authentication platform judges the usage mode of the authentication decryption key and, if it passes authentication, issues an authorization decryption key to the cloud authentication platform. The cloud authentication platform decrypts the ciphertext of the authentication decryption key with the authorization decryption key to obtain the plaintext of the authentication decryption key, and thus obtains the authentication decryption key.
Through this optional implementation, the cloud authentication platform can obtain the authentication decryption key only after authorization by the authorization server, which prevents illegal use of the key algorithm in the database of the cloud authentication platform.
S102: the cloud authentication platform generates a session key;
In this embodiment, the cloud authentication platform may call a random number interface to obtain a random number of a preset length as the session key. The preset length of this random number may be 16 bytes or another length; for example, if the RC4 encryption algorithm is used it may be 1 to 256 bytes. Preferably, the RC4 encryption algorithm is used. Data is transmitted between the identity card reading terminal and the cloud authentication platform under the session key, which ensures the security of the data transmission link.
S103: the cloud authentication platform obtains the public key of the second key pair from the public key certificate of the second key pair and encrypts the session key with that public key to obtain the first encrypted session key;
In this embodiment, since the public key of the second key pair is the encryption key and the private key is the decryption key, the cloud authentication platform obtains the public key of the second key pair from the public key certificate of the second key pair and encrypts the session key with that public key to obtain the first encrypted session key. After the identity card reading terminal receives the first encrypted session key, it decrypts the first encrypted session key with the private key of the second key pair to obtain the session key. This prevents the session key from being compromised while the cloud authentication platform transmits it to the identity card reading terminal, and thus ensures that the session key received by the identity card reading terminal is secure.
S104: the cloud authentication platform signs the first encrypted session key with the private key of the third key pair to obtain the second signature information;
In this embodiment, the third key pair is an asymmetric key pair comprising the public key of the third key pair and the private key of the third key pair; the public key of the third key pair is the verification key and the private key is the signing key. In a specific implementation, the cloud authentication platform signs the first encrypted session key to be sent to the identity card reading terminal with the private key of the third key pair to obtain the second signature information. After the identity card reading terminal receives the second signature information, it verifies the second signature information with the public key of the third key pair; if the verification succeeds, this shows that the second signature information was indeed sent by the cloud authentication platform to the identity card reading terminal and was not tampered with in transit, so the identity card reading terminal has verified the identity of the cloud authentication platform.
In an optional implementation of this embodiment, before the cloud authentication platform uses the private key of the third key pair, it first needs to obtain the third key pair. In a specific implementation, the cloud authentication platform may obtain the third key pair from outside or generate the third key pair internally. To ensure that the third key pair obtained by the cloud authentication platform is secure, it is preferred that the cloud authentication platform generates the third key pair internally. In this optional implementation, because the cloud authentication platform generates the third key pair internally, the private key of the third key pair cannot be exported, while the public key of the third key pair can be carried in a public key certificate and exported; internal generation by the cloud authentication platform thus ensures that the private key cannot be leaked and guarantees the security of the third key pair.
Second transmission data are sent to identity card card-reading terminal by S105: cloud authentication platform, and wherein, second transfers data to few bag
Include the public key certificate of the 3rd double secret key, the first encryption session key, the second signing messages;
In an optional embodiment of the present embodiment, the second transmission data are sent to identity card card-reading terminal by cloud authentication platform,
Need first to obtain the public key certificate of the 3rd double secret key.In specific implementation process, the certificate that cloud authentication platform obtains is all by numeral
Certificate server is signed and issued, and digital certificate server is usually certificate visa-granting office, and certificate visa-granting office is according to the letter of visa-granting office
Breath, the public key information of user, the signature of authority office and effect duration etc. generate the public key certificate of user.
In a specific implementation, if the cloud authentication platform generates the third key pair internally, then to obtain the public key certificate of the third key pair the cloud authentication platform sends the public key of the third key pair to the digital certificate server; the digital certificate server performs the certificate issuing operation on that public key using the issuing authority's information, the public key information of the third key pair, the authority's signature and the validity period, generates the public key certificate of the third key pair and sends it to the cloud authentication platform. If the cloud authentication platform obtains the third key pair from outside, it obtains the already generated public key certificate of the third key pair together with the key pair.
In this optional embodiment, by obtaining the public key certificate of the third key pair, the cloud authentication platform can send that certificate to the identity card reading terminal, so that the terminal uses the public key of the third key pair to verify the signature on the information it receives and thereby confirms the identity of the cloud authentication platform.
S106: the cloud authentication platform receives the third transmission data sent by the identity card reading terminal, where the third transmission data are obtained by the terminal encrypting, with the session key, the identity card ciphertext that the terminal has read.
In this embodiment, once the session key has been confirmed between the identity card reading terminal and the cloud authentication platform, data can be transmitted under the session key. In a specific implementation, the identity card information read by the terminal is normally in ciphertext form and the terminal cannot display its plaintext, so the terminal must send the identity card ciphertext to the cloud authentication platform for authentication. To protect the identity card ciphertext in transit, the terminal first encrypts it with the session key to obtain the third transmission data and then sends the third transmission data to the cloud authentication platform.
S107: the cloud authentication platform decrypts the third transmission data with the session key to obtain the identity card ciphertext, decrypts the identity card ciphertext to obtain the identity card plaintext, and encrypts the identity card plaintext with the session key to obtain the fourth transmission data.
In this embodiment, after the cloud authentication platform receives the third transmission data, it first decrypts them with the session key to obtain the identity card ciphertext, then passes the identity card ciphertext to the verification security module of the cloud authentication platform, which decrypts it to obtain the identity card plaintext. To protect the identity card plaintext, the cloud authentication platform first encrypts it with the session key to obtain the fourth transmission data and then sends the fourth transmission data to the identity card reading terminal.
S108: the cloud authentication platform sends the fourth transmission data to the identity card reading terminal.
In this embodiment, the cloud authentication platform sends the fourth transmission data to the identity card reading terminal; after receiving them, the terminal decrypts the fourth transmission data with the session key to obtain the identity card plaintext, so that the terminal has obtained the identity card plaintext. In a specific implementation, the terminal may have a display screen on which the identity card plaintext is shown for the user to read.
Through the way the cloud authentication platform in the identity card authentication system provided by this embodiment uses its keys, the reliability of the keys in the identity card authentication system is ensured, and so is the security of the identity information during the card-reading process.
In an optional embodiment of this embodiment, before step S101 the cloud authentication platform may also obtain the usage mode information of the public key of the first key pair for this use and the attribute information of that public key; the cloud authentication platform judges whether the usage mode information of the public key of the first key pair for this use is consistent with the attribute information of the public key of the first key pair, performs step S101 if they are consistent, and otherwise does not perform step S101.
In a specific implementation, every piece of security information carries attribute information, which can be represented by a few bits. For example, the attribute information of the public key of the first key pair is "01", indicating that the public key of the first key pair is used for signature verification; the attribute information of the public key of the second key pair is "10", indicating that the second key pair is used for decryption; the attribute information of the private key of the third key pair is "11", indicating that the third key pair is used for signing.
Before the cloud authentication platform uses a piece of security information, the usage mode information for this use that it obtains can likewise be represented by two bits. For example, if the security information is to be used for signature verification this time, its usage mode information is "01"; if it is to be used for decryption, "10"; if it is to be used for signing, "11".
The cloud authentication platform judges whether the usage mode information of the security information for this use is consistent with the attribute information of that security information; if so, the cloud authentication platform may use the security information, otherwise it refuses to use it. For example, if the security information to be used is the public key of the first key pair and it is to be used for signature verification, the usage mode information is "01" and the attribute information of the public key of the first key pair is "01"; the two are consistent, so the cloud authentication platform may use the public key of the first key pair. As another example, if the security information to be used is the public key of the second key pair and it is to be used for signing, the usage mode information is "11", whereas the public key of the second key pair is for decryption and its attribute information is "10"; the two are inconsistent, so the cloud authentication platform refuses to use the public key of the second key pair.
Therefore, before the cloud authentication platform uses the public key of the first key pair, it first obtains the usage mode information of that public key for this use and the attribute information of that public key, judges whether the two are consistent, and only if they are consistent may it use the public key of the first key pair.
In this optional embodiment, the attribute of the public key of the first key pair is defined so that, for example, a public key of the first key pair that may only verify signatures cannot be used for data encryption or decryption, and a key pair that may only encrypt or decrypt cannot be used for signing or signature verification. The cloud authentication platform checks the usage mode of the public key of the first key pair and directly refuses any usage mode that is not permitted, which ensures that the public key of the first key pair is used only as intended.
In an optional embodiment of this embodiment, before step S101 the cloud authentication platform may also store the public key of the first key pair for this use in the RAM of the security chip of the cloud authentication platform, and after step S101, that is, once the cloud authentication platform has finished using the public key of the first key pair, the cloud authentication platform removes the public key of the first key pair from the RAM of its security chip. In a specific implementation, when the security chip of the cloud authentication platform uses the public key of the first key pair it temporarily stores that public key in the RAM of the security chip, and once the application using the public key of the first key pair has completed, the cloud authentication platform forcibly removes the public key of the first key pair from the security chip's internal RAM. In this optional embodiment, no residual security information is left in the RAM of the security chip, which avoids a security risk.
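The usage mode check and the RAM load-and-clear described above, as an added Go example that is not code from the patent. The SecureChip, KeyObject and Use names are this example's own; the two-bit codes follow the page (01 signature verification, 10 decryption, 11 signing). The same Use call covers the public key of the second key pair before S103 and the private key of the third key pair before S104, which the page handles the same way.

```go
package main

import (
	"errors"
	"fmt"
)

// Usage is the two-bit code the page gives to both a key's attribute information and the
// usage mode requested for it: 01 signature verification, 10 decryption, 11 signing.
type Usage byte

const (
	UsageVerify  Usage = 0b01
	UsageDecrypt Usage = 0b10
	UsageSign    Usage = 0b11
)

// KeyObject is a key as held by the platform: its material plus the attribute information
// fixed when it was provisioned. Names in this example are assumptions, not the page's.
type KeyObject struct {
	Name     string
	Attr     Usage
	Material []byte
}

// SecureChip models the security chip: a persistent key store and a working RAM that must
// hold no key material once an operation has finished.
type SecureChip struct {
	store map[string]KeyObject
	ram   map[string][]byte
}

func NewSecureChip(keys ...KeyObject) *SecureChip {
	c := &SecureChip{store: map[string]KeyObject{}, ram: map[string][]byte{}}
	for _, k := range keys {
		c.store[k.Name] = k
	}
	return c
}

var ErrUsageMismatch = errors.New("requested usage does not match the key's attribute")

// Use checks the requested usage mode against the key's attribute and loads the key into
// RAM only if they match, runs op on it, and zeroes and removes the RAM copy afterwards,
// also when op fails; this is the check before, and the clearing after, S101, S103 and S104.
func (c *SecureChip) Use(name string, mode Usage, op func(material []byte) error) error {
	k, ok := c.store[name]
	if !ok {
		return fmt.Errorf("key %q not provisioned", name)
	}
	if k.Attr != mode {
		return fmt.Errorf("%w: %s has attribute %02b, requested %02b", ErrUsageMismatch, name, k.Attr, mode)
	}
	tmp := append([]byte(nil), k.Material...)
	c.ram[name] = tmp
	defer func() {
		for i := range tmp {
			tmp[i] = 0
		}
		delete(c.ram, name)
	}()
	return op(tmp)
}

// Resident reports whether any key material is still in RAM; true after Use returns is a leak.
func (c *SecureChip) Resident() bool { return len(c.ram) > 0 }

func main() {
	chip := NewSecureChip(
		KeyObject{"pair1.pub", UsageVerify, []byte("pair1-public")},
		KeyObject{"pair2.pub", UsageDecrypt, []byte("pair2-public")},
		KeyObject{"pair3.priv", UsageSign, []byte("pair3-private")},
	)
	noop := func([]byte) error { return nil }
	fmt.Println(chip.Use("pair1.pub", UsageVerify, noop)) // allowed: 01 matches 01
	fmt.Println(chip.Use("pair2.pub", UsageSign, noop))   // refused: attribute 10, requested 11
	fmt.Println(chip.Resident())                          // nothing left in RAM
}
```

Zeroing a slice in Go is best effort, since the runtime may already have copied it; on a real security chip the equivalent clearing is done by firmware with direct control of the RAM. The transferable part is the ordering: the attribute check happens before the key is loaded at all, and the clearing runs on every exit path, including a failed operation.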
In an optional embodiment of this embodiment, before step S101 the cloud authentication platform may also obtain the user identification information of the cloud authentication platform and obtain the verification result for that user identification information; if the verification result is correct, step S101 is performed. In a specific implementation, the user identification information may be a PIN code, a fingerprint, an iris, a face, or the like. When the user first logs in to the cloud authentication platform, the user enters the PIN code through physical keys and/or virtual keys, or enrolls a fingerprint, iris or face through the infrared scanning area of the cloud authentication platform. Each time the cloud authentication platform starts work it requires confirmation of the user identification information, so that the cloud authentication platform starts work only after it has obtained the user's authorization, which ensures the safe use of the cloud authentication platform.
In an optional embodiment of this embodiment, before step S101 the cloud authentication platform obtains the user identification information of the cloud authentication platform, and also obtains the maximum wrong-use count of the user identification information used this time and the current use count of the user identification information used this time; the cloud authentication platform judges whether the current use count of the user identification information used this time is less than its maximum wrong-use count, performs S101 if so, and otherwise does not perform step S101.
In a specific implementation, the maximum wrong-use count of the user identification information can be represented by one byte; for example, a maximum wrong-use count of "3" means the user identification information may be used wrongly at most 3 times. When the cloud authentication platform uses the user identification information, the current use count it obtains for this use can also be represented by one byte; for example, if this is the 2nd use of the user identification information, the current use count for this use is "2".
The cloud authentication platform judges whether the current use count of the user identification information used this time is less than the maximum wrong-use count of the user identification information; if so, the cloud authentication platform may use the user identification information and verify it, otherwise the cloud authentication platform refuses to verify it. For example, if this is the 2nd use of the user identification information, its use count is "2", the maximum wrong-use count is 3, and since 2 is less than 3 the cloud authentication platform may use and verify the user identification information. As another example, if this is the 4th use, the current use count is "4", the maximum wrong-use count is 3, and since 4 is not less than 3 the cloud authentication platform refuses to verify the user identification information.
In addition, in a specific implementation, when the cloud authentication platform uses the user identification information, the current use count it obtains for this use can be kept by a counter: each time the user identification information is used, the counter corresponding to that user identification information is incremented by 1. For example, if the user identification information has been used once before this use, the counter reads "1"; when it is used again this time, the counter reads "2", so the current use count for this use is "2". The cloud authentication platform judges whether the counter of the user identification information used this time is less than its maximum wrong-use count; if so, the cloud authentication platform may use and verify the user identification information, otherwise it refuses to verify it. With the counter at "2" and a maximum wrong-use count of 3, since 2 is less than 3 the cloud authentication platform may use and verify the user identification information.
In this optional embodiment, limiting the maximum wrong-use count of the user identification information means that once the use count of the user identification information exceeds the maximum wrong-use count, the application associated with that user identification information is locked, which prevents illegitimate probing of the cloud authentication platform.
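The user identification check with its wrong-use limit, as an added Go example that is not code from the patent. Read literally, the page's counter increments on every use and is compared with a "maximum wrong-use count", which would also lock the application after three correct logins; the example counts only failed attempts and resets on success, which is the conventional reading of that limit, and it increments the counter before comparing so that a power loss during the check cannot yield a free attempt. The PIN is the identification information here; the hash, the constant-time comparison and the Identifier name are this example's choices.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrLocked   = errors.New("user identification locked: maximum wrong-use count reached")
	ErrMismatch = errors.New("user identification information incorrect")
)

// Identifier models the platform's user identification check. maxWrong is the page's
// one-byte maximum wrong-use count (3 in its example) and current its one-byte counter.
type Identifier struct {
	digest   [32]byte // SHA-256 of the enrolled PIN; the PIN itself is never stored
	maxWrong uint8
	current  uint8
}

func NewIdentifier(pin string, maxWrong uint8) *Identifier {
	return &Identifier{digest: sha256.Sum256([]byte(pin)), maxWrong: maxWrong}
}

// Verify applies the page's rule: an attempt is allowed only while current < maxWrong.
// The counter is incremented before the comparison; a correct PIN resets it to zero.
func (u *Identifier) Verify(pin string) error {
	if u.current >= u.maxWrong {
		return ErrLocked
	}
	u.current++
	got := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(got[:], u.digest[:]) != 1 {
		return fmt.Errorf("%w (wrong attempt %d of %d)", ErrMismatch, u.current, u.maxWrong)
	}
	u.current = 0
	return nil
}

// Remaining reports how many further attempts the rule will still allow.
func (u *Identifier) Remaining() uint8 { return u.maxWrong - u.current }

func main() {
	u := NewIdentifier("1234", 3)
	// Three wrong PINs exhaust the limit; the correct PIN afterwards is refused as locked.
	for _, try := range []string{"0000", "1111", "2222", "1234"} {
		fmt.Printf("%s: %v (remaining %d)\n", try, u.Verify(try), u.Remaining())
	}
}
```

Unlocking is deliberately absent: the page says the associated application is locked once the limit is exceeded, and re-enabling it is an administrative action outside this check.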
In an optional embodiment of this embodiment, before step S103 the cloud authentication platform may also obtain the usage mode information of the public key of the second key pair for this use and the attribute information of that public key; the cloud authentication platform judges whether the usage mode information of the public key of the second key pair for this use is consistent with the attribute information of the public key of the second key pair, performs step S103 if they are consistent, and otherwise does not perform step S103. This process is similar to the check of the usage mode of the public key of the first key pair described above and is not repeated here.
In an optional embodiment of this embodiment, before step S103 the cloud authentication platform may also store the public key of the second key pair for this use in the RAM of the security chip of the cloud authentication platform, and after step S103, that is, once the cloud authentication platform has finished using the public key of the second key pair, the cloud authentication platform removes the public key of the second key pair from the RAM of its security chip. This process is similar to the storing and removal of the public key of the first key pair described above and is not repeated here.
In an optional embodiment of this embodiment, before step S104 the cloud authentication platform may also obtain the usage mode information of the private key of the third key pair for this use and the attribute information of that private key; the cloud authentication platform judges whether the usage mode information of the private key of the third key pair for this use is consistent with the attribute information of the private key of the third key pair, performs step S104 if they are consistent, and otherwise does not perform step S104. This process is similar to the check of the usage mode of the public key of the first key pair described above and is not repeated here.
In an optional embodiment of this embodiment, before step S104 the cloud authentication platform may also store the private key of the third key pair for this use in the RAM of the security chip of the cloud authentication platform, and after step S104, that is, once the cloud authentication platform has finished using the private key of the third key pair, the cloud authentication platform removes the private key of the third key pair from the RAM of its security chip. This process is similar to the storing and removal of the public key of the first key pair described above and is not repeated here.
The method by which the cloud authentication platform in the identity card authentication system provided by this embodiment uses its keys ensures the reliability of the security information and the security of the identity information during the card-reading process. Further, during the use of the keys, access control over the keys checks their usage mode and ensures that the keys are used only as intended.
Fig. 2 is a schematic structural diagram of the cloud authentication platform in the identity card authentication system of embodiment 1 of the present invention. As shown in Fig. 2, the cloud authentication platform includes a communication module 21 and an authentication security control module 22.
The communication module 21 is configured to receive the first transmission data sent by the identity card reading terminal, where the first transmission data include at least the public key certificate of the second key pair, the public key certificate of the first key pair, the first encrypted information and the first signing information; the first encrypted information is obtained by the terminal encrypting the session key request information with the public key of the first key pair, and the first signing information is obtained by the terminal signing the first encrypted information with the private key of the first key pair. The communication module 21 is further configured to send the second transmission data to the terminal, where the second transmission data include at least the public key certificate of the third key pair, the first encrypted session key and the second signing information; to receive the third transmission data sent by the terminal, where the third transmission data are obtained by the terminal encrypting, with the session key, the identity card ciphertext it has read; and to send the fourth transmission data to the terminal.
The authentication security control module 22 is configured to obtain the public key of the first key pair from the public key certificate of the first key pair and verify the first signing information with that public key; if the verification result is correct, to decrypt the first encrypted information with the authentication decryption key to obtain the second information; to generate the session key; to obtain the public key of the second key pair from the public key certificate of the second key pair and encrypt the session key with that public key to obtain the first encrypted session key; to sign the first encrypted session key with the private key of the third key pair to obtain the second signing information; and to decrypt the third transmission data with the session key to obtain the identity card ciphertext, decrypt the identity card ciphertext to obtain the identity card plaintext, and encrypt the identity card plaintext with the session key to obtain the fourth transmission data.
Through the way the cloud authentication platform in the identity card authentication system provided by this embodiment uses its keys, the reliability of the keys in the identity card authentication system is ensured, and so is the security of the identity information during the card-reading process.
In this embodiment, the cloud authentication platform is essentially a verification platform that supports the verification of identity card information: it authenticates the identity card information sent to it by identity card reading terminals. That is, the cloud authentication platform includes a resident identity card verification security control module and must authenticate second-generation identity card information. In a specific implementation, the cloud authentication platform may be a computer, such as a tablet, a desktop, a laptop or a large server; the embodiments of the present invention do not limit this.
In this embodiment, since the public key of the first key pair is a signature verification key and its private key is a signing key, the identity card reading terminal signs the first encrypted information it sends to the communication module 21 with the private key of the first key pair to obtain the first signing information, and carries the first signing information in the first transmission data sent to the communication module 21. After the communication module 21 receives the first transmission data, the authentication security control module 22 obtains the public key of the first key pair from the public key certificate of the first key pair and verifies the first signing information with it. If the verification result is correct, the first signing information was indeed sent to the cloud authentication platform by the terminal and was not tampered with in transit, so the cloud authentication platform has verified the identity of the terminal. Therefore, if the verification result is correct, the authentication security control module 22 decrypts the first encrypted information with the authentication decryption key to obtain the second information.
In this embodiment, since the public key of the second key pair is an encryption key and its private key is a decryption key, the authentication security control module 22 obtains the public key of the second key pair from its public key certificate and encrypts the session key with it to obtain the first encrypted session key. After the identity card reading terminal receives the first encrypted session key, it decrypts it with the private key of the second key pair to obtain the session key. This prevents the session key from being compromised while it is transmitted from the cloud authentication platform to the terminal and ensures that the session key received by the terminal is secure.
In this embod iment, the authentication security control module 22 may call a random number interface to obtain a random number of a preset length as the session key. The preset length of the random number may be 16 bytes or another length; if the RC4 encryption algorithm is used it may be 1 to 256 bytes. The RC4 encryption algorithm is preferred. The identity card reading terminal and the cloud authentication platform transmit data under the session key, which ensures the security of the data transmission link. Note that RC4 is no longer considered secure: RFC 7465 prohibits its use in TLS, and encryption with it provides no integrity protection, so a current implementation would use an authenticated cipher such as AES-GCM for the session key in its place.
In this embodiment, the third key pair is an asymmetric key pair consisting of the public key of the third key pair and the private key of the third key pair; the public key of the third key pair is a signature verification key and its private key is a signing key. In a specific implementation, the authentication security control module 22 signs the first encrypted session key to be sent to the identity card reading terminal with the private key of the third key pair to obtain the second signing information. After the terminal receives the second signing information, it verifies it with the public key of the third key pair; if the verification result is correct, the second signing information was indeed sent to the terminal by the authentication security control module 22 and was not tampered with in transit, so the terminal has verified the identity of the cloud authentication platform.
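The key establishment of S101 to S105, with the roles of the three key pairs as just described, as an added Go example that is not code from the patent. Both parties run in one process. The page names no algorithms, so RSA-PSS signatures and RSA-OAEP key transport are this example's choices; the "authentication decryption key" is given its own key pair (authDec) because the page does not say which pair it belongs to; and raw public keys stand in for the public key certificates, whose validation a real terminal and platform would perform before any use. The order in Respond is the security-relevant point: the terminal's signature is verified before the first encrypted information is decrypted, and a bad signature ends the exchange.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Terminal: pair1 signs (S101), pair2 receives the session key (S105). Cloud: pair3 signs
// (S104); authDec stands in for the page's "authentication decryption key", whose owning
// key pair the page does not name (an assumption of this example). Raw public keys stand
// in for the public key certificates; a real platform validates the certificate chain first.
type Terminal struct{ pair1, pair2 *rsa.PrivateKey }
type Cloud struct{ pair3, authDec *rsa.PrivateKey }
type Tx1 struct{ Enc1, Sig1 []byte; Pub1, Pub2 *rsa.PublicKey } // first transmission data
type Tx2 struct{ EncSK, Sig2 []byte; Pub3 *rsa.PublicKey }       // second transmission data

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(k *rsa.PrivateKey, m []byte) ([]byte, error) {
	h := sha256.Sum256(m)
	return rsa.SignPSS(rand.Reader, k, crypto.SHA256, h[:], nil)
}

func verify(p *rsa.PublicKey, m, sig []byte) error {
	h := sha256.Sum256(m)
	return rsa.VerifyPSS(p, crypto.SHA256, h[:], sig, nil)
}

func oaepEnc(p *rsa.PublicKey, m []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, p, m, nil)
}

func oaepDec(k *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k, c, nil)
}

// Request (S101): the session key request is encrypted to the platform and the ciphertext
// is signed with the private key of the first key pair.
func (t *Terminal) Request(authPub *rsa.PublicKey) (Tx1, error) {
	enc1, err := oaepEnc(authPub, []byte("session key request"))
	if err != nil {
		return Tx1{}, err
	}
	sig1, err := sign(t.pair1, enc1)
	return Tx1{enc1, sig1, &t.pair1.PublicKey, &t.pair2.PublicKey}, err
}

// Respond (S102 to S104): verify the terminal's signature before decrypting anything, then
// generate a fresh 16-byte session key, encrypt it to the second key pair and sign the result
// with the third. The platform keeps sk for S107.
func (c *Cloud) Respond(tx Tx1) (Tx2, []byte, error) {
	if err := verify(tx.Pub1, tx.Enc1, tx.Sig1); err != nil {
		return Tx2{}, nil, fmt.Errorf("S102: reject, terminal signature invalid: %w", err)
	}
	if _, err := oaepDec(c.authDec, tx.Enc1); err != nil {
		return Tx2{}, nil, fmt.Errorf("S102: %w", err)
	}
	sk := make([]byte, 16)
	if _, err := rand.Read(sk); err != nil {
		return Tx2{}, nil, err
	}
	encSK, err := oaepEnc(tx.Pub2, sk)
	if err != nil {
		return Tx2{}, nil, err
	}
	sig2, err := sign(c.pair3, encSK)
	return Tx2{encSK, sig2, &c.pair3.PublicKey}, sk, err
}

// Accept (terminal side of S105): verify with the public key of the third key pair, then
// recover the session key with the private key of the second.
func (t *Terminal) Accept(tx Tx2) ([]byte, error) {
	if err := verify(tx.Pub3, tx.EncSK, tx.Sig2); err != nil {
		return nil, fmt.Errorf("S105: reject, platform signature invalid: %w", err)
	}
	return oaepDec(t.pair2, tx.EncSK)
}

func main() {
	t, c := &Terminal{newKey(), newKey()}, &Cloud{newKey(), newKey()}
	tx1, _ := t.Request(&c.authDec.PublicKey)
	tx2, skCloud, err := c.Respond(tx1)
	if err != nil {
		panic(err)
	}
	skTerm, err := t.Accept(tx2)
	fmt.Println("session key shared:", err == nil && bytes.Equal(skCloud, skTerm))
}
```

Because Tx1 carries the terminal's own public keys, a platform that verified against tx.Pub1 without first validating the certificate it came in would accept any self-chosen key; the signature checks above only bind the messages to the keys the certificates vouch for, which is why certificate validation has to come first.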
In an optional embodiment of this embodiment, before the authentication security control module 22 uses the private key of the third key pair, it must first obtain the third key pair. In a specific implementation, the authentication security control module 22 may obtain the third key pair from outside, or the authentication security control module 22 may generate the third key pair internally. To ensure that the third key pair obtained by the authentication security control module 22 is secure, the authentication security control module 22 preferably generates the third key pair internally. In this optional embodiment, because the third key pair is generated inside the authentication security control module, the private key of the third key pair cannot be exported, while the public key of the third key pair can be exported carried in a public key certificate; internal generation within the cloud authentication platform means the private key cannot be disclosed, which ensures the security of the third key pair.
In another optional embodiment of this embodiment, before the communication module 21 sends the second transmission data to the identity card reading terminal, the authentication security control module 22 must first obtain the public key certificate of the third key pair. In a specific implementation, every certificate the authentication security control module 22 obtains is issued by a digital certificate server, which is normally a certificate authority; the certificate authority generates the user's public key certificate from the issuing authority's information, the user's public key information, the authority's signature and the validity period.
In a specific implementation, if the authentication security control module 22 generates the third key pair internally, then to obtain the public key certificate of the third key pair the communication module 21 sends the public key of the third key pair to the digital certificate server; the digital certificate server performs the certificate issuing operation on that public key using the issuing authority's information, the public key information of the third key pair, the authority's signature and the validity period, generates the public key certificate of the third key pair and sends it to the communication module 21. If the authentication security control module 22 obtains the third key pair from outside, it obtains the already generated public key certificate of the third key pair together with the key pair.
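Certificate issuance for the third key pair as the page describes it, as an added Go example using the standard crypto/x509 package; it is not code from the patent. The digital certificate server (the CA) receives only the public key, so the private key never leaves the platform, and issues a certificate carrying the issuer's information, that public key, a validity period and the CA's signature; the terminal then validates the chain and the key usage before it trusts the key for signature verification. The CA name, subject name, serial numbers and lifetimes are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// NewCA builds a self-signed root for the digital certificate server (the page's certificate
// authority). Names and lifetimes are this example's assumptions.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example ID Authentication CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue is the CA side: it receives only the public key of the third key pair (the private key
// never leaves the platform) and returns a certificate carrying the issuer's information, that
// public key, a validity period and the CA's signature, the contents the page lists.
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, platformPub *rsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "cloud-authentication-platform"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // the third key pair signs only
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, platformPub, caKey)
}

// TerminalTrusts is what the identity card reading terminal must do with the certificate in the
// second transmission data before verifying anything with it: chain it to the CA it trusts and
// confirm the key is marked for signing. It returns the public key of the third key pair.
func TerminalTrusts(root *x509.Certificate, certDER []byte) (*rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate not issued by the trusted CA: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return nil, fmt.Errorf("certificate key is not marked for signing")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	return pub, nil
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	pair3 := mustKey() // generated inside the platform; only pair3.PublicKey is sent to the CA
	certDER, err := Issue(ca, caKey, &pair3.PublicKey)
	if err != nil {
		panic(err)
	}
	pub, err := TerminalTrusts(ca, certDER)
	fmt.Println("terminal trusts platform key:", err == nil && pub.N.Cmp(pair3.N) == 0)
}
```

A production CA would take a certificate signing request rather than a bare public key, since the CSR's self-signature also proves possession of the private key; the page describes sending the public key alone, which is what Issue models.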
In this optional embodiment, by obtaining the public key certificate of the third key pair, the authentication security control module can send that certificate to the identity card reading terminal, so that the terminal uses the public key of the third key pair to verify the signature on the information it receives and thereby confirms the identity of the cloud authentication platform.
In this embodiment, once the session key has been confirmed between the identity card reading terminal and the cloud authentication platform, data can be transmitted under the session key. In a specific implementation, the identity card information read by the terminal is normally in ciphertext form and the terminal cannot display its plaintext, so the terminal must send the identity card ciphertext to the authentication security control module 22 of the cloud authentication platform for authentication. To protect the identity card ciphertext in transit, the terminal first encrypts it with the session key to obtain the third transmission data and then sends the third transmission data to the communication module 21 of the cloud authentication platform.
In the present embodiment, after communication module 21 receives the 3rd transmission data, certification safety control module 22 first uses session close
3rd transmission data are decrypted and obtain identity card ciphertext by key, then identity card ciphertext is sent the checking safety to cloud authentication platform
Module is decrypted and obtains identity card in plain text.In order to ensure identity card safety in plain text, certification safety control module 22 first uses meeting
Words double secret key identity card plain text encryption obtains the 4th transmission data, then by communication module 21, the 4th transmission data is sent to identity
Card card-reading terminal.After identity card card-reading terminal receives the 4th transmission data, use session key that the 4th transmission data are solved
It is close thus obtain identity card in plain text, it is achieved thereby that identity card card-reading terminal is to identity card acquisition in plain text.In specific implementation process,
Identity card card-reading terminal can have display screen, by identity card display in plain text at display screen, in order to user reads.
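The third and fourth transmission data described above, as an added worked example in Go; this is not code from the patent or from any product it describes. The page does not name the symmetric algorithm, so AES-256-GCM and the direction labels bound as associated data are this example's assumptions, and the ID-card record and all keys are constructed inline. The page also does not say how the ID-card ciphertext is produced, so the verification security module's key is modelled as a second AES key that the terminal never holds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Direction labels bound as AEAD associated data, so a message captured in one direction fails if fed back in the other (this example's assumption).
const (
	adThird  = "terminal->platform:third-transmission-data"
	adFourth = "platform->terminal:fourth-transmission-data"
	adCard   = "verification-module:id-card-record"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte, ad string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(ad)), nil
}

// open reverses seal; a wrong key, a modified ciphertext or a wrong label fails the tag check.
func open(key, msg []byte, ad string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], []byte(ad))
}

// PlatformHandle stands for the communication module, the authentication security control module and the
// verification security module together: unwrap the third transmission data, decrypt the ID-card ciphertext, wrap the plaintext as the fourth.
func PlatformHandle(sessionKey, verificationKey, third []byte) ([]byte, error) {
	idCiphertext, err := open(sessionKey, third, adThird)
	if err != nil {
		return nil, fmt.Errorf("third transmission data rejected: %w", err)
	}
	idPlain, err := open(verificationKey, idCiphertext, adCard)
	if err != nil {
		return nil, fmt.Errorf("ID-card ciphertext rejected: %w", err)
	}
	return seal(sessionKey, idPlain, adFourth)
}

// RoundTrip plays the terminal side around PlatformHandle on fresh random keys and a
// constructed record, returning what the terminal would display; it also checks that
// the fourth transmission data is refused if reflected back to the platform.
func RoundTrip(record string) (string, error) {
	keys := make([]byte, 64)
	if _, err := rand.Read(keys); err != nil {
		return "", err
	}
	sessionKey, verificationKey := keys[:32], keys[32:]
	idCiphertext, err := seal(verificationKey, []byte(record), adCard) // stand-in for the card's stored ciphertext
	if err != nil {
		return "", err
	}
	third, err := seal(sessionKey, idCiphertext, adThird) // terminal -> platform
	if err != nil {
		return "", err
	}
	fourth, err := PlatformHandle(sessionKey, verificationKey, third)
	if err != nil {
		return "", err
	}
	if _, err := PlatformHandle(sessionKey, verificationKey, fourth); err == nil {
		return "", errors.New("reflected fourth transmission data was accepted")
	}
	plain, err := open(sessionKey, fourth, adFourth) // terminal decrypts for its display
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	fmt.Println(RoundTrip("name=Constructed Holder;id=000000000000000000"))
}
```

The direction labels are the part the page leaves implicit: with a bare session key and no such binding, an attacker on the link could hand the fourth transmission data back to the platform as if it were third transmission data, and the platform would decrypt it and treat the ID-card plaintext as an ID-card ciphertext.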
The cloud authentication platform in the ID-card authentication system provided by this embodiment thus ensures the reliability of the keys in the ID-card authentication system and the safety of the identity information during the ID-card reading process.
In an optional embodiment, the cloud authentication platform further includes an acquisition module 23, as shown in Figure 3. The acquisition module 23 can obtain the user identification information of the cloud authentication platform and obtain the verification result of that user identification information; if the verification result is correct, the communication module 21 receives the first transmission data sent by the ID-card reading terminal. In a concrete implementation the user identification information may be a PIN code, a fingerprint, an iris, a face, and so on. When the user first logs in to the cloud authentication platform, the user enters the PIN code through physical keys and/or virtual keys, or enrols a fingerprint, iris or face through the infrared scanning area of the cloud authentication platform. Each time the cloud authentication platform starts working it must confirm the user identification information, so that the platform only starts working after the user has authorized it, which ensures the safe use of the cloud authentication platform.
In an optional embodiment, the cloud authentication platform further includes an authority control module 24, as shown in Figure 3. While the acquisition module 23 obtains the user identification information of the cloud authentication platform, the authority control module 24 also obtains the maximum number of wrong uses allowed for the user identification information being used this time and the current use count of that user identification information. The authority control module 24 judges whether the current use count of the user identification information used this time is smaller than its maximum number of wrong uses; if so, the communication module 21 receives the first transmission data sent by the ID-card reading terminal, otherwise the communication module 21 does not receive the first transmission data sent by the ID-card reading terminal.
In a concrete implementation, the maximum number of wrong uses of the user identification information can be represented by one byte; for example, a value of "3" means that the user identification information may be used wrongly at most 3 times. The current use count that the authority control module 24 obtains when the acquisition module 23 uses the user identification information can likewise be represented by one byte; for example, if the user identification information is being used for the 2nd time, its current use count is "2".
The authority control module 24 judges whether the current use count of the user identification information used this time is smaller than the maximum number of wrong uses; if so, the acquisition module 23 may use the user identification information and verify it, otherwise the acquisition module 23 refuses to verify it. For example, if the user identification information is being used for the 2nd time, its use count is "2"; with a maximum of 3 wrong uses, 2 is smaller than 3, so the acquisition module 23 may use and verify the user identification information. If instead it is being used for the 4th time, its current use count is "4"; 4 is not smaller than 3, so the acquisition module 23 refuses to verify the user identification information.
In addition, the current use count obtained by the authority control module 24 can be kept by a counter: each time the user identification information is used (or obtained), the counter corresponding to it is incremented by 1. For example, if the user identification information has been used once before, the counter reads "1"; when it is used again this time, the counter reads "2", so the current use count is "2". The authority control module 24 then judges whether the counter for the user identification information used this time is smaller than the maximum number of wrong uses; in this example 2 is smaller than 3, so the acquisition module 23 may use and verify the user identification information, and otherwise the acquisition module 23 refuses to verify it.
Through this optional embodiment, limiting the maximum number of wrong uses of the user identification information means that once its use count exceeds that maximum, the application associated with that user identification information is locked, which prevents illegal probing of the cloud authentication platform.
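The lockout described above, as an added Go example that is not the patent's own code. The page's examples increment the counter on every use; a deployable version, as here, increments only on a failed use and resets it on success, otherwise a legitimate user would be locked out after the third correct PIN. The type and function names are this example's own, the stored record is constructed, and the PIN is compared as a salted hash in constant time.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// PINRecord is a constructed stand-in for the platform's stored user identification
// information: a salted hash of the PIN plus the two one-byte counters the authority
// control module consults.
type PINRecord struct {
	salt        []byte
	hash        [32]byte
	MaxWrongUse uint8 // maximum number of wrong uses, one byte as on the page
	WrongUse    uint8 // consecutive wrong uses so far (the counter)
}

var (
	ErrLocked   = errors.New("user identification information is locked")
	ErrWrongPIN = errors.New("user identification information is incorrect")
)

func hashPIN(salt []byte, pin string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), pin...))
}

func NewPINRecord(pin string, maxWrongUse uint8) (*PINRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &PINRecord{salt: salt, hash: hashPIN(salt, pin), MaxWrongUse: maxWrongUse}, nil
}

// Locked is the authority control module's test: the counter must be smaller than
// the maximum number of wrong uses before the PIN may be used at all.
func (r *PINRecord) Locked() bool { return r.WrongUse >= r.MaxWrongUse }

// Verify is the acquisition module's verification under authority control. The
// counter is advanced before the comparison (on a real device it would be written to
// non-volatile storage at that point, so cutting power mid-check cannot skip it) and
// reset only on success; the comparison itself is constant-time.
func (r *PINRecord) Verify(pin string) error {
	if r.Locked() {
		return ErrLocked
	}
	r.WrongUse++
	candidate := hashPIN(r.salt, pin)
	if subtle.ConstantTimeCompare(candidate[:], r.hash[:]) != 1 {
		return ErrWrongPIN
	}
	r.WrongUse = 0
	return nil
}

func main() {
	rec, err := NewPINRecord("1234", 3)
	if err != nil {
		panic(err)
	}
	for _, pin := range []string{"0000", "0000", "0000", "1234"} {
		fmt.Println(pin, rec.Verify(pin), rec.Locked())
	}
}
```

With a maximum of 3, the first three wrong PINs are each reported as wrong and the fourth attempt is refused as locked even when the PIN is right, which is the "4 is not smaller than 3" case on the page.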
In another optional embodiment, the cloud authentication platform further includes an authority control module 24, and the authority control can consist of the authority control module 24 checking the purpose for which a piece of security information is used, where the security information may include the public key of the first key pair, the public key of the second key pair and the private key of the third key pair.
That is, before the authentication security control module 22 uses a piece of security information, the authority control module 24 obtains the usage-mode information of the security information to be used this time; when the authentication security control module 22 uses the security information, the authority control module 24 obtains the attribute information of that security information; the authority control module 24 judges whether the usage-mode information of the security information used this time is consistent with its attribute information, and only if they are consistent does the authentication security control module 22 use the security information.
In a concrete implementation each piece of security information also carries attribute information expressing its attribute. For example, the attribute information of the public key of the first key pair expresses that this public key is for signature verification, and the acquisition module 23 also obtains that attribute information after obtaining the public key of the first key pair; the attribute information of the public key of the second key pair expresses that this public key is for decryption, and the acquisition module 23 also obtains it after obtaining the public key of the second key pair; the attribute information of the private key of the third key pair expresses that this private key is for signing, and the acquisition module 23 also obtains it after obtaining the private key of the third key pair.
In a concrete implementation, the authority control that the authority control module 24 performs on the security information being used can be as follows. Before the authentication security control module 22 uses a piece of security information, the authority control module 24 also obtains the usage-mode information of the security information used this time: before the authentication security control module 22 uses the public key of the first key pair, the authority control module 24 obtains the usage-mode information of that public key; before it uses the public key of the second key pair, the authority control module 24 obtains the usage-mode information of that public key; and before it uses the private key of the third key pair, the authority control module 24 obtains the usage-mode information of that private key. The authority control module 24 then judges whether the usage-mode information of the security information used this time is consistent with the attribute information of the security information; if so, the subsequent operation is performed, otherwise the ID-card reading terminal refuses to perform the subsequent operation.
In a concrete implementation the attribute information of the security information can be represented by a few bytes, for example: the attribute information of the public key of the first key pair is "10", meaning that it is for signature verification; the attribute information of the public key of the second key pair is "11", meaning that it is for decryption; and the attribute information of the private key of the third key pair is "01", meaning that it is for signing.
The usage-mode information that the authority control module 24 obtains before the authentication security control module 22 uses the security information can likewise be represented by 2 bytes: if the security information is to be used for signature verification, its usage-mode information is "10"; if it is to be used for decryption, "11"; and if it is to be used for signing, "01".
The authority control module 24 judges whether the usage-mode information of the security information used this time is consistent with the attribute information of the security information; if so, the authentication security control module 22 uses the security information, otherwise it refuses to use it. For example, if the security information used this time is the public key of the first key pair and it is to be used for signature verification, the usage-mode information is "10" and the attribute information of the public key of the first key pair is "10"; the two are consistent, so the authentication security control module 22 uses the security information. As another example, if the security information used this time is the public key of the second key pair and it is to be used for signing, the usage-mode information is "01", while the public key of the second key pair is for decryption and its attribute information is "11"; the two are inconsistent, so the authentication security control module 22 refuses to use the security information.
Through this optional embodiment, by defining the attributes of the security information (for example, a key that may only sign cannot be used for data encryption or decryption, and a key pair that may only encrypt or decrypt cannot be used for data signing or signature verification), the cloud authentication platform checks the usage mode of the security information and directly refuses any usage mode that is not allowed, ensuring the proper use of the security information.
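The attribute check described above, as an added Go example that is not the patent's own code. It keeps the page's codes ("10" verify, "11" decrypt, "01" sign) and uses RSA (PSS for signatures, OAEP for encryption) because the page names no algorithm; the page's negative example, using the second key pair's public key for signing, is what authorityCheck refuses. The page attaches the decryption attribute to the second key pair's public key; since decryption is necessarily a private-key operation, the second entry here holds the whole pair. All names and keys are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Usage codes in the page's encoding: "10" signature verification, "11" decryption, "01" signing.
type Usage string

const (
	UsageVerify  Usage = "10"
	UsageDecrypt Usage = "11"
	UsageSign    Usage = "01"
)

// SecurityInfo is one key with the attribute information fixed at provisioning time.
type SecurityInfo struct {
	Name      string
	Attribute Usage
	priv      *rsa.PrivateKey // nil for a public-key-only entry
	pub       *rsa.PublicKey
}

var (
	ErrUsageMismatch = errors.New("usage mode inconsistent with key attribute")
	ErrNoPrivateKey  = errors.New("operation needs a private key this entry does not hold")
)

// authorityCheck is the authority control module's decision: the usage mode requested
// now must be identical to the attribute recorded on the key.
func authorityCheck(info *SecurityInfo, requested Usage) error {
	if info.Attribute != requested {
		return fmt.Errorf("%w: %s has attribute %q, requested %q",
			ErrUsageMismatch, info.Name, info.Attribute, requested)
	}
	if requested != UsageVerify && info.priv == nil {
		return ErrNoPrivateKey
	}
	return nil
}

func IsUsageMismatch(err error) bool { return errors.Is(err, ErrUsageMismatch) }

// Sign, Verify and Decrypt all pass through authorityCheck before the key is touched.
func Sign(info *SecurityInfo, msg []byte) ([]byte, error) {
	if err := authorityCheck(info, UsageSign); err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, info.priv, crypto.SHA256, h[:], nil)
}

func Verify(info *SecurityInfo, msg, sig []byte) error {
	if err := authorityCheck(info, UsageVerify); err != nil {
		return err
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(info.pub, crypto.SHA256, h[:], sig, nil)
}

func Decrypt(info *SecurityInfo, ct []byte) ([]byte, error) {
	if err := authorityCheck(info, UsageDecrypt); err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, info.priv, ct, nil)
}

// NewSecurityInfo generates a fresh RSA key pair and records attr on it.
func NewSecurityInfo(name string, attr Usage) (*SecurityInfo, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SecurityInfo{Name: name, Attribute: attr, priv: k, pub: &k.PublicKey}, nil
}

// PublicOnly is the public half of the same pair with its own attribute (the page's first key pair signs at the terminal and verifies at the platform).
func (s *SecurityInfo) PublicOnly(name string, attr Usage) *SecurityInfo {
	return &SecurityInfo{Name: name, Attribute: attr, pub: s.pub}
}

// EncryptTo is the other party encrypting to this entry's public key; only the platform-side Decrypt is under authority control.
func EncryptTo(info *SecurityInfo, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, info.pub, msg, nil)
}

func main() {
	second, _ := NewSecurityInfo("second key pair", UsageDecrypt)
	_, err := Sign(second, []byte("x")) // the page's negative example: refused
	fmt.Println(err)
}
```

The check is deliberately an equality, not a subset test: a key tagged "11" is refused for signing even though RSA could mathematically do it, which is the property the page is after.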
In another optional embodiment, the cloud authentication platform may further include a RAM module 25, as shown in Figure 3. The authority control that the authority control module 24 applies to the security information in use can be: when the authentication security control module 22 uses a piece of security information, the authority control module 24 stores the security information used this time in the RAM module; after the authentication security control module 22 has finished using it, the authority control module 24 clears that security information from the RAM module.
In a concrete implementation, when the authentication security control module 22 uses security information, the authority control module 24 may store it temporarily in the RAM module 25, and once the application that relied on the security information has finished, the authority control module 24 forcibly clears the security information from the RAM module 25. For example, before the authentication security control module 22 verifies a signature with the public key of the first key pair, the authority control module 24 can read that public key from its storage address and place it in the RAM module; once the authentication security control module 22 has used the public key of the first key pair, that is, the application using it has finished, the authority control module 24 forcibly clears it from the RAM module 25.
Through this optional embodiment, no residual security information is left in the RAM module, avoiding a potential security hazard.
In another optional embodiment, the cloud authentication platform may further include a database module 26 and an authorization module 27, as shown in Figure 3. Before the authentication security control module 22 decrypts the first encrypted information with the authentication decryption key to obtain the second information, it first needs to obtain the authentication decryption key. Preferably, the public key of the first key pair is a symmetric key: the ID-card reading terminal and the cloud authentication platform can both obtain the same symmetric algorithm from the data server of the cloud authentication platform and generate the public key of the first key pair from it.
In a concrete implementation, the database module 26 stores the algorithm that generates the public key of the first key pair. When the authentication security control module 22 applies to the database server of the cloud authentication platform for the authentication decryption key, the database module 26 issues the authentication security control module 22 the ciphertext of an authentication decryption key, where this authentication decryption key corresponds to the public key of the first key pair applied for by the ID-card reading terminal. To obtain the plaintext of the authentication decryption key, the authentication security control module 22 applies to the authorization module 27 for an authorization decryption key, which is used to decrypt the ciphertext of the authentication decryption key. The authorization module 27 judges the usage mode of the authentication decryption key and, if it passes authentication, issues the authentication security control module 22 an authorization decryption key. The authentication security control module 22 uses the authorization decryption key to decrypt the ciphertext of the authentication decryption key, obtains its plaintext, and so obtains the authentication decryption key.
Through this optional embodiment, the authentication security control module 22 can obtain the authentication decryption key only after authorization by the authorization module 27, which prevents illegal use of the key algorithm in the database module 26.
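The database module, authorization module and RAM clearing described above, as one added Go example that is not the patent's own code; it serves this passage and the RAM module passage before it. Because the page does not say how the ciphertext of the authentication decryption key is produced, the example wraps the key with AES-256-GCM under a wrapping key that only the authorization module releases, with the intended purpose bound as associated data; the purpose strings, names and keys are this example's own, and the keys are generated inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DatabaseModule keeps the authentication decryption key and the wrapping key and releases neither in plaintext.
type DatabaseModule struct{ wrappingKey, authDecKey []byte }

func NewDatabaseModule() *DatabaseModule {
	keys := make([]byte, 64)
	if _, err := rand.Read(keys); err != nil {
		panic(err) // no entropy source: nothing sensible can continue
	}
	return &DatabaseModule{wrappingKey: keys[:32], authDecKey: keys[32:]}
}

// RequestWrapped issues the authentication decryption key encrypted under the wrapping key
// (nonce prepended), with the purpose bound as associated data so a ciphertext issued for one purpose cannot be unwrapped under another.
func (d *DatabaseModule) RequestWrapped(purpose string) ([]byte, error) {
	aead, err := newGCM(d.wrappingKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, d.authDecKey, []byte(purpose)), nil
}

// AuthorizationModule releases the authorization decryption key (the unwrapping key)
// only for purposes on its allow-list.
type AuthorizationModule struct {
	allowed     map[string]bool
	wrappingKey []byte
}

var ErrNotAuthorized = errors.New("authorization module refused the requested usage")

func NewAuthorizationModule(db *DatabaseModule, allowed map[string]bool) *AuthorizationModule {
	return &AuthorizationModule{allowed: allowed, wrappingKey: db.wrappingKey}
}

func (a *AuthorizationModule) Authorize(purpose string) ([]byte, error) {
	if !a.allowed[purpose] {
		return nil, fmt.Errorf("%w: %q", ErrNotAuthorized, purpose)
	}
	return append([]byte(nil), a.wrappingKey...), nil // the caller gets its own copy to clear
}

// Zeroize overwrites key material once it is no longer needed: the RAM-clearing step.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// ObtainAndUse plays the authentication security control module: request the wrapped key, obtain
// authorization, unwrap, hand the key to one operation, and clear both keys when that operation returns.
func ObtainAndUse(db *DatabaseModule, auth *AuthorizationModule, purpose string, use func([]byte) error) error {
	wrapped, err := db.RequestWrapped(purpose)
	if err != nil {
		return err
	}
	unwrapKey, err := auth.Authorize(purpose)
	if err != nil {
		return err
	}
	defer Zeroize(unwrapKey)
	aead, err := newGCM(unwrapKey)
	if err != nil {
		return err
	}
	ns := aead.NonceSize()
	authDecKey, err := aead.Open(nil, wrapped[:ns], wrapped[ns:], []byte(purpose))
	if err != nil {
		return err
	}
	defer Zeroize(authDecKey)
	return use(authDecKey)
}

func main() {
	db := NewDatabaseModule()
	auth := NewAuthorizationModule(db, map[string]bool{"decrypt-first-encrypted-information": true})
	fmt.Println(ObtainAndUse(db, auth, "sign-anything", func([]byte) error { return nil }))
}
```

Zeroize clears the Go slice the caller was handed; copies the garbage collector or the runtime may have made elsewhere are outside this example, which is why real implementations keep such keys inside a secure element rather than in general-purpose memory.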
In summary, the cloud authentication platform in the ID-card authentication system provided by this embodiment ensures the reliability of the keys through the way the platform uses them, and ensures the safety of the identity information during the ID-card reading process. Furthermore, by applying authority control to the keys while they are in use, the usage mode of the keys is checked, ensuring the proper use of the keys.
Any process or method described in the flowcharts or otherwise herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
Those skilled in the art will appreciate that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing related hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example", "some examples" and the like means that a particular feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification the schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the invention without departing from its principle and purpose. The scope of the present invention is defined by the appended claims and their equivalents.
Claims (8)
1. A cloud authentication platform in an ID-card authentication system, characterised in that it comprises:
a communication module, configured to receive first transmission data sent by an ID-card reading terminal, wherein the first transmission data at least comprises a public key certificate of a second key pair, a public key certificate of a first key pair, first encrypted information and first signature information, the first encrypted information being obtained by the ID-card reading terminal encrypting session-key request information with the public key of the first key pair, and the first signature information being obtained by the ID-card reading terminal signing the first encrypted information with the private key of the first key pair; to send second transmission data to the ID-card reading terminal, wherein the second transmission data at least comprises a public key certificate of a third key pair, a first encrypted session key and second signature information; to receive third transmission data sent by the ID-card reading terminal, wherein the third transmission data is obtained by the ID-card reading terminal encrypting, with the session key, the ID-card ciphertext obtained by the ID-card reading terminal; and to send fourth transmission data to the ID-card reading terminal;
an authentication security control module, configured to obtain the public key of the first key pair from the public key certificate of the first key pair and to verify the first signature information with the public key of the first key pair, the authentication security control module decrypting the first encrypted information with an authentication decryption key to obtain second information if the verification result is correct; to generate the session key; to obtain the public key of the second key pair from the public key certificate of the second key pair and to encrypt the session key with the public key of the second key pair to obtain the first encrypted session key; to sign the first encrypted session key with the private key of the third key pair to obtain the second signature information; to decrypt the third transmission data with the session key to obtain the ID-card ciphertext, to decrypt the ID-card ciphertext to obtain the ID-card plaintext, and to encrypt the ID-card plaintext with the session key to obtain the fourth transmission data.
2. The cloud authentication platform according to claim 1, characterised in that the cloud authentication platform further comprises an acquisition module;
the acquisition module is further configured to obtain user identification information and to obtain a verification result of the user identification information; if the verification result is correct, the communication module receives the first transmission data sent by the ID-card reading terminal.
3. The ID-card reading terminal according to claim 2, characterised in that the cloud authentication platform further comprises an authority control module;
the authority control module, before the communication module receives the first transmission data sent by the ID-card reading terminal, obtains the maximum number of wrong uses of the user identification information used this time and the current use count of the user identification information used this time;
the authority control module judges whether the current use count of the user identification information used this time is smaller than the maximum number of wrong uses of the user identification information used this time, and if so, the communication module receives the first transmission data sent by the ID-card reading terminal.
4. The cloud authentication platform according to any one of claims 1 to 3, characterised in that the cloud authentication platform further comprises an authority control module;
the authority control module is configured, when the authentication security module uses the public key of the first key pair, to obtain the usage-mode information of the public key of the first key pair used this time and the attribute information of the public key of the first key pair used this time;
the authority control module judges whether the usage-mode information of the public key of the first key pair used this time is consistent with the attribute information of the public key of the first key pair, and if so, the authentication security module uses the public key of the first key pair.
5. The cloud authentication platform according to any one of claims 1 to 4, characterised in that the cloud authentication platform further comprises a database module and an authorization module;
the authentication security control module applies to the database module for an authentication decryption key;
the database module issues an encrypted authentication decryption key to the authentication security control module;
the authentication security control module applies to the authorization module for a decryption key for decrypting the encrypted authentication decryption key;
the authentication security control module decrypts the encrypted authentication decryption key with the decryption key to obtain the authentication decryption key.
6. The cloud authentication platform according to any one of claims 1 to 5, characterised in that the cloud authentication platform further comprises the authority control module;
the authority control module is configured, when the authentication security control module uses the authentication decryption key, to obtain the usage-mode information of the authentication decryption key used this time and the attribute information of the authentication decryption key used this time;
the authority control module judges whether the usage-mode information of the authentication decryption key used this time is consistent with the attribute information of the authentication decryption key, and if so, the authentication security control module uses the authentication decryption key.
7. The cloud authentication platform according to any one of claims 1 to 6, characterised in that the cloud authentication platform further comprises an authority control module;
the authority control module is configured, when the authentication security module uses the public key of the second key pair, to obtain the usage-mode information of the public key of the second key pair used this time and the attribute information of the public key of the second key pair used this time;
the authority control module judges whether the usage-mode information of the public key of the second key pair used this time is consistent with the attribute information of the public key of the second key pair, and if so, the authentication security module uses the public key of the second key pair.
8. The cloud authentication platform according to any one of claims 1 to 7, characterised in that the cloud authentication platform further comprises an authority control module;
the authority control module is configured, when the authentication security module uses the private key of the third key pair, to obtain the usage-mode information of the private key of the third key pair used this time and the attribute information of the private key of the third key pair used this time;
the authority control module judges whether the usage-mode information of the private key of the third key pair used this time is consistent with the attribute information of the private key of the third key pair, and if so, the authentication security module uses the private key of the third key pair.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610041100.8A CN106027252B (en) | 2016-01-21 | 2016-01-21 | A kind of cloud authentication platform in authentication ids system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610041100.8A CN106027252B (en) | 2016-01-21 | 2016-01-21 | A kind of cloud authentication platform in authentication ids system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106027252A true CN106027252A (en) | 2016-10-12 |
CN106027252B CN106027252B (en) | 2019-05-21 |
Family
ID=57082726
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610041100.8A Active CN106027252B (en) | 2016-01-21 | 2016-01-21 | A kind of cloud authentication platform in authentication ids system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106027252B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107483430A (en) * | 2017-08-09 | 2017-12-15 | 北京中软信科技有限公司 | A kind of testimony of a witness unification authentication method and device of the cloud identification of identity-based card |
CN107483429A (en) * | 2017-08-09 | 2017-12-15 | 北京中软信科技有限公司 | A kind of data ciphering method and device |
CN109474929A (en) * | 2018-12-29 | 2019-03-15 | 飞天诚信科技股份有限公司 | Power consumption mode adjusting method, device, electronic equipment and computer readable storage medium |
CN111600829A (en) * | 2019-02-21 | 2020-08-28 | 杭州萤石软件有限公司 | Secure communication method and system for Internet of things equipment |
CN112702305A (en) * | 2019-10-23 | 2021-04-23 | 中电智能科技有限公司 | System access authentication method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101276448A (en) * | 2007-03-29 | 2008-10-01 | 阿里巴巴集团控股有限公司 | Payment system and method performing trading with identification card including IC card |
CN101324942A (en) * | 2007-06-13 | 2008-12-17 | 阿里巴巴集团控股有限公司 | Payment system and method performing trade by identification card including IC card |
EP2940922A1 (en) * | 2014-04-29 | 2015-11-04 | Arnaud Pernel | Symmetric cryptosystems with public key based on the symmetric group |
Also Published As
Publication number | Publication date |
---|---|
CN106027252B (en) | 2019-05-21 |
Similar Documents
Publication | Title |
---|---|
CN106789018B (en) | Secret key remote acquisition methods and device |
CN103714634B (en) | A kind of method of main key of secure download terminal and system |
CN106027461A (en) | Secret key use method for cloud authentication platform in identity card authentication system |
CN109756485A (en) | Electronic contract signs method, apparatus, computer equipment and storage medium |
EP2765752B1 (en) | Method for equipping a mobile terminal with an authentication certificate |
CN107248075B (en) | Method and device for realizing bidirectional authentication and transaction of intelligent key equipment |
CN104798083B (en) | For the method and system of authentication-access request |
CN104393993B (en) | A kind of safety chip and its implementation for electricity-selling terminal |
CN109309565A (en) | A kind of method and device of safety certification |
CN106327184A (en) | Intelligent mobile terminal payment system and intelligent mobile terminal payment method based on safe hardware isolation |
CN103269271B (en) | A kind of back up the method and system of private key in electronic signature token |
CN106027252A (en) | Cloud authentication platform in identity card authentication system |
CN106713279A (en) | Video terminal identity authentication system |
KR20120108599A (en) | Credit card payment service using online credit card payment device |
CN112055019B (en) | Method for establishing communication channel and user terminal |
CN105162797A (en) | Bidirectional authentication method based on video surveillance system |
CN110519046A (en) | Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD |
CN105162607A (en) | Authentication method and system of payment bill voucher |
CN104579680B (en) | A kind of method of secure distribution seed |
CN102238193A (en) | Data authentication method and system using same |
CN103944724A (en) | User identity identification card |
CN103345703A (en) | Banking transaction authentication method and system based on image authentication |
CN106789024A (en) | A kind of remote de-locking method, device and system |
CN110401613A (en) | A kind of authentication management method and relevant device |
US20120284787A1 (en) | Personal Secured Access Devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |
 | GR01 | Patent grant | |
 | TR01 | Transfer of patent right | |
 | TR01 | Transfer of patent right | Effective date of registration: 20220407. Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094; Patentee after: TENDYRON Corp. Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing; Patentee before: Li Ming |