CN106027252A - Cloud authentication platform in identity card authentication system - Google Patents

Info

Publication number: CN106027252A
Authority: CN (China)
Prior art keywords: key, key pair, secret key, public key, authentication
Legal status: Granted; currently Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Application number: CN201610041100.8A
Other languages: Chinese (zh)
Other versions: CN106027252B (en)
Inventor: 李明
Current Assignee: Tendyron Corp (as listed; the assignee list may be inaccurate)
Original Assignee: 李明
Application filed by 李明; priority to CN201610041100.8A
Publication of CN106027252A; application granted and published as CN106027252B

Classifications

All entries fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/0823: Network architectures or network communication protocols for network security, for authentication of entities using certificates
    • H04L63/0807: Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos
    • H04L67/10: Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a cloud authentication platform in an identity card authentication system. The cloud authentication platform comprises a communication module, which receives first transmission data sent by an identity card reading terminal, sends second transmission data to the identity card reading terminal, receives third transmission data sent by the identity card reading terminal, and sends fourth transmission data to the identity card reading terminal. The cloud authentication platform also comprises an authentication security control module, which verifies first signature information with the public key of a first key pair; generates a session key; encrypts the session key with the public key of a second key pair to obtain a first encrypted session key; signs the first encrypted session key with the private key of a third key pair to obtain second signature information; and decrypts the third transmission data with the session key to obtain an identity card ciphertext, decrypts the identity card ciphertext to obtain an identity card plaintext, and encrypts the identity card plaintext with the session key to obtain the fourth transmission data.

Description

Cloud authentication platform in an identity card authentication system
Technical field
The present invention relates to the field of identity card authentication, and in particular to a cloud authentication platform in an identity card authentication system.
Background technology
In the prior art, a reader for second-generation resident identity cards has at least two modules: a card reading module and a SAM (Secure Access Module, the resident identity card verification security control module). The identity card information read by the card reading module is entirely ciphertext, and only the resident identity card verification security control module can decrypt that ciphertext to complete the reading of the identity card. This verification security control module is a special product designated by the Ministry of Public Security and is expensive. To reduce cost, a scheme now exists in which the verification security control module and the card reading module are deployed separately, so that multiple card reading devices share one verification security control module. In this scheme, how to use keys so that the security of the identity card reading process is guaranteed is a technical problem that urgently needs to be solved.
Summary of the invention
The present invention aims to solve at least one of the above problems: keys in the identity card authentication system are used by a cloud authentication platform, which guarantees the reliability of the keys in the identity card authentication system and the security of identity information during the identity card reading process.
The present invention provides a cloud authentication platform in an identity card authentication system.
To achieve the above object, the technical solution of the present invention is specifically realized as follows:
One aspect of the present invention provides a cloud authentication platform in an identity card authentication system, comprising:
A communication module, configured to receive first transmission data sent by an identity card reading terminal, where the first transmission data includes at least the public key certificate of a second key pair, the public key certificate of a first key pair, first encrypted information and first signature information; the first encrypted information is obtained by the identity card reading terminal encrypting session key request information with the public key of the first key pair, and the first signature information is obtained by the identity card reading terminal signing the first encrypted information with the private key of the first key pair; to send second transmission data to the identity card reading terminal, where the second transmission data includes at least the public key certificate of a third key pair, a first encrypted session key and second signature information; to receive third transmission data sent by the identity card reading terminal, where the third transmission data is obtained by the identity card reading terminal encrypting, with the session key, the identity card ciphertext it has read; and to send fourth transmission data to the identity card reading terminal;
An authentication security control module, configured to obtain the public key of the first key pair from the public key certificate of the first key pair and to verify the first signature information with that public key; if the verification result is correct, to decrypt the first encrypted information with an authentication decryption key to obtain second information; to generate a session key; to obtain the public key of the second key pair from the public key certificate of the second key pair and to encrypt the session key with that public key to obtain the first encrypted session key; to sign the first encrypted session key with the private key of the third key pair to obtain the second signature information; and to decrypt the third transmission data with the session key to obtain the identity card ciphertext, decrypt the identity card ciphertext to obtain the identity card plaintext, and encrypt the identity card plaintext with the session key to obtain the fourth transmission data.
In addition, the cloud authentication platform further comprises an acquisition module;
The acquisition module is further configured to obtain user identification information and to obtain the verification result for that user identification information; if the verification result is correct, the communication module receives the first transmission data sent by the identity card reading terminal.
In addition, the cloud authentication platform further comprises a permission control module;
Before the communication module receives the first transmission data sent by the identity card reading terminal, the permission control module obtains the maximum permitted number of erroneous uses of the user identification information currently in use and the current usage count of that user identification information;
The permission control module judges whether the current usage count of the user identification information in use is less than its maximum permitted number of erroneous uses, and if so, the communication module receives the first transmission data sent by the identity card reading terminal.
In addition, the cloud authentication platform further comprises a permission control module;
The permission control module is configured, when the authentication security module uses the public key of the first key pair, to obtain the usage-mode information for this use of the public key of the first key pair and the attribute information of the public key of the first key pair being used;
The permission control module judges whether the usage-mode information for this use of the public key of the first key pair is consistent with the attribute information of the public key of the first key pair, and if they are consistent, the authentication security module uses the public key of the first key pair.
In addition, the cloud authentication platform further comprises a memory (RAM) module;
The permission control module is further configured to store the public key of the first key pair being used in the RAM module before the authentication security module uses it;
After the authentication security module has used the public key of the first key pair, the permission control module removes that public key from the RAM module.
In addition, the cloud authentication platform further comprises a database module and an authorization module;
The authentication security control module applies to the database module for the authentication decryption key;
The database module issues an encrypted authentication decryption key to the authentication security control module;
The authentication security control module applies to the authorization module for a decryption key with which to decrypt the encrypted authentication decryption key;
The authentication security control module decrypts the encrypted authentication decryption key with that decryption key to obtain the authentication decryption key.
In addition, the cloud authentication platform further comprises a permission control module;
The permission control module is configured, when the authentication security control module uses the authentication decryption key, to obtain the usage-mode information for this use of the authentication decryption key and the attribute information of the authentication decryption key being used;
The permission control module judges whether the usage-mode information for this use of the authentication decryption key is consistent with the attribute information of the authentication decryption key, and if they are consistent, the authentication security control module uses the authentication decryption key.
In addition, the cloud authentication platform further comprises a memory (RAM) module;
The permission control module is further configured to store the authentication decryption key being used in the RAM module before the authentication security control module uses it;
After the authentication security control module has used the authentication decryption key, the permission control module removes that authentication decryption key from the RAM module.
In addition, the cloud authentication platform further comprises a permission control module;
The permission control module is configured, when the authentication security module uses the public key of the second key pair, to obtain the usage-mode information for this use of the public key of the second key pair and the attribute information of the public key of the second key pair being used;
The permission control module judges whether the usage-mode information for this use of the public key of the second key pair is consistent with the attribute information of the public key of the second key pair, and if they are consistent, the authentication security module uses the public key of the second key pair.
In addition, the cloud authentication platform further comprises a memory (RAM) module;
The permission control module is further configured to store the public key of the second key pair being used in the RAM module before the authentication security module uses it;
After the authentication security module has used the public key of the second key pair, the permission control module removes that public key from the RAM module.
In addition, the cloud authentication platform further comprises a permission control module;
The permission control module is configured, when the authentication security module uses the private key of the third key pair, to obtain the usage-mode information for this use of the private key of the third key pair and the attribute information of the private key of the third key pair being used;
The permission control module judges whether the usage-mode information for this use of the private key of the third key pair is consistent with the attribute information of the private key of the third key pair, and if they are consistent, the authentication security module uses the private key of the third key pair.
In addition, the cloud authentication platform further comprises a memory (RAM) module;
The permission control module is further configured to store the private key of the third key pair being used in the RAM module before the authentication security module uses it;
After the authentication security module has used the private key of the third key pair, the permission control module removes that private key from the RAM module.
Another aspect of the present invention provides an identity card cloud authentication system comprising the above identity card reading terminal and the above cloud authentication platform.
In the cloud authentication platform in an identity card authentication system provided by the present invention, keys are used by the cloud authentication platform, which guarantees the reliability of keys in the identity card authentication system and the security of identity information during the identity card reading process. Furthermore, by applying permission control to a key while it is in use, the usage mode of the key is checked, which guarantees that the key is used as intended.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the cloud authentication platform in the identity card authentication system using a key, according to Embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of the cloud authentication platform in the identity card authentication system of Embodiment 1 of the present invention;
Fig. 3 is an optional schematic structural diagram of the cloud authentication platform in the identity card authentication system of Embodiment 1 of the present invention.
Detailed description of the invention
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the protection scope of the present invention.
In the description of the present invention, it should be understood that terms indicating orientation or positional relationships, such as "center", "longitudinal", "lateral", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer", are based on the orientation or positional relationship shown in the drawings, serve only to simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be construed as limiting the present invention. In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise clearly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; or an internal connection between two elements. A person of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific circumstances.
The present invention is described below with reference to the drawings and embodiments.
Embodiment 1
This embodiment provides a method by which the cloud authentication platform in the identity card authentication system uses keys. Fig. 1 is a schematic flow chart of this method; as shown in Fig. 1, the method comprises the following steps (S101 to S108):
S101: The cloud authentication platform receives first transmission data, where the first transmission data includes at least the public key certificate of the second key pair, the public key certificate of the first key pair, first encrypted information and first signature information; the first encrypted information is obtained by the identity card reading terminal encrypting session key request information with the public key of the first key pair, and the first signature information is obtained by the identity card reading terminal signing the first encrypted information with the private key of the first key pair. The cloud authentication platform obtains the public key of the first key pair from the public key certificate of the first key pair and verifies the first signature information with it; if the verification result is correct, the cloud authentication platform decrypts the first encrypted information with the authentication decryption key to obtain second information;
In this embodiment, the cloud authentication platform is a verification platform that supports verifying identity card information: it authenticates the identity card information sent by the identity card reading terminal. That is, the cloud authentication platform includes the resident identity card verification security control module and authenticates second-generation identity card information. In a specific implementation, the cloud authentication platform may be a computer, for example a tablet, a desktop, a notebook or a large server; this is not limited in the embodiments of the present invention.
In this embodiment, since the public key of the first key pair is the verification key and its private key is the signing key, the identity card reading terminal signs the first encrypted information it sends to the cloud authentication platform with the private key of the first key pair to obtain the first signature information, which is carried in the first transmission data sent to the cloud authentication platform. After the cloud authentication platform receives the first transmission data, it obtains the public key of the first key pair from the public key certificate of the first key pair and verifies the first signature information with it. If the verification result is correct, the first signature information was indeed sent to the cloud authentication platform by the identity card reading terminal and was not tampered with in transit, so the cloud authentication platform has verified the identity of the identity card reading terminal. Therefore, if the verification result is correct, the cloud authentication platform decrypts the first encrypted information with the authentication decryption key to obtain the second information.
In an optional implementation of this embodiment, before the cloud authentication platform decrypts the first encrypted information with the authentication decryption key to obtain the second information, it first needs to obtain the authentication decryption key. Preferably, the public key of the first key pair is a symmetric key: the identity card reading terminal and the cloud authentication platform both obtain the same symmetric algorithm from the data server of the cloud authentication platform and use it to generate the public key of the first key pair.
In a specific implementation, the database server of the cloud authentication platform stores the algorithm that generates the public key of the first key pair. When the cloud authentication platform applies to its database server for the authentication decryption key, the database issues it the ciphertext of an authentication decryption key, which corresponds to the public key of the first key pair applied for by the identity card reading terminal. To obtain the plaintext of the authentication decryption key, the cloud authentication platform applies to its authorization server for an authorization decryption key, which is used to decrypt the ciphertext of the authentication decryption key; the authorization server judges the usage mode of the authentication decryption key and, if it passes the check, issues an authorization decryption key to the cloud authentication platform. The cloud authentication platform then decrypts the ciphertext of the authentication decryption key with the authorization decryption key to obtain its plaintext, and thus obtains the authentication decryption key.
With this optional implementation, the cloud authentication platform can obtain the authentication decryption key only after authorization by the authorization server, which prevents illegal use of the key algorithm in the database of the cloud authentication platform.
S102: The cloud authentication platform generates a session key;
In this embodiment, the cloud authentication platform may call a random number interface to obtain a random number of a preset length as the session key. The preset length may be 16 bytes or another length; for example, when the RC4 encryption algorithm is used it may be 1 to 256 bytes. Preferably, the RC4 encryption algorithm is used. Using the session key for data transmission between the identity card reading terminal and the cloud authentication platform guarantees the security of the data transmission link.
S103: The cloud authentication platform obtains the public key of the second key pair from the public key certificate of the second key pair and encrypts the session key with it to obtain the first encrypted session key;
In this embodiment, since the public key of the second key pair is the encryption key and its private key is the decryption key, the cloud authentication platform obtains the public key of the second key pair from its public key certificate and encrypts the session key with it to obtain the first encrypted session key. After the identity card reading terminal receives the first encrypted session key, it decrypts it with the private key of the second key pair to obtain the session key. This prevents the session key from being compromised while the cloud authentication platform transmits it to the identity card reading terminal, and thus guarantees that the session key received by the identity card reading terminal is secure.
S104: The cloud authentication platform signs the first encrypted session key with the private key of the third key pair to obtain second signature information;
In this embodiment, the third key pair is an asymmetric key pair consisting of the public key of the third key pair and the private key of the third key pair; the public key is the verification key and the private key is the signing key. In a specific implementation, the cloud authentication platform signs the first encrypted session key to be sent to the identity card reading terminal with the private key of the third key pair to obtain the second signature information. After the identity card reading terminal receives the second signature information, it verifies it with the public key of the third key pair; if the verification result is correct, the second signature information was indeed sent to the identity card reading terminal by the cloud authentication platform and was not tampered with in transit, so the identity card reading terminal has verified the identity of the cloud authentication platform.
In an optional implementation of this embodiment, before the cloud authentication platform uses the private key of the third key pair, it first needs to obtain the third key pair. In a specific implementation, the cloud authentication platform may obtain the third key pair from outside, or may generate the third key pair internally. To guarantee that the third key pair obtained by the cloud authentication platform is secure, the cloud authentication platform preferably generates it internally. With this optional implementation, because the cloud authentication platform generates the third key pair internally, the private key of the third key pair cannot be exported, while the public key of the third key pair can be exported carried in a public key certificate; internal generation by the cloud authentication platform ensures that the private key cannot be leaked, which guarantees the security of the third key pair.
S105: The cloud authentication platform sends second transmission data to the identity card reading terminal, where the second transmission data includes at least the public key certificate of the third key pair, the first encrypted session key and the second signature information;
In an optional implementation of this embodiment, before the cloud authentication platform sends the second transmission data to the identity card reading terminal, it first needs to obtain the public key certificate of the third key pair. In a specific implementation, every certificate obtained by the cloud authentication platform is issued by a digital certificate server, which is usually a certificate authority; the certificate authority generates the user's public key certificate from the issuer information, the user's public key information, the signature of the authority and the validity period, among other items.
In specific implementation process, if cloud authentication platform is internally generated the 3rd double secret key, cloud authentication platform obtains the 3rd double secret key During public key certificate, cloud authentication platform needs to send to digital certificate server, digital certificate server the PKI of the 3rd double secret key Information, the public key information of the 3rd double secret key, the signature of authority office and effect duration etc. according to visa-granting office are to described 3rd key To PKI carry out digital certificate and sign and issue operation and generate the public key certificate of the 3rd double secret key, and the public key certificate of the 3rd double secret key is sent out Deliver to cloud authentication platform;If cloud authentication platform obtains the 3rd double secret key from outside, then also obtain while obtaining and given birth to The public key certificate of the 3rd double secret key become.
By the optional embodiment of the present embodiment, cloud authentication platform, can be by the by obtaining the public key certificate of the 3rd double secret key The public key certificate of three double secret key is sent to identity card card-reading terminal so that identity card card-reading terminal uses the PKI pair of the 3rd double secret key The information received carries out sign test, so that identity card card-reading terminal confirms the identity of cloud authentication platform.
S106: the cloud authentication platform receives the third transmission data sent by the ID card reading terminal, where the third transmission data are obtained by the ID card reading terminal encrypting, with the session key, the ID card ciphertext it has read;
In this embodiment, once the session key has been confirmed between the ID card reading terminal and the cloud authentication platform, data can be transmitted under it. In a specific implementation, the ID card information read by the ID card reading terminal is usually in ciphertext form and the terminal cannot display the plaintext of the ID card information; it therefore has to send the ID card ciphertext to the cloud authentication platform for authentication. To protect the ID card ciphertext in transit, the ID card reading terminal first encrypts it with the session key to obtain the third transmission data, then sends the third transmission data to the cloud authentication platform.
S107: the cloud authentication platform decrypts the third transmission data with the session key to obtain the ID card ciphertext, decrypts the ID card ciphertext to obtain the ID card plaintext, and encrypts the ID card plaintext with the session key to obtain the fourth transmission data.
In this embodiment, after the cloud authentication platform receives the third transmission data, it first decrypts them with the session key to obtain the ID card ciphertext, then passes the ID card ciphertext to the verification security module of the cloud authentication platform, which decrypts it to obtain the ID card plaintext. To protect the ID card plaintext, the cloud authentication platform first encrypts it with the session key to obtain the fourth transmission data, then sends the fourth transmission data to the ID card reading terminal.
S108: the cloud authentication platform sends the fourth transmission data to the ID card reading terminal.
In this embodiment, the cloud authentication platform sends the fourth transmission data to the ID card reading terminal; after receiving them, the ID card reading terminal decrypts them with the session key to obtain the ID card plaintext, so that the ID card reading terminal obtains the ID card plaintext. In a specific implementation, the ID card reading terminal may have a display screen on which the ID card plaintext is shown for the user to read.
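The exchange of steps S106 to S108, both sides, as an added example that is not part of the patent: RC4 is implemented because the description names it as the preferred session cipher; the session key, the ID card record and the `sam_decrypt` stand-in for the verification security module are constructed for the demo. The block also checks two consequences a practitioner would want to see. With one RC4 key run from position zero in both directions the keystream is reused, so the XOR of the third and fourth transmission data equals the XOR of the ID card ciphertext and the ID card plaintext without knowledge of the session key; and with no integrity tag, flipping a bit of the fourth transmission data flips the same bit of the plaintext the terminal displays.

```python
"""Steps S106 to S108 under the session key, as an added example (not the
patent's code).  RC4 is used because the description names it as the
preferred session cipher; the session key, the ID card record and the
verification security module (SAM) stand-in are all constructed here."""
import secrets


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Stream cipher: encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def generate_session_key(length: int = 16) -> bytes:
    """S103: a random value of preset length (16 bytes here; RC4 accepts 1..256)."""
    if not 1 <= length <= 256:
        raise ValueError("RC4 key length must be between 1 and 256 bytes")
    return secrets.token_bytes(length)


# Constructed stand-in for the verification security module that turns the ID
# card ciphertext into plaintext; the real card scheme is not described on the page.
SAM_KEY = b"constructed-SAM-key"


def sam_decrypt(idcard_ciphertext: bytes) -> bytes:
    return rc4(SAM_KEY, idcard_ciphertext)


def terminal_third_transmission(session_key: bytes, idcard_ciphertext: bytes) -> bytes:
    """S106, terminal side: encrypt the ciphertext read from the card."""
    return rc4(session_key, idcard_ciphertext)


def cloud_fourth_transmission(session_key: bytes, third_data: bytes) -> bytes:
    """S107, cloud side: recover the ID card ciphertext, have the SAM decrypt
    it, then re-encrypt the plaintext under the same session key."""
    idcard_ciphertext = rc4(session_key, third_data)
    idcard_plaintext = sam_decrypt(idcard_ciphertext)
    return rc4(session_key, idcard_plaintext)


def terminal_recover_plaintext(session_key: bytes, fourth_data: bytes) -> bytes:
    """S108, terminal side: decrypt for display."""
    return rc4(session_key, fourth_data)


def run_exchange(session_key: bytes, idcard_plaintext: bytes):
    """Both sides of the exchange; returns (third_data, fourth_data, recovered)."""
    idcard_ciphertext = rc4(SAM_KEY, idcard_plaintext)   # what the card hands the terminal
    third = terminal_third_transmission(session_key, idcard_ciphertext)
    fourth = cloud_fourth_transmission(session_key, third)
    recovered = terminal_recover_plaintext(session_key, fourth)
    return third, fourth, recovered


def keystream_reuse_leak(session_key: bytes, idcard_plaintext: bytes) -> bool:
    """Caveat: both directions run RC4 from the same key and position, so the
    XOR of the two transmissions equals the XOR of the two underlying messages
    (card ciphertext XOR plaintext), computed here without the session key."""
    third, fourth, _ = run_exchange(session_key, idcard_plaintext)
    idcard_ciphertext = rc4(SAM_KEY, idcard_plaintext)
    return xor_bytes(third, fourth) == xor_bytes(idcard_ciphertext, idcard_plaintext)


def tamper_fourth_transmission(session_key: bytes, idcard_plaintext: bytes) -> bytes:
    """Caveat: no integrity check, so flipping one ciphertext bit flips the
    same plaintext bit and the terminal displays the altered record."""
    _, fourth, _ = run_exchange(session_key, idcard_plaintext)
    altered = bytearray(fourth)
    altered[0] ^= 0x01
    return terminal_recover_plaintext(session_key, bytes(altered))


if __name__ == "__main__":
    key = generate_session_key()
    record = b"constructed ID card record: NAME=ZHANG SAN"
    third, fourth, recovered = run_exchange(key, record)
    print("recovered ok:", recovered == record)
    print("keystream reuse leaks message XOR:", keystream_reuse_leak(key, record))
    print("tampered first byte:", tamper_fourth_transmission(key, record)[:1])
```

A deployment of this exchange needs a distinct key or nonce per direction (or a cipher with a nonce) and an integrity tag over each transmission; RC4 itself is deprecated, and RFC 7465 prohibits it in TLS.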
The way the cloud authentication platform in the ID card authentication system of this embodiment uses keys ensures the reliability of the keys in the ID card authentication system and the security of the identity information during the ID card reading process.
In an optional implementation of this embodiment, before step S101 the cloud authentication platform may also obtain the usage mode information of the public key of the first key pair for this use and the attribute information of that public key; the cloud authentication platform determines whether the usage mode information of the public key of the first key pair for this use is consistent with the attribute information of the public key of the first key pair; if so, step S101 is performed, otherwise it is not.
In a specific implementation, every piece of security information carries attribute information, which can be represented by several bytes. For example, the attribute information of the public key of the first key pair is "01", indicating that the public key of the first key pair is for signature verification; the attribute information of the public key of the second key pair is "10", indicating that the second key pair is for decryption; the attribute information of the private key of the third key pair is "11", indicating that the third key pair is for signing.
Before the cloud authentication platform uses security information, the usage mode information it obtains for the security information for this use can likewise be represented in 2 bytes. For example, if the usage mode of the security information for this use is signature verification, its usage mode information is "01"; if decryption, "10"; if signing, "11".
The cloud authentication platform determines whether the usage mode information of the security information for this use is consistent with the attribute information of that security information; if so, the cloud authentication platform may use the security information, otherwise it refuses to use it. For example, if the security information for this use is the public key of the first key pair and it is to be used for signature verification, the usage mode information is "01"; the attribute information of the public key of the first key pair is "01"; the two are consistent, so the cloud authentication platform may use the public key of the first key pair. As another example, if the security information for this use is the public key of the second key pair and it is to be used for signing, the usage mode information is "11", while the public key of the second key pair is for decryption and its attribute information is "10"; the two are inconsistent, so the cloud authentication platform refuses to use the public key of the second key pair.
Therefore, before using the public key of the first key pair, the cloud authentication platform first obtains the usage mode information of that public key for this use and its attribute information, determines whether the two are consistent, and uses the public key of the first key pair only if they are.
With this optional implementation, the attribute of the public key of the first key pair is defined (for example, a public key of the first key pair that may only verify signatures cannot be used for data encryption or decryption, and a key pair that may only encrypt or decrypt cannot be used for signing or signature verification) and the cloud authentication platform checks the usage mode of the public key of the first key pair, so that the cloud authentication platform directly refuses usage modes that are not allowed, ensuring the proper use of the public key of the first key pair.
In an optional implementation of this embodiment, before step S101 the cloud authentication platform may also store the public key of the first key pair for this use in the RAM of the security chip of the cloud authentication platform, and after step S101, that is, after the cloud authentication platform has finished using the public key of the first key pair, the cloud authentication platform clears the public key of the first key pair from the RAM of the security chip. In a specific implementation, when the security chip of the cloud authentication platform uses the public key of the first key pair it temporarily stores it in the RAM of the security chip, and once the application that used the public key of the first key pair has completed, the cloud authentication platform forcibly clears that public key from the security chip's internal RAM. With this optional implementation, no residual security information remains in the RAM of the security chip, avoiding a security risk.
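The usage-attribute check and the clearing of the working copy after use, as one added example that is not the patent's code and that also covers the identical checks the description applies later to the second key pair's public key and the third key pair's private key. The two-character codes are the ones given above ("01" verify, "10" decrypt, "11" sign); the `StoredKey` handle, the `bytearray` standing in for security-chip RAM and the key bytes are constructed for the demo.

```python
"""Key-usage attribute check and clearing of the working copy after use, as an
added example (not the patent's code).  The two-character codes are the ones
the description gives ("01" verify, "10" decrypt, "11" sign); the key handle,
the byte buffer standing in for security-chip RAM and the key material are
constructed for the demo."""
from contextlib import contextmanager

USAGE_VERIFY = "01"
USAGE_DECRYPT = "10"
USAGE_SIGN = "11"


class UsageMismatch(Exception):
    """Raised when the requested usage mode differs from the key's attribute."""


class StoredKey:
    """Key as held by the platform: material plus its attribute information."""

    def __init__(self, name: str, material: bytes, attribute: str):
        self.name = name
        self.material = bytes(material)   # immutable reference copy
        self.attribute = attribute


@contextmanager
def key_in_ram(key: StoredKey, requested_usage: str):
    """Refuse any usage mode that is not the key's attribute.  Otherwise load a
    working copy into a mutable buffer (the model of the security chip's RAM)
    and overwrite it with zeros when the operation finishes, even on error."""
    if requested_usage != key.attribute:
        raise UsageMismatch(
            f"{key.name}: attribute {key.attribute} does not allow usage {requested_usage}")
    buf = bytearray(key.material)
    try:
        yield buf
    finally:
        for i in range(len(buf)):
            buf[i] = 0


def use_key(key: StoredKey, requested_usage: str, operation):
    """Run `operation(buffer)` under the check; returns (result, buffer) so the
    caller can confirm the working copy was scrubbed."""
    with key_in_ram(key, requested_usage) as buf:
        result = operation(buf)
    return result, buf


def demo():
    """The two cases the description gives: first-pair public key used for
    verification (allowed), second-pair public key used for signing (refused)."""
    first_pub = StoredKey("first-pair public key", b"\x01" * 8, USAGE_VERIFY)
    second_pub = StoredKey("second-pair public key", b"\x02" * 8, USAGE_DECRYPT)
    used_len, buf = use_key(first_pub, USAGE_VERIFY, lambda b: len(b))
    try:
        use_key(second_pub, USAGE_SIGN, lambda b: b)
        refused = False
    except UsageMismatch:
        refused = True
    return used_len, bytes(buf), refused


if __name__ == "__main__":
    print(demo())   # (8, b'\x00...\x00', True)
```

Zeroing a `bytearray` is as close as a Python model gets, since the interpreter may hold other copies; in the security chip the equivalent is an explicit overwrite of the key slot by firmware before the slot is released.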
In an optional implementation of this embodiment, before step S101 the cloud authentication platform may also obtain user identification information for the cloud authentication platform and the verification result of that user identification information; if the verification result is correct, step S101 is performed. In a specific implementation, the user identification information may be a PIN code, a fingerprint, an iris, a face, and so on. When a user first logs in to the cloud authentication platform, the user enters a PIN code through physical keys and/or virtual keys, or enrols a fingerprint, iris or face through the infrared scanning area of the cloud authentication platform. Each time the cloud authentication platform starts work, the user identification information must be confirmed, so that the cloud authentication platform only starts work after the user's authorization, ensuring the safe use of the cloud authentication platform.
In an optional implementation of this embodiment, before step S101 the cloud authentication platform obtains user identification information for the cloud authentication platform, and also obtains the maximum number of erroneous uses of the user identification information for this use and the current use count of that user identification information; the cloud authentication platform determines whether the current use count of the user identification information for this use is less than its maximum number of erroneous uses; if so, S101 is performed, otherwise it is not.
In a specific implementation, the maximum number of erroneous uses of the user identification information can be represented in 1 byte; for example, a value of "3" means that the maximum number of erroneous uses of the user identification information is 3. When the cloud authentication platform uses the user identification information, the current use count it obtains for this use can also be represented in 1 byte; for example, if this is the 2nd use of the user identification information, the current use count of the user identification information for this use is "2".
The cloud authentication platform determines whether the current use count of the user identification information for this use is less than the maximum number of erroneous uses; if so, the cloud authentication platform may use the user identification information and verify it, otherwise it refuses to verify the user identification information. For example, if this is the 2nd use of the user identification information, the use count is "2" and the maximum number of erroneous uses is 3; since 2 is less than 3, the cloud authentication platform may use and verify the user identification information. As another example, if this is the 4th use, the current use count is "4" and the maximum number of erroneous uses is 3; since 4 is not less than 3, the cloud authentication platform refuses to verify the user identification information.
In addition, in a specific implementation, the current use count of the user identification information for this use can be kept by a counter: each time the user identification information is used, the counter corresponding to it is incremented by 1. For example, if the user identification information was used once before this use, the counter reads "1"; when it is used again this time the counter reads "2", so the current use count for this use is "2". The cloud authentication platform determines whether the counter value for this use is less than the maximum number of erroneous uses of the user identification information; if so (in the example, 2 is less than 3), it may use and verify the user identification information, otherwise it refuses to verify it.
With this optional implementation, by limiting the maximum number of erroneous uses of the user identification information, once the use count of the user identification information exceeds that maximum the application associated with the user identification information is locked, preventing illegal probing of the cloud authentication platform.
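The user-identification gate with its counter, as an added example that is not the patent's code. The description above compares a per-use counter against the maximum number of erroneous uses; the example instead counts only failed attempts and resets on success, which is the usual lockout behaviour and an assumption here, as are the PIN as the identification information, its salted PBKDF2 storage, the constant-time comparison and the maximum of 3.

```python
"""User-identification check with a try counter before step S101, as an added
example (not the patent's code).  The description counts every use of the
identification information against a maximum of erroneous uses; this example
instead counts only failed attempts and resets the counter on success, which is
the usual lockout behaviour and an assumption here, as are the PIN, its PBKDF2
storage and the maximum of 3."""
import hashlib
import hmac
import secrets

MAX_WRONG_USES = 3          # 1-byte value in the description; "3" means three tries


class LockedOut(Exception):
    """Raised once the counter has reached the maximum of erroneous uses."""


class UserIdentification:
    """Holds the enrolled PIN (as a salted PBKDF2 digest) and the try counter."""

    def __init__(self, pin: str, max_wrong: int = MAX_WRONG_USES):
        self.salt = secrets.token_bytes(16)
        self.digest = self._derive(pin)
        self.max_wrong = max_wrong
        self.wrong_uses = 0     # the counter

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 50_000)

    @property
    def locked(self) -> bool:
        return self.wrong_uses >= self.max_wrong

    def verify(self, pin: str) -> bool:
        """Check the counter first; refuse when it is not below the maximum."""
        if self.locked:
            raise LockedOut(f"{self.wrong_uses} wrong uses, maximum {self.max_wrong}")
        # Advance the counter before comparing, so that interrupting the check
        # (power loss, reset) cannot yield a free attempt.
        self.wrong_uses += 1
        if hmac.compare_digest(self._derive(pin), self.digest):
            self.wrong_uses = 0
            return True
        return False


def may_start_s101(ident: UserIdentification, pin: str) -> bool:
    """Gate on step S101: proceed only with a correct, unlocked identification."""
    try:
        return ident.verify(pin)
    except LockedOut:
        return False


if __name__ == "__main__":
    ident = UserIdentification("1234")   # constructed enrolment
    for attempt in ("0000", "1111", "2222", "1234"):
        print(attempt, "->", may_start_s101(ident, attempt), "wrong_uses:", ident.wrong_uses)
```

In a security chip the counter lives in non-volatile memory and is written before the comparison for the same reason the example increments first; reading it back after an interrupted attempt is what makes the lock stick.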
In an optional implementation of this embodiment, before step S103 the cloud authentication platform may also obtain the usage mode information of the public key of the second key pair for this use and the attribute information of that public key; the cloud authentication platform determines whether the usage mode information of the public key of the second key pair for this use is consistent with the attribute information of the public key of the second key pair; if so, step S103 is performed, otherwise it is not. This process is similar to the check of the usage mode of the public key of the first key pair described above and is not repeated here.
In an optional implementation of this embodiment, before step S103 the cloud authentication platform may also store the public key of the second key pair for this use in the RAM of the security chip of the cloud authentication platform, and after step S103, that is, after the cloud authentication platform has finished using the public key of the second key pair, the cloud authentication platform clears the public key of the second key pair from the RAM of the security chip. This process is similar to the storing and clearing of the public key of the first key pair described above and is not repeated here.
In an optional implementation of this embodiment, before step S104 the cloud authentication platform may also obtain the usage mode information of the private key of the third key pair for this use and the attribute information of that private key; the cloud authentication platform determines whether the usage mode information of the private key of the third key pair for this use is consistent with the attribute information of the private key of the third key pair; if so, step S104 is performed, otherwise it is not. This process is similar to the check of the usage mode of the public key of the first key pair described above and is not repeated here.
In an optional implementation of this embodiment, before step S104 the cloud authentication platform may also store the private key of the third key pair for this use in the RAM of the security chip of the cloud authentication platform, and after step S104, that is, after the cloud authentication platform has finished using the private key of the third key pair, the cloud authentication platform clears the private key of the third key pair from the RAM of the security chip. This process is similar to the storing and clearing of the public key of the first key pair described above and is not repeated here.
The method by which the cloud authentication platform in the ID card authentication system of this embodiment uses keys ensures the reliability of the security information and the security of the identity information during the ID card reading process. Further, by applying permission control to the keys while they are in use, the usage mode of each key is checked, ensuring that the keys are used properly.
Fig. 2 is a schematic structural diagram of the cloud authentication platform in the ID card authentication system of Embodiment 1 of the present invention. As shown in Fig. 2, the cloud authentication platform includes a communication module 21 and an authentication security control module 22.
The communication module 21 is configured to: receive the first transmission data sent by the ID card reading terminal, where the first transmission data include at least the public key certificate of the second key pair, the public key certificate of the first key pair, the first encrypted information and the first signature information, the first encrypted information being obtained by the ID card reading terminal encrypting the session key request information with the public key of the first key pair, and the first signature information being obtained by the ID card reading terminal signing the first encrypted information with the private key of the first key pair; send the second transmission data to the ID card reading terminal, where the second transmission data include at least the public key certificate of the third key pair, the first encrypted session key and the second signature information; receive the third transmission data sent by the ID card reading terminal, where the third transmission data are obtained by the ID card reading terminal encrypting, with the session key, the ID card ciphertext it has read; and send the fourth transmission data to the ID card reading terminal;
The authentication security control module 22 is configured to: obtain the public key of the first key pair from the public key certificate of the first key pair and verify the first signature information with the public key of the first key pair, and if the verification succeeds, decrypt the first encrypted information with the authentication decryption key to obtain the second information; generate the session key; obtain the public key of the second key pair from the public key certificate of the second key pair and encrypt the session key with the public key of the second key pair to obtain the first encrypted session key; sign the first encrypted session key with the private key of the third key pair to obtain the second signature information; decrypt the third transmission data with the session key to obtain the ID card ciphertext, decrypt the ID card ciphertext to obtain the ID card plaintext, and encrypt the ID card plaintext with the session key to obtain the fourth transmission data.
The cloud authentication platform in the ID card authentication system provided by this embodiment uses keys in a way that ensures the reliability of the keys in the ID card authentication system and the security of the identity information during the ID card reading process.
In this embodiment, the cloud authentication platform is a verification platform that supports verifying ID card information: it authenticates the ID card information sent by the ID card reading terminal. That is, the cloud authentication platform includes a resident ID card verification security control module and authenticates second-generation resident ID card information. In a specific implementation, the cloud authentication platform may be a computer, for example a tablet computer, a desktop computer, a notebook computer, a large server, and so on; the embodiments of the present invention do not limit this.
In this embodiment, because the public key of the first key pair is the signature verification key and the private key is the signing key, the ID card reading terminal signs, with the private key of the first key pair, the first encrypted information it sends to the communication module 21, obtaining the first signature information, and carries the first signature information in the first transmission data sent to the communication module 21. After the communication module 21 receives the first transmission data, the authentication security control module 22 can obtain the public key of the first key pair from the public key certificate of the first key pair and verify the first signature information with it. If the verification succeeds, the first signature information was indeed sent by the ID card reading terminal to the cloud authentication platform and was not tampered with in transit, so the cloud authentication platform has verified the identity of the ID card reading terminal. Therefore, if the verification succeeds, the authentication security control module 22 decrypts the first encrypted information with the authentication decryption key to obtain the second information.
In this embodiment, because the public key of the second key pair is the encryption key and the private key is the decryption key, the authentication security control module 22 obtains the public key of the second key pair from the public key certificate of the second key pair and encrypts the session key with it to obtain the first encrypted session key. After the ID card reading terminal receives the first encrypted session key, it can decrypt it with the private key of the second key pair to obtain the session key. This prevents the session key from being compromised while it is transmitted from the cloud authentication platform to the ID card reading terminal, so the session key received by the ID card reading terminal is secure.
In this embodiment, the authentication security control module 22 can call a random number interface to obtain a random number of a preset length as the session key. The preset length may be 16 bytes or another length; if the RC4 encryption algorithm is used it can be 1 to 256 bytes. Preferably, the RC4 encryption algorithm is used. Transmitting data between the ID card reading terminal and the cloud authentication platform under the session key secures the data transmission link. Note that RC4 is a stream cipher: it provides no integrity protection, its keystream must not be reused for more than one message under the same key, and its use in TLS has been prohibited since RFC 7465.
In the present embodiment, the 3rd double secret key is unsymmetrical key pair, wherein, the 3rd double secret key include the 3rd double secret key PKI and The private key of the 3rd double secret key.The PKI of the 3rd double secret key be sign test key, private key be signature key.In specific implementation process, recognize Card safety control module 22 uses the private key of the 3rd double secret key to enter the first encryption session key being sent to identity card card-reading terminal Row signature obtains the second signing messages, and after identity card card-reading terminal receives the second signing messages, identity card card-reading terminal uses the The PKI of three double secret key carries out sign test to the second signing messages, if sign test result is correct, illustrates that the second signing messages is strictly certification Safety control module 22 is sent to identity card card-reading terminal, and is not tampered with during transmission, it is achieved thereby that body The identity of cloud authentication platform is verified by part card card-reading terminal.
In an optional embodiment of the present embodiment, before certification safety control module 22 uses the private key of the 3rd double secret key, Need first to obtain the 3rd double secret key.In specific implementation process, it can be certification that certification safety control module 22 obtains the 3rd double secret key Safety control module 22 obtains the 3rd double secret key from outside, it is also possible to be that certification safety control module 22 is internally generated the 3rd key Right.It it is safe to ensure the 3rd double secret key that certification safety control module 22 obtains, it is preferred that certification safety control module 22 are internally generated the 3rd double secret key.By the optional embodiment of the present embodiment, owing to certification safety control module is internally generated Three double secret key, the private key of the 3rd double secret key can not derive, and the PKI of the 3rd double secret key can carry and export in public key certificate, logical Cross the mode using cloud authentication platform to be internally generated so that private key can not be revealed, it is ensured that the safety of the 3rd double secret key.
In another optional embodiment of the present embodiment, the second transmission data are sent to identity card Card Reader eventually by communication module 21 End, certification safety control module 22 needs first to obtain the public key certificate of the 3rd double secret key.In specific implementation process, certification is controlled safely The certificate that molding block 22 obtains all is signed and issued by digital certificate server, and digital certificate server is usually certificate visa-granting office, Certificate visa-granting office generates user according to information, the public key information of user, the signature of authority office and the effect duration etc. of visa-granting office Public key certificate.
In specific implementation process, if certification safety control module 22 is internally generated the 3rd double secret key, certification safety control module During the public key certificate that 22 obtain the 3rd double secret key, communication module 21 needs to send to digital certificate clothes the PKI of the 3rd double secret key Business device, digital certificate server is according to the information of visa-granting office, the public key information of the 3rd double secret key, the signature of authority office and has The effect phases etc. carry out digital certificate and sign and issue operation and generate the public key certificate of the 3rd double secret key the PKI of described 3rd double secret key, and by the The public key certificate of three double secret key sends to communication module 21;If certification safety control module 22 obtains the 3rd double secret key from outside, While obtaining, so also obtain the public key certificate of the 3rd double secret key generated.
By the optional embodiment of the present embodiment, certification safety control module, can by obtaining the public key certificate of the 3rd double secret key It is sent to identity card card-reading terminal so that identity card card-reading terminal uses the 3rd double secret key with the public key certificate by the 3rd double secret key The PKI information to receiving carries out sign test, so that identity card card-reading terminal confirms the identity of cloud authentication platform.
In this embodiment, once the session key has been confirmed between the ID card reader terminal and the cloud authentication platform, data can be transmitted under the session key. In a specific implementation, the ID card information read by the terminal is usually in ciphertext form and the terminal cannot display the plaintext of the ID card information. The terminal therefore has to send the ID card ciphertext to the authentication security control module 22 of the cloud authentication platform for authentication. To protect the ID card ciphertext in transit, the terminal first encrypts the ID card ciphertext with the session key to obtain the third transmission data, and then sends the third transmission data to the communication module 21 of the cloud authentication platform.
In this embodiment, after the communication module 21 receives the third transmission data, the authentication security control module 22 first decrypts the third transmission data with the session key to recover the ID card ciphertext, and then passes the ID card ciphertext to the verification security module of the cloud authentication platform, which decrypts it to obtain the ID card plaintext. To protect the ID card plaintext, the authentication security control module 22 first encrypts it with the session key to obtain the fourth transmission data, and then sends the fourth transmission data to the ID card reader terminal through the communication module 21. After receiving the fourth transmission data, the terminal decrypts it with the session key and so obtains the ID card plaintext. In a specific implementation the ID card reader terminal can have a display screen on which the ID card plaintext is shown for the user to read.
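The third/fourth transmission exchange described above, written out with both sides' messages. This is an added example and not code from the patent: the patent does not name its symmetric algorithm, so an encrypt-then-MAC construction built from HMAC-SHA256 (counter-mode keystream plus a tag) stands in for it, the `VerificationSecurityModule` class is a stand-in for the unspecified verification security module and is the only component holding the card key, and the `direction` labels (`third`, `fourth`, `idcard`) are an addition that stops a captured third transmission from being reflected back to the terminal as a fourth. All keys and the ID record are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate confidentiality and integrity keys from the one session key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; XOR is its own inverse, so this both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", offset // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes, direction: bytes) -> bytes:
    """Encrypt-then-MAC. `direction` is bound into the tag so a message only opens in the role it was sent in."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, direction + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, message: bytes, direction: bytes) -> bytes:
    """Check the tag in constant time before decrypting; altered or reflected messages raise ValueError."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, direction + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return _keystream_xor(enc_key, nonce, ct)


class VerificationSecurityModule:
    """Stand-in for the verification security module: sole holder of the card key."""

    def __init__(self, card_key: bytes):
        self._card_key = card_key

    def decrypt_id_card(self, id_card_ciphertext: bytes) -> bytes:
        return unseal(self._card_key, id_card_ciphertext, b"idcard")


# Terminal side: wrap the card ciphertext for the cloud, open the plaintext coming back.
def terminal_build_third_transmission(session_key: bytes, id_card_ciphertext: bytes) -> bytes:
    return seal(session_key, id_card_ciphertext, b"third")


def terminal_open_fourth_transmission(session_key: bytes, fourth_data: bytes) -> bytes:
    return unseal(session_key, fourth_data, b"fourth")


# Cloud side (communication module 21 + authentication security control module 22).
def cloud_handle_third_transmission(session_key: bytes, third_data: bytes, vsm: VerificationSecurityModule) -> bytes:
    id_card_ciphertext = unseal(session_key, third_data, b"third")
    id_card_plaintext = vsm.decrypt_id_card(id_card_ciphertext)
    return seal(session_key, id_card_plaintext, b"fourth")


# Constructed sample material: not real keys, not real ID data.
SAMPLE_CARD_KEY = hashlib.sha256(b"constructed card key").digest()
SAMPLE_SESSION_KEY = hashlib.sha256(b"constructed session key").digest()
SAMPLE_ID_PLAINTEXT = b"name=ZHANG SAN;id=000000000000000000"


def _sample_id_card_ciphertext() -> bytes:
    # What the reader terminal actually gets from the card: ciphertext it cannot open itself.
    return seal(SAMPLE_CARD_KEY, SAMPLE_ID_PLAINTEXT, b"idcard")


def example_exchange() -> bytes:
    vsm = VerificationSecurityModule(SAMPLE_CARD_KEY)
    third = terminal_build_third_transmission(SAMPLE_SESSION_KEY, _sample_id_card_ciphertext())
    fourth = cloud_handle_third_transmission(SAMPLE_SESSION_KEY, third, vsm)
    return terminal_open_fourth_transmission(SAMPLE_SESSION_KEY, fourth)


def example_reflected_third_rejected() -> bool:
    """A captured third transmission played back to the terminal as a 'fourth' must not open."""
    third = terminal_build_third_transmission(SAMPLE_SESSION_KEY, _sample_id_card_ciphertext())
    try:
        terminal_open_fourth_transmission(SAMPLE_SESSION_KEY, third)
    except ValueError:
        return True
    return False


def example_tampered_fourth_rejected() -> bool:
    vsm = VerificationSecurityModule(SAMPLE_CARD_KEY)
    third = terminal_build_third_transmission(SAMPLE_SESSION_KEY, _sample_id_card_ciphertext())
    fourth = bytearray(cloud_handle_third_transmission(SAMPLE_SESSION_KEY, third, vsm))
    fourth[NONCE_LEN] ^= 0x01  # flip one ciphertext bit in transit
    try:
        terminal_open_fourth_transmission(SAMPLE_SESSION_KEY, bytes(fourth))
    except ValueError:
        return True
    return False
```

The point the patent makes is that the ID card plaintext exists only inside the verification security module and, encrypted under the session key, on the wire; the terminal never sees the card key. A production build would use an AEAD such as AES-GCM in place of the HMAC stand-in, but would keep the two properties shown here: the tag is checked before any decryption, and the direction of the message is bound into the tag.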
The cloud authentication platform in the ID card authentication system provided by this embodiment ensures the reliability of the keys in the ID card authentication system and the security of the identity information during the ID card reading process.
In an optional embodiment, the cloud authentication platform further includes an acquisition module 23, as shown in Figure 3. The acquisition module 23 can obtain the user identification information for the cloud authentication platform together with the verification result for that information; if the verification result is correct, the communication module 21 receives the first transmission data sent by the ID card reader terminal. In a specific implementation the user identification information can be a PIN code, a fingerprint, an iris, a face and so on. When the user logs in to the cloud authentication platform for the first time, the user enters a PIN code through physical keys and/or virtual keys, or enrolls a fingerprint, iris or face through the infrared scanning area of the cloud authentication platform. Every time the cloud authentication platform starts working it has to confirm the user identification information, so that the platform only starts working after the user has authorized it, which ensures that the platform is used securely.
In an optional embodiment, the cloud authentication platform further includes a permission control module 24, as shown in Figure 3. The acquisition module 23 obtains the user identification information, and the permission control module 24 also obtains the maximum number of incorrect uses allowed for the user identification information being used and the current usage count of that user identification information. The permission control module 24 judges whether the current usage count of the user identification information being used is smaller than its maximum number of incorrect uses; if so, the communication module 21 receives the first transmission data sent by the ID card reader terminal, otherwise the communication module 21 does not receive the first transmission data.
In a specific implementation, the maximum number of incorrect uses of the user identification information can be represented by 1 byte; for example, a value of "3" means that the user identification information may be used incorrectly at most 3 times. The current usage count that the permission control module 24 obtains when the acquisition module 23 uses the user identification information can also be represented by 1 byte; for example, if this is the 2nd time the user identification information is used, its current usage count is "2".
The current usage count can be kept by a counter: every time the user identification information is used, the counter associated with it is incremented by 1. If the user identification information had been used once before, the counter reads "1"; when it is used again this time, the counter reads "2", and the current usage count is "2". The permission control module 24 judges whether the counter value of the user identification information being used is smaller than its maximum number of incorrect uses. If so, the acquisition module 23 may use the user identification information and verify it; otherwise the acquisition module 23 refuses to verify it. For example, on the 2nd use the current usage count is "2" and the maximum number of incorrect uses is 3; since 2 is less than 3, the acquisition module 23 may use and verify the user identification information. On the 4th use the current usage count is "4"; since 4 is not less than 3, the acquisition module 23 refuses to verify the user identification information.
Through this optional embodiment, by limiting the maximum number of incorrect uses of the user identification information, the application associated with that user identification information is locked once its usage count exceeds the maximum number of incorrect uses, which prevents illegal probing (guessing attacks) against the cloud authentication platform.
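The gate described above, as an added example that is not part of the patent. It keeps the patent's 1-byte counter and the strict "current count < maximum incorrect uses" comparison, and adds two things a practitioner would want that the patent does not state: the increment saturates at 255, because a 1-byte counter that wraps to 0 would silently unlock the record, and a successful verification resets the counter so that the budget counts wrong attempts rather than all uses. The PIN and record identifier are constructed sample values; the hash-and-compare check is a stand-in for whatever verification the acquisition module performs.

```python
import hashlib
import hmac

MAX_BYTE = 0xFF


class PermissionControl:
    """Per-record usage counter compared against a 1-byte maximum number of incorrect uses."""

    def __init__(self, max_wrong_uses: int):
        if not 0 < max_wrong_uses <= MAX_BYTE:
            raise ValueError("maximum must be positive and fit in one byte")
        self.max_wrong_uses = max_wrong_uses
        self._counters = {}  # record id -> current usage count

    def counter_byte(self, record_id: str) -> bytes:
        """1-byte representation of the current usage count, as in the patent."""
        return bytes([self._counters.get(record_id, 0)])

    def may_verify(self, record_id: str) -> bool:
        """The patent's check: the current count must be strictly less than the maximum."""
        return self._counters.get(record_id, 0) < self.max_wrong_uses

    def record_use(self, record_id: str) -> None:
        # Saturating increment (added here): wrapping 255 -> 0 would reopen a locked record.
        self._counters[record_id] = min(self._counters.get(record_id, 0) + 1, MAX_BYTE)

    def attempt(self, record_id: str, supplied: bytes, verify) -> str:
        if not self.may_verify(record_id):
            return "locked"            # refused without examining the supplied value
        self.record_use(record_id)     # count before verifying, so an aborted check still costs an attempt
        if verify(supplied):
            self._counters[record_id] = 0   # reset on success (added here; the patent does not say this)
            return "ok"
        return "wrong"


# Constructed sample: a PIN stored as a hash and compared in constant time.
_PIN_HASH = hashlib.sha256(b"1234").digest()


def _pin_ok(supplied: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(supplied).digest(), _PIN_HASH)


def example_lockout() -> list:
    """Three wrong PINs exhaust a maximum of 3; the fourth attempt is refused outright."""
    pc = PermissionControl(max_wrong_uses=3)
    return [pc.attempt("user-1", b"0000", _pin_ok) for _ in range(4)]


def example_success_resets() -> tuple:
    """Two wrong PINs then the right one: the attempt succeeds and the counter returns to zero."""
    pc = PermissionControl(max_wrong_uses=3)
    pc.attempt("user-1", b"0000", _pin_ok)
    pc.attempt("user-1", b"0000", _pin_ok)
    result = pc.attempt("user-1", b"1234", _pin_ok)
    return result, pc.counter_byte("user-1")


def example_counter_saturates() -> bool:
    """At 255 the counter stays at 255 and the record stays locked instead of wrapping to 0."""
    pc = PermissionControl(max_wrong_uses=3)
    pc._counters["user-1"] = MAX_BYTE
    pc.record_use("user-1")
    return pc.counter_byte("user-1") == b"\xff" and not pc.may_verify("user-1")
```

Incrementing before verifying matters: if the count were updated only after a completed comparison, an attacker who could cut power or abort the request mid-check would get unlimited free guesses.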
In another optional embodiment, the cloud authentication platform further includes a permission control module 24, and the permission control can consist of the permission control module 24 checking the purpose for which security information is used, where the security information may include the public key of the first key pair, the public key of the second key pair and the private key of the third key pair.
That is, before the authentication security control module 22 uses a piece of security information, the permission control module 24 obtains the usage mode information of the security information being used; when the authentication security control module 22 uses the security information, the permission control module 24 obtains the attribute information of the security information being used; the permission control module 24 then judges whether the usage mode information of the security information being used is consistent with its attribute information, and if it is, the authentication security control module 22 uses the security information.
In a specific implementation, each piece of security information also carries attribute information that describes its attribute. For example, the attribute information of the public key of the first key pair indicates that this public key is used for signature verification, and the acquisition module 23 obtains this attribute information together with the public key of the first key pair; the attribute information of the public key of the second key pair indicates that this public key is used for decryption, and the acquisition module 23 obtains it together with the public key of the second key pair; the attribute information of the private key of the third key pair indicates that this private key is used for signing, and the acquisition module 23 obtains it together with the private key of the third key pair.
In a specific implementation, the permission control that the permission control module 24 applies to the security information can be as follows. Before the authentication security control module 22 uses security information, the permission control module 24 obtains the usage mode information of the security information being used: before the public key of the first key pair is used, it obtains the usage mode information of that public key; before the public key of the second key pair is used, it obtains the usage mode information of that public key; before the private key of the third key pair is used, it obtains the usage mode information of that private key. The permission control module 24 judges whether the usage mode information of the security information being used is consistent with the attribute information of that security information; if consistent, the subsequent operation is performed, otherwise the authentication security control module 22 refuses to perform the subsequent operation.
In a specific implementation, the attribute information of security information can be represented by a few bytes. For example, the attribute information of the public key of the first key pair is "10", meaning that this public key is for signature verification; the attribute information of the public key of the second key pair is "11", meaning that this public key is for decryption; the attribute information of the private key of the third key pair is "01", meaning that this private key is for signing.
The usage mode information that the permission control module 24 obtains before the authentication security control module 22 uses security information can likewise be represented by 2 bytes: if the security information is to be used for signature verification, its usage mode information is "10"; if it is to be used for decryption, its usage mode information is "11"; if it is to be used for signing, its usage mode information is "01".
The permission control module 24 judges whether the usage mode information of the security information being used is consistent with its attribute information. If consistent, the authentication security control module 22 uses the security information; otherwise the authentication security control module 22 refuses to use it. For example, if the security information being used is the public key of the first key pair and it is to be used for signature verification, its usage mode information is "10" and the attribute information of that public key is "10"; the two match, so the authentication security control module 22 uses it. As another example, if the security information being used is the public key of the second key pair and it is to be used for signing, its usage mode information is "01", while that public key is for decryption and its attribute information is "11"; the two do not match, so the authentication security control module 22 refuses to use it.
Through this optional embodiment, by defining the attributes of the security information, for example that a key which may only sign cannot be used for data encryption or decryption, and that a key pair which may only encrypt or decrypt cannot be used for data signing or signature verification, the cloud authentication platform checks the usage mode of the security information and directly refuses any usage mode that is not permitted, ensuring that the security information is used as intended.
In another optional embodiment, the cloud authentication platform may further include a RAM module 25, as shown in Figure 3. The permission control that the permission control module 24 applies to the security information can be that, when the authentication security control module 22 uses security information, the permission control module 24 stores the security information being used in the RAM module, and after the authentication security control module 22 has used it, the permission control module 24 clears it from the RAM module.
In a specific implementation, when the authentication security control module 22 uses security information, the permission control module 24 can store the security information temporarily in the RAM module 25, and once the application that uses the security information has finished, the permission control module 24 forcibly clears it from the RAM module 25. For example, before the authentication security control module 22 uses the public key of the first key pair for signature verification, the permission control module 24 can read that public key from its storage address and place it in the RAM module; after the authentication security control module 22 has used the public key of the first key pair, the application that used it has finished, and the permission control module 24 forcibly clears it from the RAM module 25.
Through this optional embodiment it is ensured that no residual security information is left in the RAM module, avoiding a potential security risk.
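The two permission controls above, the attribute check and the load-into-RAM-then-clear discipline, combined in one added example that is not code from the patent. The attribute and usage-mode codes ("10" verify, "11" decrypt, "01" sign) are the patent's; the class and function names, the constructed 32-byte key material, and the use of HMAC-SHA256 as a stand-in for the real signature and decryption operations are assumptions made here. The `finally` block is the forced clearing of RAM module 25 and runs on every exit path, including an exception inside the operation.

```python
import hashlib
import hmac
from enum import Enum


class Usage(Enum):
    """Attribute / usage-mode codes with the values given in the patent."""
    VERIFY = "10"
    DECRYPT = "11"
    SIGN = "01"


class KeyRecord:
    """Security information plus its attribute information, read from its storage address on demand."""

    def __init__(self, name: str, material: bytes, attribute: Usage):
        self.name = name
        self.attribute = attribute
        self._storage = bytes(material)

    def read_from_storage(self) -> bytes:
        return self._storage


class PermissionControlModule:
    def __init__(self, records):
        self._records = {r.name: r for r in records}
        self.ram = bytearray()  # stands in for RAM module 25

    def use_key(self, name: str, usage_mode: Usage, operation):
        record = self._records[name]
        # 1. The requested usage mode must equal the key's attribute; refuse before touching the key.
        if usage_mode is not record.attribute:
            raise PermissionError(
                f"{name}: attribute {record.attribute.value} does not permit usage mode {usage_mode.value}")
        # 2. Load into RAM, run the operation, force-clear the buffer whatever happens.
        self.ram = bytearray(record.read_from_storage())
        try:
            return operation(self.ram)
        finally:
            for i in range(len(self.ram)):
                self.ram[i] = 0


# Constructed key material; HMAC-SHA256 stands in for the real signature/decryption algorithms.
MESSAGE = b"first encrypted session key (constructed)"


def _module() -> PermissionControlModule:
    return PermissionControlModule([
        KeyRecord("first_pair_public", hashlib.sha256(b"constructed key 1").digest(), Usage.VERIFY),
        KeyRecord("second_pair_public", hashlib.sha256(b"constructed key 2").digest(), Usage.DECRYPT),
        KeyRecord("third_pair_private", hashlib.sha256(b"constructed key 3").digest(), Usage.SIGN),
    ])


def _mac_with(key) -> bytes:
    return hmac.new(key, MESSAGE, hashlib.sha256).digest()


def example_permitted_use() -> bool:
    """Public key of the first key pair used for verification: '10' == '10', so the operation runs."""
    pc = _module()
    tag = pc.use_key("first_pair_public", Usage.VERIFY, _mac_with)
    expected = _mac_with(hashlib.sha256(b"constructed key 1").digest())
    return hmac.compare_digest(tag, expected)


def example_refused_use() -> bool:
    """Public key of the second key pair requested for signing: '01' != '11', refused before loading."""
    pc = _module()
    try:
        pc.use_key("second_pair_public", Usage.SIGN, _mac_with)
    except PermissionError:
        return len(pc.ram) == 0  # the key material never reached RAM
    return False


def example_ram_cleared() -> bool:
    """After a permitted use the RAM buffer still exists but holds only zeros."""
    pc = _module()
    pc.use_key("third_pair_private", Usage.SIGN, _mac_with)
    return len(pc.ram) == 32 and not any(pc.ram)
```

One caveat specific to the language used here: Python cannot stop the operation from making an immutable `bytes` copy of the buffer it is handed, and such a copy escapes the zeroization. In C or firmware the same discipline is implemented by keeping the key in a single buffer and clearing it with a call the compiler may not optimize away (`explicit_bzero` or an equivalent), which is what the patent's RAM module stands for.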
In another optional embodiment, the cloud authentication platform may further include a database module 26 and an authorization module 27, as shown in Figure 3. Before the authentication security control module 22 decrypts the first encrypted information with the authentication decryption key to obtain the second information, it first has to obtain the authentication decryption key. Preferably, the public key of the first key pair is a symmetric key; the ID card reader terminal and the cloud authentication platform can both obtain the same symmetric algorithm from the data server of the cloud authentication platform and generate the public key of the first key pair with it.
In a specific implementation, the database module 26 stores the algorithm that generates the public key of the first key pair. When the authentication security control module 22 applies to the database server of the cloud authentication platform for the authentication decryption key, the database module 26 issues to the authentication security control module 22 the ciphertext of an authentication decryption key, where this authentication decryption key corresponds to the public key of the first key pair applied for by the ID card reader terminal. To obtain the plaintext of the authentication decryption key, the authentication security control module 22 applies to the authorization module 27 for an authorization decryption key, which is used to decrypt the ciphertext of the authentication decryption key. The authorization module 27 judges the usage mode of the authentication decryption key and, if it passes authentication, issues an authorization decryption key to the authentication security control module 22. The authentication security control module 22 decrypts the ciphertext of the authentication decryption key with the authorization decryption key to obtain its plaintext, and has thus obtained the authentication decryption key.
Through this optional embodiment, the authentication security control module 22 can only obtain the authentication decryption key after authorization by the authorization module 27, which prevents illegal use of the key algorithm in the database module 26.
In summary, with the cloud authentication platform in the ID card authentication system provided by this embodiment, the way the cloud authentication platform uses keys ensures the reliability of the keys and the security of the identity information during the ID card reading process. Further, by applying permission control to the keys while they are in use, the usage mode of the keys is checked, ensuring that the keys are used as intended.
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
Those skilled in the art will appreciate that all or part of the steps carried by the methods of the above embodiments may be implemented by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiment or a combination thereof.
In the description of this specification, reference to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the invention without departing from its principles and spirit. The scope of the invention is defined by the appended claims and their equivalents.

Claims (8)

1. A cloud authentication platform in an ID card authentication system, characterized in that it comprises:
a communication module, for receiving first transmission data sent by an ID card reader terminal, wherein the first transmission data at least comprise a public key certificate of a second key pair, a public key certificate of a first key pair, first encrypted information and first signature information, wherein the first encrypted information is obtained by the ID card reader terminal encrypting session key request information with the public key of the first key pair, and the first signature information is obtained by the ID card reader terminal signing the first encrypted information with the private key of the first key pair; for sending second transmission data to the ID card reader terminal, wherein the second transmission data at least comprise a public key certificate of a third key pair, a first encrypted session key and second signature information; for receiving third transmission data sent by the ID card reader terminal, wherein the third transmission data are obtained by the ID card reader terminal encrypting, with the session key, the ID card ciphertext it has obtained; and for sending fourth transmission data to the ID card reader terminal;
an authentication security control module, for obtaining the public key of the first key pair from the public key certificate of the first key pair and verifying the first signature information with the public key of the first key pair, and, if the verification result is correct, decrypting the first encrypted information with an authentication decryption key to obtain second information; generating the session key; obtaining the public key of the second key pair from the public key certificate of the second key pair and encrypting the session key with the public key of the second key pair to obtain the first encrypted session key; signing the first encrypted session key with the private key of the third key pair to obtain the second signature information; decrypting the third transmission data with the session key to obtain the ID card ciphertext, decrypting the ID card ciphertext to obtain ID card plaintext, and encrypting the ID card plaintext with the session key to obtain the fourth transmission data.
2. The cloud authentication platform according to claim 1, characterized in that the cloud authentication platform further comprises an acquisition module;
the acquisition module is further for obtaining user identification information and obtaining a verification result of the user identification information, and if the verification result is correct, the communication module receives the first transmission data sent by the ID card reader terminal.
3. The cloud authentication platform according to claim 2, characterized in that the cloud authentication platform further comprises a permission control module;
the permission control module, before the communication module receives the first transmission data sent by the ID card reader terminal, obtains the maximum number of incorrect uses of the user identification information being used and the current usage count of the user identification information being used;
the permission control module judges whether the current usage count of the user identification information being used is smaller than the maximum number of incorrect uses of the user identification information being used, and if so, the communication module receives the first transmission data sent by the ID card reader terminal.
4. The cloud authentication platform according to any one of claims 1 to 3, characterized in that the cloud authentication platform further comprises a permission control module;
the permission control module, when the authentication security control module uses the public key of the first key pair, obtains the usage mode information of the public key of the first key pair being used and the attribute information of the public key of the first key pair being used;
the permission control module judges whether the usage mode information of the public key of the first key pair being used is consistent with the attribute information of the public key of the first key pair, and if consistent, the authentication security control module uses the public key of the first key pair.
5. The cloud authentication platform according to any one of claims 1 to 4, characterized in that the cloud authentication platform further comprises a database module and an authorization module;
the authentication security control module applies to the database module for an authentication decryption key;
the database module issues an encrypted authentication decryption key to the authentication security control module;
the authentication security control module applies to the authorization module for a decryption key for decrypting the encrypted authentication decryption key;
the authentication security control module decrypts the encrypted authentication decryption key with the decryption key to obtain the authentication decryption key.
6. The cloud authentication platform according to any one of claims 1 to 5, characterized in that the cloud authentication platform further comprises the permission control module;
the permission control module, when the authentication security control module uses the authentication decryption key, obtains the usage mode information of the authentication decryption key being used and the attribute information of the authentication decryption key being used;
the permission control module judges whether the usage mode information of the authentication decryption key being used is consistent with the attribute information of the authentication decryption key, and if consistent, the authentication security control module uses the authentication decryption key.
7. The cloud authentication platform according to any one of claims 1 to 6, characterized in that the cloud authentication platform further comprises a permission control module;
the permission control module, when the authentication security control module uses the public key of the second key pair, obtains the usage mode information of the public key of the second key pair being used and the attribute information of the public key of the second key pair being used;
the permission control module judges whether the usage mode information of the public key of the second key pair being used is consistent with the attribute information of the public key of the second key pair, and if consistent, the authentication security control module uses the public key of the second key pair.
8. The cloud authentication platform according to any one of claims 1 to 7, characterized in that the cloud authentication platform further comprises a permission control module;
the permission control module, when the authentication security control module uses the private key of the third key pair, obtains the usage mode information of the private key of the third key pair being used and the attribute information of the private key of the third key pair being used;
the permission control module judges whether the usage mode information of the private key of the third key pair being used is consistent with the attribute information of the private key of the third key pair, and if consistent, the authentication security control module uses the private key of the third key pair.
CN201610041100.8A 2016-01-21 2016-01-21 Cloud authentication platform in identity card authentication system Active CN106027252B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610041100.8A CN106027252B (en) 2016-01-21 2016-01-21 Cloud authentication platform in identity card authentication system

Publications (2)

Publication Number Publication Date
CN106027252A true CN106027252A (en) 2016-10-12
CN106027252B CN106027252B (en) 2019-05-21

Family

ID=57082726

Country Status (1)

Country Link
CN (1) CN106027252B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483430A (en) * 2017-08-09 2017-12-15 北京中软信科技有限公司 Person-and-credential consistency authentication method and device based on ID card cloud recognition
CN107483429A (en) * 2017-08-09 2017-12-15 北京中软信科技有限公司 Data encryption method and device
CN107483429B (en) * 2017-08-09 2019-10-11 北京中软信科技有限公司 Data encryption method and device
CN109474929A (en) * 2018-12-29 2019-03-15 飞天诚信科技股份有限公司 Power consumption mode adjusting method, device, electronic equipment and computer readable storage medium
CN109474929B (en) * 2018-12-29 2022-03-18 飞天诚信科技股份有限公司 Power consumption mode adjusting method and device, electronic equipment and computer readable storage medium
CN111600829A (en) * 2019-02-21 2020-08-28 杭州萤石软件有限公司 Secure communication method and system for Internet of things equipment
CN112702305A (en) * 2019-10-23 2021-04-23 中电智能科技有限公司 System access authentication method and device
CN112702305B (en) * 2019-10-23 2023-05-16 中电智能科技有限公司 System access authentication method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101276448A (en) * 2007-03-29 2008-10-01 阿里巴巴集团控股有限公司 Payment system and method performing trading with identification card including IC card
CN101324942A (en) * 2007-06-13 2008-12-17 阿里巴巴集团控股有限公司 Payment system and method performing trade by identification card including IC card
EP2940922A1 (en) * 2014-04-29 2015-11-04 Arnaud Pernel Symmetric cryptosystems with public key based on the symmetric group

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483430A (en) * 2017-08-09 2017-12-15 北京中软信科技有限公司 Person-and-ID-card unified authentication method and device based on identity card cloud identification
CN107483429A (en) * 2017-08-09 2017-12-15 北京中软信科技有限公司 Data encryption method and device
CN107483429B (en) * 2017-08-09 2019-10-11 北京中软信科技有限公司 Data encryption method and device
CN109474929A (en) * 2018-12-29 2019-03-15 飞天诚信科技股份有限公司 Power consumption mode adjustment method, device, electronic equipment and computer-readable storage medium
CN109474929B (en) * 2018-12-29 2022-03-18 飞天诚信科技股份有限公司 Power consumption mode adjustment method and device, electronic equipment and computer-readable storage medium
CN111600829A (en) * 2019-02-21 2020-08-28 杭州萤石软件有限公司 Secure communication method and system for Internet of things equipment
CN112702305A (en) * 2019-10-23 2021-04-23 中电智能科技有限公司 System access authentication method and device
CN112702305B (en) * 2019-10-23 2023-05-16 中电智能科技有限公司 System access authentication method and device

Also Published As

Publication number Publication date
CN106027252B (en) 2019-05-21

Similar Documents

Publication Publication Date Title
CN106789018B (en) Remote key acquisition method and device
CN103714634B (en) Method and system for securely downloading a terminal master key
CN106027461A (en) Key usage method for cloud authentication platform in identity card authentication system
CN109756485A (en) Electronic contract signing method, apparatus, computer equipment and storage medium
EP2765752B1 (en) Method for equipping a mobile terminal with an authentication certificate
CN107248075B (en) Method and device for realizing bidirectional authentication and transaction of intelligent key equipment
CN104798083B (en) Method and system for authenticating access requests
CN104393993B (en) Security chip for an electricity-selling terminal and its implementation method
CN109309565A (en) Security authentication method and device
CN106327184A (en) Intelligent mobile terminal payment system and intelligent mobile terminal payment method based on secure hardware isolation
CN103269271B (en) Method and system for backing up a private key in an electronic signature token
CN106027252A (en) Cloud authentication platform in identity card authentication system
CN106713279A (en) Video terminal identity authentication system
KR20120108599A (en) Credit card payment service using online credit card payment device
CN112055019B (en) Method for establishing communication channel and user terminal
CN105162797A (en) Bidirectional authentication method based on video surveillance system
CN110519046A (en) Quantum communication service station key negotiation method and system based on one-time asymmetric key pairs and QKD
CN105162607A (en) Authentication method and system for payment bill vouchers
CN104579680B (en) Method for secure distribution of seeds
CN102238193A (en) Data authentication method and system using same
CN103944724A (en) User identity identification card
CN103345703A (en) Banking transaction authentication method and system based on image authentication
CN106789024A (en) Remote unlocking method, device and system
CN110401613A (en) Authentication management method and related device
US20120284787A1 (en) Personal Secured Access Devices

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220407

Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094

Patentee after: TENDYRON Corp.

Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing

Patentee before: Li Ming