CN106027256B - An identity card card-reading response system - Google Patents
- Publication number: CN106027256B (application number CN201610244410.XA, also listed as CN201610244410A)
- Authority: CN (China)
- Prior art keywords: card, data, control module, identity card, safety control
- Prior art date
- Legal status: Active (as listed by Google; the status is an assumption and not a legal conclusion, and Google has not performed a legal analysis)
Classifications
(H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: network architectures or protocols for network security; H04L9/32: cryptographic mechanisms including means for verifying the identity or authority of a user or for message authentication; G06K: graphical data reading, record carriers)
- H04L63/0442: confidential data exchange over packet networks where the payload is protected and the sending and receiving entities apply asymmetric encryption (different keys for encryption and decryption)
- G06K7/00: methods or arrangements for sensing record carriers, e.g. for reading patterns
- H04L63/0823: authentication of entities using certificates
- H04L63/0869: authentication of entities achieving mutual authentication
- H04L63/0876: authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration, device fingerprint
- H04L63/12: applying verification of the received information
- H04L63/18: network security using different networks or channels, e.g. out-of-band channels
- H04L67/10: protocols in which an application is distributed across nodes in the network
- H04L9/3236: entity or message authentication using cryptographic hash functions
- H04L9/3247: entity or message authentication involving digital signatures
- H04L9/3263: entity or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
- H04L9/3268: certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H04L9/3271: entity or message authentication using challenge-response
- H04L9/3273: challenge-response for mutual authentication
Abstract
The invention discloses an identity card card-reading response system comprising an authentication security control module and a verification security control module. The authentication security control module receives identity card identification information sent by an identity card reading terminal and forwards it to the verification security control module. The verification security control module confirms the legitimacy of the identity card by means of a first authentication factor that it generates, and then requests the identity card to generate a second authentication factor; after the identity card has confirmed the legitimacy of the verification security control module by means of the second authentication factor, the authentication security control module performs security verification on a sixth data packet sent by the terminal and obtains the identity card data ciphertext. The verification security control module decrypts that ciphertext to obtain the identity card data plaintext, and the authentication security control module securely processes the plaintext into a seventh data packet, which it sends to the terminal. The invention simplifies the implementation of identity card card-reading responses and improves the security of identity card data communication.
Description
Technical field
The present invention relates to the field of electronic technology, and in particular to an identity card card-reading response system.
Background art
In existing schemes for reading identity card information, the identity card reading terminal must be used together with a verification security control module in order to read and display the information. Industries that need to read identity card information, such as banks and railway stations, therefore usually have to deploy a large number of terminals and verification security control modules locally and configure a correspondence between each terminal and its module, which makes the system complex to implement and costly. Moreover, the verification security control module applies no additional encryption, signing or similar processing to the identity card data it communicates, so the security of the communication is low.
Summary of the invention
The present invention aims to solve at least one of the above problems.
The main object of the present invention is to provide an identity card card-reading response system.
To achieve this object, the technical solution of the present invention is as follows.
The present invention provides an identity card card-reading response system comprising an authentication security control module and a verification security control module, which interact as follows:
1. The authentication security control module receives a card-reading request data packet sent by the identity card reading terminal, performs security verification on it, obtains the identity card identification information once verification passes, and sends that information to the verification security control module.
2. The verification security control module receives the identity card identification information, generates a first authentication factor, and sends it to the authentication security control module.
3. The authentication security control module securely processes the first authentication factor to obtain a first data packet and sends it to the terminal.
4. The authentication security control module receives a second data packet sent by the terminal, performs security verification on it, obtains first authentication data once verification passes, and sends that data to the verification security control module.
5. The verification security control module authenticates the first authentication data; once authentication passes, it generates an authentication factor application request and sends it to the authentication security control module.
6. The authentication security control module securely processes the authentication factor application request to obtain a third data packet and sends it to the terminal.
7. The authentication security control module receives a fourth data packet sent by the terminal, performs security verification on it, obtains a second authentication factor once verification passes, and sends it to the verification security control module.
8. The verification security control module processes the second authentication factor to obtain second authentication data and sends it to the authentication security control module.
9. The authentication security control module securely processes the second authentication data to obtain a fifth data packet and sends it to the terminal.
10. The authentication security control module receives a sixth data packet sent by the terminal, performs security verification on it, obtains the identity card data ciphertext once verification passes, and sends the ciphertext to the verification security control module.
11. The verification security control module decrypts the identity card data ciphertext to obtain the identity card data plaintext and sends it to the authentication security control module.
12. The authentication security control module securely processes the identity card data plaintext to obtain a seventh data packet and sends it to the terminal.
In addition, the data packets may be structured as follows (each of the following features is optional and may be combined with any of the others):
- The card-reading request data packet comprises a card-reading request data ciphertext and the signature value of that ciphertext. The authentication security control module verifies the signature value with the first certificate of the identity card reading terminal and, if verification passes, decrypts the ciphertext with the session key to obtain the identity card identification information.
- The first data packet comprises first encrypted data and first signed data. The authentication security control module encrypts the first authentication factor with the session key to obtain the first encrypted data, and signs the first encrypted data with its own private key to obtain the first signed data.
- The second data packet comprises a first ciphertext and its signature value. The module verifies the signature value with the terminal's first certificate and, if verification passes, decrypts the first ciphertext with the session key to obtain the first authentication data.
- The third data packet comprises second encrypted data and second signed data. The module encrypts the authentication factor application request with the session key to obtain the second encrypted data and signs it with its private key to obtain the second signed data.
- The fourth data packet comprises a second ciphertext and its signature value. The module verifies the signature value with the terminal's first certificate and, if verification passes, decrypts the second ciphertext with the session key to obtain the second authentication factor.
- The fifth data packet comprises third encrypted data and third signed data. The module encrypts the second authentication data with the session key to obtain the third encrypted data and signs it with its private key to obtain the third signed data.
- The sixth data packet comprises a third ciphertext and its signature value. The module verifies the signature value with the terminal's first certificate and, if verification passes, decrypts the third ciphertext with the session key to obtain the identity card data ciphertext.
- The seventh data packet comprises fourth encrypted data and fourth signed data. The module encrypts the identity card data plaintext with the session key to obtain the fourth encrypted data and signs it with its private key to obtain the fourth signed data.
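The packet pattern just described (every packet sent by the authentication security control module is session-key ciphertext plus a signature by the module's private key, and every packet received from the terminal is checked against the terminal's first certificate before it is decrypted) is shown below as an added Go example. It is not code from the patent or from any product. It assumes AES-256-GCM for the session-key encryption and RSA-PSS over SHA-256 for the signatures, which the text does not specify, and uses raw RSA public keys in place of the certificates. The session key is a constructed placeholder; its establishment is not part of this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Packet is the (encrypted data, signed data) pair every numbered data packet in
// the text is built from: a ciphertext under the session key plus the sender's
// signature over that ciphertext.
type Packet struct{ Ciphertext, Signature []byte }

// Party is one end of the channel: the reading terminal or the authentication
// security control module. PeerCert is the peer's public key, standing in for the
// certificate the text refers to (an assumption of this example).
type Party struct {
	priv     *rsa.PrivateKey
	PeerCert *rsa.PublicKey
	Session  []byte // shared session key; its establishment is not shown here
}

func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }

func (p *Party) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(p.Session) // 32-byte key: AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the plaintext with the session key (AES-GCM, assumed; the text
// names no cipher) and signs the ciphertext with the sender's private key
// (RSA-PSS over SHA-256, also assumed).
func (p *Party) Seal(plaintext []byte) (Packet, error) {
	gcm, err := p.aead()
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest(ct), nil)
	return Packet{ct, sig}, err
}

// Open verifies the signature with the peer's certificate first and decrypts
// only if it passes, the order the text prescribes for every received packet.
func (p *Party) Open(pkt Packet) ([]byte, error) {
	if err := rsa.VerifyPSS(p.PeerCert, crypto.SHA256, digest(pkt.Ciphertext), pkt.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed, packet discarded: %w", err)
	}
	gcm, err := p.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(pkt.Ciphertext) < ns {
		return nil, fmt.Errorf("packet too short")
	}
	return gcm.Open(nil, pkt.Ciphertext[:ns], pkt.Ciphertext[ns:], nil)
}

// NewPair creates a terminal and a module holding each other's public key and a
// shared session key supplied by the caller (a constructed placeholder here).
func NewPair(sessionKey []byte) (terminal, module *Party, err error) {
	tk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	mk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	terminal = &Party{priv: tk, PeerCert: &mk.PublicKey, Session: sessionKey}
	module = &Party{priv: mk, PeerCert: &tk.PublicKey, Session: sessionKey}
	return terminal, module, nil
}

func main() {
	key := digest([]byte("constructed session key, not a real one")) // 32 bytes
	term, mod, err := NewPair(key)
	if err != nil {
		panic(err)
	}
	pkt, _ := term.Seal([]byte("card-reading request (constructed sample)"))
	pt, err := mod.Open(pkt)
	fmt.Println(string(pt), err)
	pkt.Ciphertext[0] ^= 1 // tamper with one byte: Open must refuse before decrypting
	_, err = mod.Open(pkt)
	fmt.Println("tampered:", err)
}
```

The same Seal/Open pair serves both directions: the terminal's packets are opened by the module with the terminal's certificate, and the module's packets by the terminal with the module's. A packet whose signature does not verify is never handed to the cipher, so a tampered or mis-addressed packet is rejected before any plaintext exists.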
In addition, before performing security verification on the card-reading request data packet, the authentication security control module receives a session key request data packet sent by the identity card reading terminal, which comprises a first random factor, the signature value of the first random factor, and the first certificate of the terminal. The module verifies the legitimacy of the first certificate; once that passes, it verifies the signature value of the first random factor with the first certificate. If the signature verifies, the module generates a second random factor, encrypts the first and second random factors to obtain fifth encrypted data, signs the fifth encrypted data with its private key to obtain fifth signed data, and sends an eighth data packet comprising the fifth encrypted data and the fifth signed data to the terminal. After generating the second random factor, the module generates the session key from the first random factor and the second random factor.
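The session key request and the eighth data packet described above, as an added Go example that is not the patent's or any product's code. It assumes RSA-PSS over SHA-256 for the signature values, RSA-OAEP to the terminal's public key for encrypting the two random factors, and SHA-256 over their concatenation as the session key derivation; the text names none of these. Certificate legitimacy checking is not modelled: each side's public key is taken as already validated. The terminal's check that its own first random factor is echoed back is this example's addition.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }

// newKey generates a 2048-bit RSA key in place of a provisioned key pair.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// DeriveSessionKey: the text only says the key is generated from both random
// factors; hashing their concatenation is this example's choice.
func DeriveSessionKey(r1, r2 []byte) []byte {
	return digest(append(append([]byte{}, r1...), r2...))
}

// SignFactor produces the signature value the terminal sends with its first
// random factor (RSA-PSS over SHA-256, an assumed scheme).
func SignFactor(termKey *rsa.PrivateKey, r1 []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, termKey, crypto.SHA256, digest(r1), nil)
}

// Response is the "8th data packet": fifth encrypted data and fifth signed data.
type Response struct{ Enc5, Sig5 []byte }

// ModuleRespond is the authentication security control module's half. termCert is
// the terminal's public key, taken as already validated; RSA-OAEP is assumed.
func ModuleRespond(modKey *rsa.PrivateKey, termCert *rsa.PublicKey, r1, sigR1 []byte) (Response, []byte, error) {
	if err := rsa.VerifyPSS(termCert, crypto.SHA256, digest(r1), sigR1, nil); err != nil {
		return Response{}, nil, fmt.Errorf("first random factor rejected: %w", err)
	}
	r2 := make([]byte, 16)
	if _, err := rand.Read(r2); err != nil {
		return Response{}, nil, err
	}
	enc5, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, termCert, append(append([]byte{}, r1...), r2...), nil)
	if err != nil {
		return Response{}, nil, err
	}
	sig5, err := rsa.SignPSS(rand.Reader, modKey, crypto.SHA256, digest(enc5), nil)
	if err != nil {
		return Response{}, nil, err
	}
	return Response{enc5, sig5}, DeriveSessionKey(r1, r2), nil
}

// TerminalFinish is the terminal's half: verify the module's signature, decrypt,
// and refuse the response unless its own first random factor is echoed back.
func TerminalFinish(termKey *rsa.PrivateKey, modCert *rsa.PublicKey, r1 []byte, resp Response) ([]byte, error) {
	if err := rsa.VerifyPSS(modCert, crypto.SHA256, digest(resp.Enc5), resp.Sig5, nil); err != nil {
		return nil, fmt.Errorf("8th data packet rejected: %w", err)
	}
	both, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, termKey, resp.Enc5, nil)
	if err != nil {
		return nil, err
	}
	if len(both) != len(r1)+16 || !bytes.Equal(both[:len(r1)], r1) {
		return nil, fmt.Errorf("first random factor not echoed")
	}
	return DeriveSessionKey(r1, both[len(r1):]), nil
}

// Handshake runs both halves and returns the session key each side derived.
func Handshake(termKey, modKey *rsa.PrivateKey) (termSession, modSession []byte, err error) {
	r1 := make([]byte, 16)
	if _, err = rand.Read(r1); err != nil {
		return nil, nil, err
	}
	sigR1, err := SignFactor(termKey, r1)
	if err != nil {
		return nil, nil, err
	}
	resp, modSession, err := ModuleRespond(modKey, &termKey.PublicKey, r1, sigR1)
	if err != nil {
		return nil, nil, err
	}
	termSession, err = TerminalFinish(termKey, &modKey.PublicKey, r1, resp)
	return termSession, modSession, err
}

func main() {
	termKey, modKey := newKey(), newKey()
	ts, ms, err := Handshake(termKey, modKey)
	fmt.Printf("session keys agree: %v (err=%v)\n", bytes.Equal(ts, ms), err)
}
```

Because the module contributes its own random factor, a replayed session key request cannot force the same session key twice, and because the terminal checks the echoed first factor, a response recorded from an earlier exchange cannot be substituted for the current one.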
In addition, the certification safety control module, is also used in the card reading number of request for receiving the transmission of identity card card-reading terminal
Before packet, the card seeking request data package that the identity card card-reading terminal is sent is received, wherein the card seeking request data package packet
Include the first card of card seeking request data ciphertext, the signature value of the card seeking request data ciphertext and the identity card card-reading terminal
Book and the second certificate;The legitimacy of the First Certificate is verified, after being verified, using the First Certificate to institute
The signature value for stating card seeking request data ciphertext carries out signature verification and uses the certification of acquisition in the case where signature verification passes through
The card seeking request data ciphertext is decrypted in decruption key, obtains card seeking request data, and the card seeking request data is sent out
It send to the verifying safety control module;The verifying safety control module is also used to receive the card seeking request data, to institute
It states card seeking request data to be responded, generates card seeking request response data, and the card seeking request response data is sent to institute
State certification safety control module;The certification safety control module is also used to receive the card seeking request response data, uses meeting
Card seeking request response data described in words key pair is encrypted, and the 6th encryption data is obtained, using second certificate to described
Session key is encrypted, and obtains session key ciphertext, and using the private key of the certification safety control module to the described 6th
Encryption data and the session key ciphertext are signed, and the 6th signed data is obtained;Card seeking request response data packet is sent
To the identity card card-reading terminal, wherein the card seeking request response data packet includes the 6th encryption data and described the
Six signed datas.
Furthermore, the system also comprises a dispatch server and a cloud authentication database. Before the authentication security control module receives the card-seeking request data packet sent by the identity card reading terminal, the dispatch server obtains the identification information of the terminal and judges from it whether the terminal is allowed to read identity cards. If the terminal is allowed, then after receiving the card-seeking request data packet sent by the terminal, the dispatch server sends a working-state query request to the cloud authentication database. The cloud authentication database receives the working-state query request, queries the working state of each authentication security control module within the jurisdiction of the dispatch server, and sends the query result to the dispatch server. The dispatch server receives the query result, selects according to it an authentication security control module whose working state is idle, and sends the identification information of the selected module to the terminal.
In addition, the identification information of the identity card reading terminal comprises the first certificate and the second certificate, and the dispatch server judges whether the terminal is allowed to read identity cards as follows: it verifies the legitimacy of the first certificate and allows the terminal to read identity cards if verification passes, or refuses if it does not; and/or it verifies the legitimacy of the second certificate and allows the terminal to read identity cards if verification passes, or refuses if it does not.
In addition, after selecting an idle authentication security control module, the dispatch server generates an authentication code and sends it to both the identity card reading terminal and the cloud authentication database. The cloud authentication database stores the authentication code and deletes it when the validity period of the code is reached. The card-seeking request data packet further comprises an authentication code ciphertext. Before sending the card-seeking request data to the verification security control module, the authentication security control module decrypts the authentication code ciphertext to obtain the authentication code and queries the cloud authentication database for whether that code is stored; if it is stored, the module proceeds to send the card-seeking request data to the verification security control module, otherwise the process is terminated.
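The dispatch server, cloud authentication database and authentication code lifecycle described in the three paragraphs above, as an added Go example that is not the patent's or any product's code. Certificate legitimacy checking is reduced to a list of terminal identifiers the dispatcher accepts, the authentication code is 16 random bytes rendered as hex, and the cloud database deletes an expired code when it is next looked up; all three are assumptions of this example. The module and terminal identifiers are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ModuleState is the cloud authentication database's record for one module.
type ModuleState struct {
	ID   string
	Idle bool
}

// CloudAuthDB models the cloud authentication database: module working states
// plus the authentication codes issued by the dispatch server and their expiry.
type CloudAuthDB struct {
	modules []ModuleState
	codes   map[string]time.Time
}

func NewCloudAuthDB(modules []ModuleState) *CloudAuthDB {
	return &CloudAuthDB{modules: modules, codes: map[string]time.Time{}}
}

// QueryWorkingState answers the dispatch server's working-state query.
func (db *CloudAuthDB) QueryWorkingState() []ModuleState {
	return append([]ModuleState(nil), db.modules...)
}

// StoreCode records an authentication code together with its validity period.
func (db *CloudAuthDB) StoreCode(code string, expiry time.Time) { db.codes[code] = expiry }

// HasCode is the lookup the authentication security control module performs. A
// code whose validity period has been reached is deleted on sight (assumption).
func (db *CloudAuthDB) HasCode(code string, now time.Time) bool {
	expiry, ok := db.codes[code]
	if ok && !now.Before(expiry) {
		delete(db.codes, code)
		return false
	}
	return ok
}

// Dispatcher models the dispatch server. Certificate legitimacy checking is
// reduced to a set of accepted terminal identifiers (an assumption of this example).
type Dispatcher struct {
	db       *CloudAuthDB
	allowed  map[string]bool
	validity time.Duration
}

func NewDispatcher(db *CloudAuthDB, allowedTerminals []string, validity time.Duration) *Dispatcher {
	d := &Dispatcher{db: db, allowed: map[string]bool{}, validity: validity}
	for _, id := range allowedTerminals {
		d.allowed[id] = true
	}
	return d
}

// Dispatch refuses terminals that may not read identity cards, selects an idle
// module, and issues an authentication code recorded in the database with its expiry.
func (d *Dispatcher) Dispatch(terminalID string, now time.Time) (moduleID, code string, err error) {
	if !d.allowed[terminalID] {
		return "", "", errors.New("terminal is not permitted to read identity cards")
	}
	for _, m := range d.db.QueryWorkingState() {
		if m.Idle {
			moduleID = m.ID
			break
		}
	}
	if moduleID == "" {
		return "", "", errors.New("no idle authentication security control module")
	}
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	code = hex.EncodeToString(raw)
	d.db.StoreCode(code, now.Add(d.validity))
	return moduleID, code, nil
}

// AdmitCardSeeking is the module's gate before it forwards a card-seeking request:
// the decrypted authentication code must still be on record, otherwise the process ends.
func AdmitCardSeeking(db *CloudAuthDB, code string, now time.Time) bool {
	return db.HasCode(code, now)
}

func main() {
	db := NewCloudAuthDB([]ModuleState{{ID: "asc-1", Idle: false}, {ID: "asc-2", Idle: true}}) // constructed
	d := NewDispatcher(db, []string{"terminal-A"}, 5*time.Minute)
	now := time.Now()
	mod, code, err := d.Dispatch("terminal-A", now)
	fmt.Println(mod, code, err, AdmitCardSeeking(db, code, now), AdmitCardSeeking(db, code, now.Add(10*time.Minute)))
}
```

Passing the clock in explicitly keeps the expiry logic testable; in a deployment the code would be checked against the database's own clock, and the terminal would receive the code over the channel established earlier rather than as a return value.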
Furthermore: the authentication security control module clears the identity card identification information after sending it to the verification security control module; and/or, after security verification of the card-reading request data packet passes and the identity card identification information is obtained, the authentication security control module sends the identity card identification information to the dispatch server; and/or the dispatch server judges whether the identity card identification information is on an identity card blacklist and, if it is, sends indication information to the authentication security control module indicating that the identity card currently being read by the terminal is illegitimate.
In addition, after securely processing the identity card data plaintext to obtain the seventh data packet, the authentication security control module clears the identity card data plaintext.
In addition, the card-seeking request data comprises a timestamp and/or a terminal counter; after decrypting the card-seeking request data ciphertext with the obtained authentication decryption key to obtain the card-seeking request data, the authentication security control module sends the timestamp and/or terminal counter to the dispatch server.
As can be seen from the technical solution above, the present invention provides an identity card card-reading response system in which the verification security control module, which decrypts the ciphertext data read from the identity card, is not placed in the identity card reading terminal but in a cloud authentication platform. A terminal reads an identity card by connecting to the cloud authentication platform, which greatly reduces the user's implementation cost: industries such as banking, railway stations and insurance that must perform identity card information reading need only deploy the required number of terminals, with no need to deploy a large number of verification security control modules or to configure correspondences between modules and terminals, which simplifies implementation. At the same time, the authentication security control module is also placed in the cloud authentication platform, and the secure channel established between it and the terminal improves the security of communication between the identity card and the verification security control module and protects the identity card data in transit. The identity card and the verification security control module complete mutual authentication through the exchange of the first authentication factor and the second authentication factor; the verification security control module then decrypts the identity card data ciphertext to obtain the identity card data plaintext and sends it to the terminal, completing the reading of the identity card data.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the architecture of the identity card card-reading response system provided by an embodiment of the present invention.
Specific embodiment
With reference to the attached drawing in the embodiment of the present invention, technical solution in the embodiment of the present invention carries out clear, complete
Ground description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.Based on this
The embodiment of invention, every other implementation obtained by those of ordinary skill in the art without making creative efforts
Example, belongs to protection scope of the present invention.
In the description of the present invention, it should be understood that orientation or positional terms such as "center", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" indicate orientations or positional relationships based on those shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they should therefore not be understood as limiting the invention. In addition, the terms "first" and "second" are used for descriptive purposes only and should not be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: for example, as a fixed connection, a detachable connection or an integral connection; as a mechanical connection or an electrical connection; as a direct connection or an indirect connection through an intermediary; or as an internal communication between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific situation.
The embodiment of the present invention is described in further detail below in conjunction with attached drawing.
Fig. 1 is a schematic structural diagram of an identity card reading response system provided in an embodiment of the present invention. As shown in Fig. 1, the identity card reading response system provided in this embodiment mainly includes an authentication security control module 10 and a verification security control module 20.
The authentication security control module 10 is configured to receive a card reading request packet sent by an identity card reading terminal, perform security verification on the card reading request packet, obtain the identity card identification information after the security verification passes, and send the identity card identification information to the verification security control module 20. The verification security control module 20 is configured to receive the identity card identification information, generate a first authentication factor, and send the first authentication factor to the authentication security control module 10. The authentication security control module 10 is further configured to receive the first authentication factor, perform security processing on it to obtain a first data packet, and send the first data packet to the identity card reading terminal; and to receive a second data packet sent by the identity card reading terminal, perform security verification on it, obtain first authentication data after the verification passes, and send the first authentication data to the verification security control module 20. The verification security control module 20 is further configured to receive the first authentication data, authenticate it, generate an authentication factor application request after the authentication passes, and send that request to the authentication security control module 10. The authentication security control module 10 is further configured to receive the authentication factor application request, perform security processing on it to obtain a third data packet, and send the third data packet to the identity card reading terminal; and to receive a fourth data packet sent by the identity card reading terminal, perform security verification on it, obtain a second authentication factor after the verification passes, and send the second authentication factor to the verification security control module 20. The verification security control module 20 is further configured to receive the second authentication factor, process it to obtain second authentication data, and send the second authentication data to the authentication security control module 10. The authentication security control module 10 is further configured to receive the second authentication data, perform security processing on it to obtain a fifth data packet, and send the fifth data packet to the identity card reading terminal; and to receive a sixth data packet sent by the identity card reading terminal, perform security verification on it, obtain the identity card data ciphertext after the verification passes, and send the identity card data ciphertext to the verification security control module 20. The verification security control module 20 is further configured to receive the identity card data ciphertext, decrypt it to obtain the identity card data plaintext, and send the plaintext to the authentication security control module 10. The authentication security control module 10 is further configured to perform security processing on the identity card data plaintext to obtain a seventh data packet, and to send the seventh data packet to the identity card reading terminal.
In this embodiment, the identity card identification information is information unique to the identity card, such as its serial number, application data indicating the applications configured in the card, transport protocol information (for example, the transport protocol type, bit rate and maximum frame size), and so on. The identity card reading terminal cannot interpret the identity card identification information directly; it has to be decrypted by the verification security control module 20, which is authorized by the Ministry of Public Security.
As an optional implementation of this embodiment, the card reading request packet includes a card reading request data ciphertext and a signature value of that ciphertext. The card reading request data ciphertext is obtained by the identity card reading terminal encrypting, with the session key, the card reading request data containing the identity card identification information; the signature value is obtained by the identity card reading terminal signing the ciphertext with its own first private key. Specifically, the identity card reading terminal computes a digest of the card reading request data ciphertext with a hash algorithm and encrypts that digest with its first private key, which yields the signature value of the card reading request data ciphertext. The authentication security control module 10 is specifically configured to verify the signature value using the first certificate of the identity card reading terminal and, if the verification passes, to decrypt the card reading request data ciphertext with the session key to obtain the identity card identification information. Specifically, the authentication security control module 10 first decrypts the signature value with the first public key contained in the first certificate of the identity card reading terminal to obtain the digest of the ciphertext, computes a digest of the received ciphertext with the hash algorithm, and compares the decrypted digest with the computed one; if they are the same, the signature verification passes, otherwise the identity card reading response process is terminated. If the verification passes, the ciphertext is decrypted with the session key to obtain the identity card identification information. The first certificate contains at least the first public key of the identity card reading terminal; the terminal's first public key and first private key are an asymmetric key pair.
If the authentication security control module 10 can decrypt the signature value with the first public key of the identity card reading terminal, the received signature value was issued by the identity card reading terminal and the data source is legitimate; if it cannot, the signature value was not issued by the identity card reading terminal and the data source is illegitimate. Verifying the signature value of the card reading request data ciphertext therefore confirms the legitimacy of the data source. If the card reading request data ciphertext is tampered with in transit by an attacker, the digest that the authentication security control module 10 computes over the tampered ciphertext during signature verification will necessarily differ from the digest it obtains by decrypting the signature value with the terminal's first public key, so the signature verification fails. Verifying the signature value therefore also determines whether the card reading request data ciphertext has been tampered with, and guarantees the integrity of the received ciphertext. If the authentication security control module 10 cannot decrypt the received card reading request data ciphertext with the session key it shares with the identity card reading terminal, the ciphertext was not issued by the identity card reading terminal; decrypting the ciphertext therefore also confirms the legitimacy of the data source. If a third party intercepts the card reading request data ciphertext, it cannot decrypt it, because it does not hold the session key shared by the authentication security control module 10 and the identity card reading terminal, and so cannot obtain the card reading request data; encrypting the card reading request data thus prevents it from being illegitimately stolen or read in network transmission and guarantees its transmission security. It should be noted that the signature verification process described here applies to the rest of this embodiment as well, and the signature verification steps referred to below will not be described again in detail.
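The packet handling described above (session-key encryption of the request data, a signature over the ciphertext, signature verification before decryption, and abort on either failure), as an added example in Go that is not the patent's code. AES-GCM for the session-key encryption, RSA PKCS#1 v1.5 over SHA-256 for the signature, and the nonce-prefixed ciphertext layout are choices made for this example; the same two routines serve every later data packet in this embodiment, with the roles of sender and receiver swapped as appropriate.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Packet mirrors the page's data packet layout: a ciphertext produced with the
// shared session key plus a signature value over that ciphertext.
type Packet struct {
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag (layout chosen for this example)
	Signature  []byte // RSA PKCS#1 v1.5 signature over SHA-256(Ciphertext)
}

// GenerateSignerKey produces a fresh asymmetric key pair for one party
// (constructed for the demo; a deployed terminal would carry a certified key).
func GenerateSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPacket is the sender side (for example the reading terminal building the
// card reading request packet): encrypt with the session key, hash the
// ciphertext, and sign the digest with the sender's private key.
func SealPacket(sessionKey []byte, senderPriv *rsa.PrivateKey, data []byte) (Packet, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Packet{}, err
	}
	ct := gcm.Seal(nonce, nonce, data, nil) // nonce is prefixed so the receiver can find it
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return Packet{}, err
	}
	return Packet{Ciphertext: ct, Signature: sig}, nil
}

// OpenPacket is the receiver side (the authentication security control module):
// verify the signature with the sender's certified public key first, and only
// then decrypt with the session key. Either failure aborts the response process.
func OpenPacket(sessionKey []byte, senderPub *rsa.PublicKey, p Packet) ([]byte, error) {
	digest := sha256.Sum256(p.Ciphertext)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], p.Signature); err != nil {
		return nil, errors.New("signature verification failed: not from the certified sender, or tampered")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(p.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, p.Ciphertext[:ns], p.Ciphertext[ns:], nil)
	if err != nil {
		return nil, errors.New("decryption failed: session key mismatch or tampered ciphertext")
	}
	return pt, nil
}

func main() {
	// Constructed demo values: a random session key and a fresh terminal key pair.
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		panic(err)
	}
	terminalKey, err := GenerateSignerKey()
	if err != nil {
		panic(err)
	}
	pkt, err := SealPacket(sessionKey, terminalKey, []byte("card-id:CONSTRUCTED-0001"))
	if err != nil {
		panic(err)
	}
	got, err := OpenPacket(sessionKey, &terminalKey.PublicKey, pkt)
	fmt.Printf("opened: %q err=%v\n", got, err)

	// Flip one ciphertext byte in transit: the digest no longer matches the signature.
	tampered := Packet{Ciphertext: append([]byte(nil), pkt.Ciphertext...), Signature: pkt.Signature}
	tampered.Ciphertext[len(tampered.Ciphertext)-1] ^= 0x01
	_, err = OpenPacket(sessionKey, &terminalKey.PublicKey, tampered)
	fmt.Println("tampered packet rejected:", err != nil)
}
```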
As an optional implementation of this embodiment, the system further includes the following. The authentication security control module 10 is further configured to delete the identity card identification information after sending it to the verification security control module 20. And/or the authentication security control module 10 is further configured to send the identity card identification information to a dispatch server 30 after obtaining it from a card reading request packet whose security verification has passed. And/or the dispatch server 30 is configured to determine whether the identity card identification information is on an identity card blacklist and, if so, to send indication information to the authentication security control module 10 indicating that the identity card currently being read by the identity card reading terminal is illegitimate. In this optional implementation, the dispatch server 30 is likewise deployed on the cloud authentication platform; the dispatch server 30 may determine, according to the identity card identification information, the identification information of the identity card reading terminal and a preset policy, whether to add the identification information of the identity card reading terminal to a blacklist or a control list.
As an optional implementation of this embodiment, the authentication security control module 10 is further configured to delete the identity card identification information after sending it to the verification security control module 20. Deleting the decrypted plaintext identification information immediately after it has been forwarded to the verification security control module 20 means that no identity card information is retained, which protects the user's privacy and security.
In this embodiment, before the verification security control module 20 receives the identity card data ciphertext sent by the identity card, the identity card and the verification security control module 20 perform two-way authentication, whose purpose is to ensure that both the identity card and the verification security control module 20 are legitimate. The verification security control module 20 authenticates the identity card by means of the first authentication factor. The first authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters.
As an optional implementation of this embodiment, the first data packet includes first encrypted data and first signature data. The authentication security control module 10 is specifically configured to encrypt the first authentication factor with the session key to obtain the first encrypted data, and to sign the first encrypted data with its own private key to obtain the first signature data. Specifically, the authentication security control module 10 computes a digest of the first encrypted data with the hash algorithm and encrypts that digest with its private key, which yields the first signature data. The authentication security control module 10 then sends the first data packet, containing the first encrypted data and the first signature data, to the identity card reading terminal. Because the first authentication factor is encrypted with the session key, a third party that intercepts the first encrypted data cannot recover the first authentication factor: it does not hold the session key and so cannot decrypt the first encrypted data, and only the identity card reading terminal, which holds the same session key, can decrypt it. The first authentication factor is thus effectively prevented from being illegitimately stolen or read in network transmission, which guarantees the security of its transmission. After the authentication security control module 10 sends the first signature data to the identity card reading terminal, the terminal performs signature verification: if the terminal can decrypt the first signature data with the public key of the authentication security control module 10, the received first signature data was issued by the authentication security control module 10 and the data source is legitimate; if it cannot, the first signature data was not issued by the authentication security control module 10 and the data source is illegitimate. Signing the first encrypted data therefore lets the identity card reading terminal confirm the legitimacy of the data source. If the first encrypted data is tampered with in transit by an attacker, the digest the terminal computes over the tampered first encrypted data during signature verification will necessarily differ from the digest it obtains by decrypting the first signature data with the public key of the authentication security control module 10, so the signature verification fails; signing the first encrypted data therefore prevents undetected tampering and guarantees the integrity of the first encrypted data received by the terminal. In this optional implementation, the certificate of the authentication security control module 10 must be sent to the identity card reading terminal. This certificate contains at least the public key of the authentication security control module 10; that public key and the private key of the authentication security control module 10 are an asymmetric key pair. The identity card reading terminal verifies the first signature data with this public key and, after the verification passes, decrypts the first encrypted data with the session key to obtain the first authentication factor, which it sends to the identity card. It should be noted that the signing process described here applies to the rest of this embodiment as well, and the signing steps referred to below will not be described again in detail.
In this embodiment, after the identity card receives the first authentication factor sent by the identity card reading terminal, it processes the first authentication factor with a preset processing algorithm authorized by the Ministry of Public Security to obtain first authentication data, and sends the first authentication data to the identity card reading terminal. The identity card reading terminal performs security processing on the first authentication data to obtain a second data packet and sends the second data packet to the authentication security control module 10. The identity card may process the first authentication factor in, but not limited to, the following ways. Mode one: the identity card computes a MAC over the first authentication factor with a security key, and the resulting MAC value is the first authentication data. Mode two: the identity card encrypts the first authentication factor with the security key to obtain the first authentication data. The security key is preconfigured in legitimate identity cards, and only legitimate identity cards hold it.
As an optional implementation of this embodiment, the second data packet includes a first ciphertext and a signature value of the first ciphertext. The first ciphertext is obtained by the identity card reading terminal encrypting the first authentication data with the session key, and the signature value is obtained by the terminal signing the first ciphertext with its own first private key. The authentication security control module 10 is specifically configured to verify the signature value of the first ciphertext using the first certificate of the identity card reading terminal and, if the verification passes, to decrypt the first ciphertext with the session key to obtain the first authentication data; otherwise the identity card reading response process is terminated. If the authentication security control module 10 can decrypt the signature value with the first public key of the identity card reading terminal, the received signature value was issued by the identity card reading terminal and the data source is legitimate; if it cannot, the signature value was not issued by the identity card reading terminal and the data source is illegitimate. Verifying the signature value of the first ciphertext therefore confirms the legitimacy of the data source. If the first ciphertext is tampered with in transit by an attacker, the digest the authentication security control module 10 computes over the tampered first ciphertext during signature verification will necessarily differ from the digest it obtains by decrypting the signature value with the terminal's first public key, so the verification fails; verifying the signature value therefore determines whether the first ciphertext has been tampered with and guarantees the integrity of the received first ciphertext. If the authentication security control module 10 cannot decrypt the received first ciphertext with the session key it shares with the identity card reading terminal, the first ciphertext was not issued by the identity card reading terminal, so decrypting the first ciphertext also confirms the legitimacy of the data source. If a third party intercepts the first ciphertext, it cannot decrypt it, because it does not hold the session key shared by the authentication security control module 10 and the identity card reading terminal, and so cannot obtain the first authentication data; encrypting the first authentication data thus prevents it from being illegitimately stolen or read in network transmission and guarantees its transmission security.
In this embodiment, the verification security control module 20 authenticates the received first authentication data with a preconfigured authentication algorithm authorized by the Ministry of Public Security. If the authentication passes, the legitimacy of the identity card is established, that is, the identity card is genuine and legitimate; the verification security control module 20 then generates an authentication factor application request and sends it to the authentication security control module 10. The verification security control module 20 may authenticate the first authentication data in, but not limited to, the following ways. Mode one: the verification security control module 20 computes a MAC over the first authentication factor it generated, using the security key corresponding to the identity card identification information, and compares the computed MAC value with the received first authentication data; if they are the same, the authentication of the first authentication data passes. Mode two: the verification security control module 20 decrypts the received first authentication data with the security key corresponding to the identity card identification information to obtain an authentication factor, and compares the decrypted authentication factor with the first authentication factor it generated; if they are the same, the authentication passes. Mode three: the verification security control module 20 encrypts the first authentication factor it generated with the security key corresponding to the identity card identification information to obtain authentication data, and compares that authentication data with the received first authentication data; if they are the same, the authentication passes. If the authentication of the first authentication data passes, the security key used by the identity card is the same as the security key used by the verification security control module 20, which shows that the identity card is a legitimate identity card; by authenticating the first authentication data, the verification security control module 20 thus confirms the legitimacy of the identity card. The verification security control module 20 computes the security key corresponding to the identity card identification information from preset information. Optionally, if the authentication of the first authentication data fails, the identity card reading response process is terminated.
As an optional implementation of this embodiment, the third data packet includes second encrypted data and second signature data. The authentication security control module 10 is specifically configured to encrypt the authentication factor application request with the session key to obtain the second encrypted data, and to sign the second encrypted data with its own private key to obtain the second signature data; the authentication security control module 10 then sends the third data packet, containing the second encrypted data and the second signature data, to the identity card reading terminal. Because the authentication factor application request is encrypted with the session key, a third party that intercepts the second encrypted data cannot recover the request: it does not hold the session key and so cannot decrypt the second encrypted data, and only the identity card reading terminal, which holds the same session key, can decrypt it. The authentication factor application request is thus effectively prevented from being illegitimately stolen or read in network transmission, which guarantees the security of its transmission. After the authentication security control module 10 sends the second signature data to the identity card reading terminal, the terminal performs signature verification: if the terminal can decrypt the second signature data with the public key of the authentication security control module 10, the received second signature data was issued by the authentication security control module 10 and the data source is legitimate; if it cannot, the second signature data was not issued by the authentication security control module 10 and the data source is illegitimate. Signing the second encrypted data therefore lets the identity card reading terminal confirm the legitimacy of the data source. If the second encrypted data is tampered with in transit by an attacker, the digest the terminal computes over the tampered second encrypted data during signature verification will necessarily differ from the digest it obtains by decrypting the second signature data with the public key of the authentication security control module 10, so the verification fails; signing the second encrypted data therefore prevents undetected tampering and guarantees the integrity of the second encrypted data received by the terminal. In this optional implementation, the identity card reading terminal verifies the second signature data with the public key of the authentication security control module 10 and, after the verification passes, decrypts the second encrypted data with the session key to obtain the authentication factor application request, which it sends to the identity card.
In this embodiment, the identity card receives the authentication factor application request sent by the identity card reading terminal, generates a second authentication factor, and sends the second authentication factor to the identity card reading terminal. The identity card reading terminal performs security processing on the received second authentication factor to obtain a fourth data packet and sends the fourth data packet to the authentication security control module 10. The identity card authenticates the verification security control module 20 by means of the second authentication factor. The second authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters.
As an optional implementation of this embodiment, the fourth data packet includes a second ciphertext and a signature value of the second ciphertext. The second ciphertext is obtained by the identity card reading terminal encrypting the second authentication factor with the session key, and the signature value is obtained by the terminal signing the second ciphertext with its own first private key. The authentication security control module 10 is specifically configured to verify the signature value of the second ciphertext using the first certificate of the identity card reading terminal and, if the verification passes, to decrypt the second ciphertext with the session key to obtain the second authentication factor; otherwise the identity card reading response process is terminated. If the authentication security control module 10 can decrypt the signature value with the first public key of the identity card reading terminal, the received signature value was issued by the identity card reading terminal and the data source is legitimate; if it cannot, the signature value was not issued by the identity card reading terminal and the data source is illegitimate. Verifying the signature value of the second ciphertext therefore confirms the legitimacy of the data source. If the second ciphertext is tampered with in transit by an attacker, the digest the authentication security control module 10 computes over the tampered second ciphertext during signature verification will necessarily differ from the digest it obtains by decrypting the signature value with the terminal's first public key, so the verification fails; verifying the signature value therefore determines whether the second ciphertext has been tampered with and guarantees the integrity of the received second ciphertext. If the authentication security control module 10 cannot decrypt the received second ciphertext with the session key it shares with the identity card reading terminal, the second ciphertext was not issued by the identity card reading terminal, so decrypting the second ciphertext also confirms the legitimacy of the data source. If a third party intercepts the second ciphertext, it cannot decrypt it, because it does not hold the session key shared by the authentication security control module 10 and the identity card reading terminal, and so cannot obtain the second authentication factor; encrypting the second authentication factor thus prevents it from being illegitimately stolen or read in network transmission and guarantees its transmission security.
In the present embodiment, verifying safety control module 20 processes the received second authentication factor using a preconfigured processing algorithm authorized by the Ministry of Public Security, obtains the second authentication data, and sends the second authentication data to certification safety control module 10. Verifying safety control module 20 may process the second authentication factor in, but not limited to, the following ways. Mode one: verifying safety control module 20 computes a MAC over the second authentication factor using a security key corresponding to the identity card identification information, and the resulting MAC value is the second authentication data. Mode two: verifying safety control module 20 encrypts the second authentication factor using the security key corresponding to the identity card identification information, and the result is the second authentication data. Verifying safety control module 20 computes the security key corresponding to the identity card identification information from preset information.
As an optional embodiment of the present embodiment, the fifth data packet includes third encryption data and third signed data. Certification safety control module 10 is specifically configured to encrypt the second authentication data using the session key to obtain the third encryption data, and to sign the third encryption data using the private key of certification safety control module 10 to obtain the third signed data; certification safety control module 10 then sends the fifth data packet, which includes the third encryption data and the third signed data, to the identity card card-reading terminal. Because certification safety control module 10 encrypts the second authentication data with the session key to obtain the third encryption data, even if a third party intercepts the third encryption data it cannot obtain the second authentication data: the third party does not have the session key, so it cannot decrypt the third encryption data with it to obtain the second authentication data, and only the identity card card-reading terminal, which also holds the session key, can decrypt the third encryption data. This effectively prevents the second authentication data from being illegally stolen or read during network transmission and guarantees the security of its transmission. After certification safety control module 10 sends the third signed data to the identity card card-reading terminal, the identity card card-reading terminal performs signature verification: if it can decrypt the third signed data using the public key of certification safety control module 10, the received third signed data was issued by certification safety control module 10 and the data source is legitimate; if it cannot, the received third signed data was not issued by certification safety control module 10 and the data source is illegitimate. Therefore, signing the third encryption data allows the identity card card-reading terminal to confirm the legitimacy of the data source. If the third encryption data is tampered with by an illegal party during transmission, then during signature verification the identity card card-reading terminal computes a HASH digest of the tampered third encryption data, which will necessarily differ from the digest it obtains by decrypting the third signed data with the public key of certification safety control module 10, so signature verification fails. Therefore, signing the third encryption data prevents it from being tampered with and guarantees the integrity of the third encryption data received by the identity card card-reading terminal. In this optional embodiment, the identity card card-reading terminal may verify the third signed data using the public key of certification safety control module 10 and, after verification passes, decrypt the third encryption data using the session key to obtain the second authentication data, which it then sends to the identity card.
In the present embodiment, after the identity card receives the second authentication data sent by the identity card card-reading terminal, it first authenticates the second authentication data using its built-in authentication algorithm and, after the authentication passes, sends the identity card data ciphertext to the identity card card-reading terminal. The identity card data ciphertext is usually the ciphertext of data such as the resident identity card number, name, photo, age, address, card validity period and/or fingerprint. The identity card may authenticate the second authentication data in, but not limited to, the following ways. Mode one: the identity card computes a MAC value over the second authentication factor it generated, using its built-in security key, and compares the computed MAC value with the received second authentication data; if they are identical, the authentication of the second authentication data passes. Mode two: the identity card decrypts the received second authentication data using its built-in security key to obtain an authentication factor, and compares the authentication factor obtained by decryption with the second authentication factor it generated; if they are identical, the authentication of the second authentication data passes. Mode three: the identity card encrypts the second authentication factor it generated using its built-in security key to obtain authentication data, and compares the authentication data obtained by encryption with the received second authentication data; if they are identical, the authentication of the second authentication data passes. If the identity card's authentication of the second authentication data passes, the security key used by verifying safety control module 20 is identical to the security key built into the identity card, which shows that verifying safety control module 20 is a legitimate verifying safety control module 20; in this way the identity card confirms the legitimacy of verifying safety control module 20 by authenticating the second authentication data. As an alternative embodiment, if the authentication of the second authentication data does not pass, the identity card card reading response process is terminated. The identity card card-reading terminal performs security processing on the received identity card data ciphertext to obtain the sixth data packet, and sends the sixth data packet to certification safety control module 10. As an optional embodiment, the identity card card-reading terminal may send the information contained in the identity card data ciphertext to certification safety control module 10 at once in a single data packet, or it may send that information in several data packets over several transmissions.
Verifying safety control module 20 confirms the legitimacy of the identity card through the first authentication factor, and the identity card confirms the legitimacy of verifying safety control module 20 through the second authentication factor. Only after this two-way authentication passes does the identity card send the identity card data ciphertext to the identity card card-reading terminal.
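The mutual authentication just described (module 20 computing the second authentication data from the second authentication factor, the identity card recomputing it with its built-in security key and comparing) can be made concrete with a small simulation. The following Python block is an added illustration and is not code from the patent or the patentee's implementation. It implements mode one only (a MAC), using HMAC-SHA256 as a stand-in for the Ministry of Public Security authorized algorithm, which the page does not specify; the derivation of the per-card security key from a master key and the card identifier is likewise this example's assumption, since the page only says the key is computed from preset information. The class names, `SAM_MASTER_KEY` and `CARD_ID` are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (assumptions, not from the patent): the master key
# would live inside the SAM module, the built-in key inside the identity card.
SAM_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CARD_ID = b"CONSTRUCTED-CARD-ID-0001"


def derive_security_key(master_key: bytes, card_id: bytes) -> bytes:
    """Security key 'corresponding to the identity card identification information'.
    The patent only says it is computed from preset information; HMAC-based key
    diversification from a master key is this example's assumption."""
    return hmac.new(master_key, b"security-key|" + card_id, hashlib.sha256).digest()


def compute_mac(security_key: bytes, second_auth_factor: bytes) -> bytes:
    """Mode one: the MAC over the second authentication factor is the second authentication data."""
    return hmac.new(security_key, second_auth_factor, hashlib.sha256).digest()


class IdentityCard:
    """Generates the second authentication factor and checks the returned second authentication data."""

    def __init__(self, card_id: bytes, built_in_key: bytes) -> None:
        self.card_id = card_id
        self._key = built_in_key
        self.second_auth_factor = b""

    def generate_second_auth_factor(self) -> bytes:
        self.second_auth_factor = secrets.token_bytes(16)
        return self.second_auth_factor

    def authenticate(self, second_auth_data: bytes) -> bool:
        # Recompute the MAC with the built-in key and compare in constant time;
        # equality shows module 20 holds the same security key, i.e. is legitimate.
        expected = compute_mac(self._key, self.second_auth_factor)
        return hmac.compare_digest(expected, second_auth_data)


class VerifyingSafetyControlModule:
    """Module 20: derives the per-card security key and produces the second authentication data."""

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key

    def process_second_auth_factor(self, card_id: bytes, factor: bytes) -> bytes:
        return compute_mac(derive_security_key(self._master_key, card_id), factor)


def run_exchange(sam_master_key: bytes = SAM_MASTER_KEY, tamper_in_transit: bool = False) -> bool:
    """Card -> (terminal, module 10) -> module 20 -> back to the card.
    Transport protection (session key, signatures) is covered elsewhere and omitted here."""
    card = IdentityCard(CARD_ID, derive_security_key(SAM_MASTER_KEY, CARD_ID))
    module20 = VerifyingSafetyControlModule(sam_master_key)
    factor = card.generate_second_auth_factor()
    second_auth_data = module20.process_second_auth_factor(CARD_ID, factor)
    if tamper_in_transit:
        # flip one bit of the second authentication data on the way back to the card
        second_auth_data = bytes([second_auth_data[0] ^ 0x01]) + second_auth_data[1:]
    return card.authenticate(second_auth_data)


if __name__ == "__main__":
    print("legitimate module 20:", run_exchange())
    print("module 20 with wrong key:", run_exchange(sam_master_key=bytes(16)))
    print("second authentication data altered in transit:", run_exchange(tamper_in_transit=True))
```

A module 20 holding a different master key derives a different per-card security key and its MAC is rejected, which is exactly the legitimacy check the page attributes to the identity card; the constant-time comparison avoids leaking how many leading bytes of the MAC matched.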
As an optional embodiment of the present embodiment, the sixth data packet includes a third ciphertext and the signature value of the third ciphertext, where the third ciphertext is obtained by the identity card card-reading terminal encrypting the identity card data ciphertext using the session key, and the signature value of the third ciphertext is obtained by the identity card card-reading terminal signing the third ciphertext using its own first private key. Certification safety control module 10 is specifically configured to perform signature verification on the signature value of the third ciphertext using the First Certificate of the identity card card-reading terminal and, if the verification passes, to decrypt the third ciphertext using the session key to obtain the identity card data ciphertext; otherwise the identity card card reading response process is terminated. If certification safety control module 10 can decrypt the signature value of the third ciphertext using the first public key of the identity card card-reading terminal, the received signature value of the third ciphertext was issued by the identity card card-reading terminal and the data source is legitimate; if it cannot, the received signature value of the third ciphertext was not issued by the identity card card-reading terminal and the data source is illegitimate. Therefore, performing signature verification on the signature value of the third ciphertext confirms the legitimacy of the data source. If the third ciphertext is tampered with by an illegal party during transmission, then during signature verification certification safety control module 10 computes a HASH digest of the tampered third ciphertext, which will necessarily differ from the digest it obtains by decrypting the signature value of the third ciphertext with the first public key of the identity card card-reading terminal, so signature verification fails. Therefore, verifying the signature value of the third ciphertext determines whether the third ciphertext has been tampered with and guarantees the integrity of the received third ciphertext. If certification safety control module 10 cannot decrypt the received third ciphertext using the session key it shares with the identity card card-reading terminal, the third ciphertext was not issued by the identity card card-reading terminal; therefore, decrypting the third ciphertext confirms the legitimacy of the data source. If a third party intercepts the third ciphertext, it cannot decrypt it and cannot obtain the identity card data ciphertext, because it cannot obtain the session key shared by certification safety control module 10 and the identity card card-reading terminal; therefore, decrypting the third ciphertext prevents the identity card data ciphertext from being illegally stolen or read during network transmission and guarantees the transmission security of the identity card data ciphertext.
In the present embodiment, the identity card data plaintext is usually the plaintext of data such as the resident identity card number, name, photo, age, address, card validity period and fingerprint.
In the present embodiment, after certification safety control module 10 sends the seventh data packet to the identity card card-reading terminal, the identity card card reading response succeeds and the identity card card reading response process ends.
As an optional embodiment of the present embodiment, certification safety control module 10 may send the information contained in the identity card data plaintext to the identity card card-reading terminal at once in a single data packet, or it may send that information in several data packets over several transmissions.
As an optional embodiment of the present embodiment, the seventh data packet includes fourth encryption data and fourth signed data. Certification safety control module 10 is specifically configured to encrypt the identity card data plaintext using the session key to obtain the fourth encryption data, and to sign the fourth encryption data using the private key of certification safety control module 10 to obtain the fourth signed data. Certification safety control module 10 sends the seventh data packet, which includes the fourth encryption data and the fourth signed data, to the identity card card-reading terminal. Because certification safety control module 10 encrypts the identity card data plaintext with the session key to obtain the fourth encryption data, even if a third party intercepts the fourth encryption data it cannot obtain the identity card data plaintext: the third party does not have the session key, so it cannot decrypt the fourth encryption data with it to obtain the identity card data plaintext, and only the identity card card-reading terminal, which also holds the session key, can decrypt the fourth encryption data. This effectively prevents the identity card data plaintext from being illegally stolen or read during network transmission and guarantees the security of its transmission. After certification safety control module 10 sends the fourth signed data to the identity card card-reading terminal, the identity card card-reading terminal performs signature verification: if it can decrypt the fourth signed data using the public key of certification safety control module 10, the received fourth signed data was issued by certification safety control module 10 and the data source is legitimate; if it cannot, the received fourth signed data was not issued by certification safety control module 10 and the data source is illegitimate. Therefore, signing the fourth encryption data allows the identity card card-reading terminal to confirm the legitimacy of the data source. If the fourth encryption data is tampered with by an illegal party during transmission, then during signature verification the identity card card-reading terminal computes a HASH digest of the tampered fourth encryption data, which will necessarily differ from the digest it obtains by decrypting the fourth signed data with the public key of certification safety control module 10, so signature verification fails. Therefore, signing the fourth encryption data prevents it from being tampered with and guarantees the integrity of the fourth encryption data received by the identity card card-reading terminal. In this optional embodiment, the identity card card-reading terminal may verify the fourth signed data using the public key of certification safety control module 10 and, after verification passes, decrypt the fourth encryption data using the session key to obtain the identity card data plaintext.
As an optional embodiment of the present embodiment, certification safety control module 10 is further configured to clear the identity card data plaintext after performing security processing on it to obtain the seventh data packet. Because the identity card data plaintext is cleared from the module immediately after it has been encrypted and sent, no identity card information data is retained, which protects the privacy and security of the user.
In the present embodiment, certification safety control module 10 is a security chip approved by the State Cryptography Administration; verifying safety control module 20 is responsible for decrypting the identity card data ciphertext and returning the resulting identity card data plaintext to the identity card card-reading terminal. Verifying safety control module 20 uses the dedicated product (SAM module) specified by the Ministry of Public Security and complies with GA 467-2013 "Technical Interface Specification for the Resident Identity Card Verification Safety Control Module"; certification safety control module 10 and verifying safety control module 20 are both located in the cloud authentication platform.
In the present embodiment, the identity card card-reading terminal is not provided with a verifying safety control module 20 capable of decrypting the ciphertext data read from the identity card; instead, verifying safety control module 20 is located in the cloud authentication platform, and the identity card card-reading terminal reads the identity card by connecting to the cloud authentication platform. This greatly reduces the implementation cost for users, particularly in industries such as banking, railway stations and insurance that need to perform identity card information read operations: they need only deploy the required number of identity card card-reading terminals, without deploying large numbers of verifying safety control modules 20 and without configuring large numbers of correspondences between verifying safety control modules 20 and identity card card-reading terminals, which simplifies implementation. At the same time, certification safety control module 10 is located in the cloud authentication platform; it performs security verification on the identity card related data sent by the identity card card-reading terminal, forwards the data to verifying safety control module 20 only after the verification passes, performs security processing on the response data returned by verifying safety control module 20, and then sends the processed data to the identity card card-reading terminal. A secure channel is thereby established between certification safety control module 10 and the identity card card-reading terminal, which improves the security of the communication between the identity card and verifying safety control module 20 and guarantees the transmission security of the identity card data. Furthermore, the identity card and verifying safety control module 20 complete two-way authentication through the exchange of the first authentication factor and the second authentication factor; verifying safety control module 20 decrypts the identity card data ciphertext to obtain the identity card data plaintext and sends it to the identity card card-reading terminal, completing the reading of the identity card.
As an optional embodiment of the present embodiment, certification safety control module 10 needs to obtain the session key before performing security verification on the card reading request data packet. Therefore, certification safety control module 10 is further configured to receive, before performing security verification on the card reading request data packet, a session key request data packet sent by the identity card card-reading terminal, where the session key request data packet includes a first random factor, the signature value of the first random factor and the First Certificate of the identity card card-reading terminal; to verify the legitimacy of the First Certificate and, after the verification passes, to perform signature verification on the signature value of the first random factor using the First Certificate; to generate a second random factor if the signature verification passes; to encrypt the first random factor and the second random factor to obtain fifth encryption data, and to sign the fifth encryption data using the private key of certification safety control module 10 to obtain fifth signed data; and to send an eighth data packet, which includes the fifth encryption data and the fifth signed data, to the identity card card-reading terminal. Certification safety control module 10 is further configured to generate the session key from the first random factor and the second random factor after generating the second random factor.
In this optional embodiment, the signature value of the first random factor is obtained by the identity card card-reading terminal signing the first random factor with its own first private key. The first random factor may be one or a string of random numbers, one or a string of random characters, or any combination of a string of random numbers and random characters.
In this optional embodiment, certification safety control module 10 verifies the First Certificate of the identity card card-reading terminal using a root certificate; if the verification passes, the First Certificate of the identity card card-reading terminal is legitimate.
In this optional embodiment, if certification safety control module 10 can decrypt the signature value of the first random factor using the first public key of the identity card card-reading terminal, the received signature value of the first random factor was issued by the identity card card-reading terminal and the data source is legitimate; if it cannot, the received signature value of the first random factor was not issued by the identity card card-reading terminal and the data source is illegitimate. Therefore, performing signature verification on the signature value of the first random factor confirms the legitimacy of the data source. If the first random factor is tampered with by an illegal party during transmission, then during signature verification certification safety control module 10 computes a HASH digest of the tampered first random factor, which will necessarily differ from the digest it obtains by decrypting the signature value of the first random factor with the first public key of the identity card card-reading terminal, so signature verification fails. Therefore, verifying the signature value of the first random factor determines whether the first random factor has been tampered with and guarantees the integrity of the received first random factor.
In this optional embodiment, the second random factor may be one or a string of random numbers, one or a string of random characters, or any combination of a string of random numbers and random characters.
In this optional embodiment, if the signature verification of the signature value of the first random factor by certification safety control module 10 does not pass, the session key request response process is terminated.
In this optional embodiment, certification safety control module 10 generates the session key from the first random factor and the second random factor using a preset algorithm.
In this optional embodiment, certification safety control module 10 encrypts the first random factor and the second random factor using the First Certificate of the identity card card-reading terminal to obtain the fifth encryption data. Certification safety control module 10 encrypts the first random factor and the second random factor with the session key to obtain the fifth encryption data; even if a third party intercepts the fifth encryption data it cannot obtain the first random factor and the second random factor, because the third party does not have the session key and so cannot decrypt the fifth encryption data with it, and only the identity card card-reading terminal, which also holds the session key, can decrypt the fifth encryption data. This effectively prevents the first random factor and the second random factor from being illegally stolen or read during network transmission and guarantees the security of their transmission. After certification safety control module 10 sends the fifth signed data to the identity card card-reading terminal, the identity card card-reading terminal performs signature verification: if it can decrypt the fifth signed data using the public key of certification safety control module 10, the received fifth signed data was issued by certification safety control module 10 and the data source is legitimate; if it cannot, the received fifth signed data was not issued by certification safety control module 10 and the data source is illegitimate. Therefore, signing the fifth encryption data allows the identity card card-reading terminal to confirm the legitimacy of the data source. If the fifth encryption data is tampered with by an illegal party during transmission, then during signature verification the identity card card-reading terminal computes a HASH digest of the tampered fifth encryption data, which will necessarily differ from the digest it obtains by decrypting the fifth signed data with the public key of certification safety control module 10, so signature verification fails. Therefore, signing the fifth encryption data prevents it from being tampered with and guarantees the integrity of the fifth encryption data received by the identity card card-reading terminal.
In this optional embodiment, after the identity card card-reading terminal receives the eighth data packet, it performs signature verification on the fifth signed data using the public key of certification safety control module 10; after the verification passes, it decrypts the fifth encryption data using its own first private key to obtain the first random factor and the second random factor, and compares the first random factor obtained by decryption with the first random factor it generated itself. If they are identical, this shows that certification safety control module 10 received the first random factor and that the first random factor it received is the same as the one generated by the identity card card-reading terminal; the identity card card-reading terminal then applies the same algorithm as the above preset algorithm to the first random factor and the second random factor and generates a session key identical to the session key of certification safety control module 10. In this way certification safety control module 10 can establish a secure channel with the identity card card-reading terminal using the session key and transmit the identity card related data over it, which improves the security of data transmission. If they are not identical, the first random factor received by certification safety control module 10 differs from the one generated by the identity card card-reading terminal; applying the same preset algorithm to their respective first random factors and second random factors, the identity card card-reading terminal and certification safety control module 10 compute two different session keys, and neither can decrypt the encrypted data sent by the other.
As an optional embodiment of the present embodiment, certification safety control module 10 is further configured to receive, before receiving the card reading request data packet sent by the identity card card-reading terminal, a card seeking request data packet sent by the identity card card-reading terminal, where the card seeking request data packet includes a card seeking request data ciphertext, the signature value of the card seeking request data ciphertext, and the First Certificate and second certificate of the identity card card-reading terminal; to verify the legitimacy of the First Certificate and, after the verification passes, to perform signature verification on the signature value of the card seeking request data ciphertext using the First Certificate; and, if the signature verification passes, to decrypt the card seeking request data ciphertext using an obtained certification decryption key to obtain the card seeking request data, and to send the card seeking request data to verifying safety control module 20. Verifying safety control module 20 is further configured to receive the card seeking request data, respond to it, generate card seeking request response data, and send the card seeking request response data to certification safety control module 10. Certification safety control module 10 is further configured to receive the card seeking request response data, encrypt it using the session key to obtain sixth encryption data, encrypt the session key using the second certificate to obtain a session key ciphertext, sign the sixth encryption data and the session key ciphertext using the private key of certification safety control module 10 to obtain sixth signed data, and send a card seeking request response data packet to the identity card card-reading terminal, where the card seeking request response data packet includes the sixth encryption data and the sixth signed data.
In this optional embodiment, the card seeking request data ciphertext is obtained by the identity card card-reading terminal encrypting the card seeking request data using a certification encryption key, and the signature value of the card seeking request data ciphertext is obtained by the identity card card-reading terminal signing the card seeking request data ciphertext using its own first private key.
Optionally, the First Certificate and the second certificate may be the same certificate or different certificates.
Optionally, the card seeking request data includes a timestamp and/or a terminal counter; certification safety control module 10 is further configured to decrypt the card seeking request data ciphertext using the obtained certification decryption key and, after obtaining the card seeking request data, to send the timestamp and/or terminal counter to dispatch server 30. Dispatch server 30 can perform frequency control and automatic blacklist capture of identity card card-reading terminals based on information such as the timestamp and terminal counter, and add suspicious identity card card-reading terminals to a blacklist.
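The page names the inputs dispatch server 30 works from (timestamp, terminal counter) but not its rules. The following Python block is an added illustration of one plausible policy and is not code from the patent or the patentee: a timestamp too far from the server clock, a terminal counter that fails to increase (a replayed or duplicated request), or too many requests per terminal within a window each mark the terminal as suspicious and add it to the blacklist. The thresholds, the decision strings, the `DispatchServer` class and the sample request stream are all constructed for this example.

```python
from collections import defaultdict, deque


class DispatchServer:
    """Constructed policy (assumption): the patent names the inputs, not the rules.
    - the timestamp must be within max_clock_skew seconds of the server clock
    - the terminal counter must strictly increase per terminal (detects replayed requests)
    - at most max_per_window requests per terminal per window_seconds (frequency control)
    Any violation marks the terminal suspicious and adds it to the blacklist."""

    def __init__(self, max_per_window: int = 10, window_seconds: int = 60, max_clock_skew: int = 300) -> None:
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.max_clock_skew = max_clock_skew
        self.last_counter = {}            # terminal_id -> highest counter seen
        self.history = defaultdict(deque)  # terminal_id -> recent request times
        self.blacklist = set()

    def check(self, terminal_id: str, timestamp: int, counter: int, now: int) -> str:
        """Return a decision string for one card seeking request."""
        if terminal_id in self.blacklist:
            return "blacklisted"
        if abs(now - timestamp) > self.max_clock_skew:
            self.blacklist.add(terminal_id)
            return "stale-timestamp"
        last = self.last_counter.get(terminal_id)
        if last is not None and counter <= last:
            self.blacklist.add(terminal_id)
            return "counter-replay"
        self.last_counter[terminal_id] = counter
        window = self.history[terminal_id]
        while window and now - window[0] > self.window_seconds:
            window.popleft()               # drop requests that fell out of the window
        window.append(now)
        if len(window) > self.max_per_window:
            self.blacklist.add(terminal_id)
            return "rate-limited"
        return "ok"


# Constructed sample stream: (terminal_id, timestamp, terminal_counter, server_time)
SAMPLE_REQUESTS = [
    ("T-1", 1000, 1, 1000),
    ("T-1", 1001, 2, 1001),
    ("T-1", 1002, 2, 1002),   # counter reused -> replay
    ("T-1", 1003, 3, 1003),   # terminal already blacklisted
    ("T-2", 2000, 1, 2000),
    ("T-2", 2001, 2, 2001),
    ("T-2", 2002, 3, 2002),
    ("T-2", 2003, 4, 2003),   # fourth request inside a 3-per-window limit -> rate-limited
    ("T-3", 100, 1, 1000),    # clock 900 s off -> stale
]


def sample_decisions() -> list:
    """Run the sample stream through a server with tight limits and return the decisions."""
    server = DispatchServer(max_per_window=3, window_seconds=60, max_clock_skew=300)
    return [server.check(*request) for request in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for request, decision in zip(SAMPLE_REQUESTS, sample_decisions()):
        print(request, "->", decision)
```

The counter check only works because module 10 hands the server the counter after decrypting and verifying the request, so a terminal cannot forge a higher value without the certification encryption key and its first private key; the timestamp window bounds how long a captured request stays usable if those checks are ever weakened.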
In this optional embodiment, certification safety control module 10 verifies the First Certificate of the identity card card-reading terminal using a root certificate; if the verification passes, the First Certificate of the identity card card-reading terminal is legitimate.
In this optional embodiment, if certification safety control module 10 can decrypt the signature value of the card seeking request data ciphertext using the first public key of the identity card card-reading terminal, the received signature value of the card seeking request data ciphertext was issued by the identity card card-reading terminal; if it cannot, the received signature value of the card seeking request data ciphertext was not issued by the identity card card-reading terminal. Therefore, performing signature verification on the signature value of the card seeking request data ciphertext confirms the legitimacy of the data source. If the card seeking request data ciphertext is tampered with by an illegal party during transmission, then during signature verification certification safety control module 10 computes a HASH digest of the tampered card seeking request data ciphertext, which will necessarily differ from the digest it obtains by decrypting the signature value of the card seeking request data ciphertext with the first public key of the identity card card-reading terminal, so signature verification fails. Therefore, verifying the signature value of the card seeking request data ciphertext determines whether the card seeking request data ciphertext has been tampered with and guarantees the integrity of the received card seeking request data ciphertext. If certification safety control module 10 cannot decrypt the received card seeking request data ciphertext using the session key it shares with the identity card card-reading terminal, the card seeking request data ciphertext was not issued by the identity card card-reading terminal; therefore, decrypting the card seeking request data ciphertext confirms the legitimacy of the data source. If a third party intercepts the card seeking request data ciphertext, it cannot decrypt it and cannot obtain the card seeking request data, because it cannot obtain the session key shared by certification safety control module 10 and the identity card card-reading terminal; therefore, decrypting the card seeking request data ciphertext prevents the card seeking request data from being illegally stolen or read during network transmission and allows the card seeking request data to be read correctly.
In this optional embodiment, to decrypt the card seeking request data ciphertext the authentication security control module 10 needs to obtain the authentication decryption key, which may be the same key as the above authentication encryption key, i.e. a symmetric key. The authentication decryption key may be obtained in, but not limited to, the following ways. Mode one: the authentication decryption key is preconfigured in the authentication security control module 10, and the authentication encryption key is likewise preconfigured in the identity card reading terminal. Mode two: the authentication security control module 10 obtains an authentication decryption key ciphertext and the protection key of the cloud authentication database 40; the authentication decryption key ciphertext is the authentication encryption key of each identity card reading terminal encrypted by the cloud authentication database 40 under its protection key, and the authentication security control module 10 decrypts the authentication decryption key ciphertext with the protection key to obtain the authentication decryption key; the cloud authentication database 40 is deployed in the cloud authentication platform. After receiving for the first time data that the identity card reading terminal encrypted with the authentication encryption key, the authentication security control module 10 decrypts that first-sent data with the authentication decryption key, which secures the data transmitted between the authentication security control module 10 and the identity card reading terminal; in this embodiment the card seeking request data ciphertext is the data the identity card reading terminal sends first.
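The request half of the card seeking exchange described above (root verification of the first certificate, signature check over the ciphertext with the first public key, then decryption under the authentication decryption key, pre-provisioned as in mode one), written out as an added example. It is not the patent's code nor that of any product implementing it: the root and first certificates are Ed25519 certificates minted in-process, AES-256-GCM stands in for the unspecified symmetric algorithm, the 32-byte key and the terminal identity are constructed, the second certificate is omitted because it only matters for the response, and the names Issue, TerminalBuildRequest and ModuleHandleRequest are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed fixtures, not a real PKI: a root CA, the terminal's signing key
// behind its first certificate, and a pre-provisioned 32-byte authentication
// key (the page's "mode one": both sides hold it before the first message).
var (
	RootPub, RootPriv, _ = ed25519.GenerateKey(rand.Reader)
	TermPub, TermPriv, _ = ed25519.GenerateKey(rand.Reader)
	RootCert             = Issue(1, "root-ca", true, RootPub, nil, RootPriv)
	FirstCert            = Issue(2, "terminal-0001", false, TermPub, RootCert, RootPriv)
	AuthKey              = []byte("constructed-32-byte-auth-key....")
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue mints a certificate signed by signer; a CA is self-signed (parent ignored).
func Issue(serial int64, cn string, ca bool, pub any, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage, parent = x509.KeyUsageCertSign, tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// AES-256-GCM; the random 12-byte nonce is prepended to the ciphertext.
func gcmSeal(key, plain []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil)
}

func gcmOpen(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g := must(cipher.NewGCM(blk))
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// CardSeekRequest: the ciphertext, its signature value and the first certificate.
type CardSeekRequest struct {
	Ciphertext, Signature []byte
	First                 *x509.Certificate
}

// TerminalBuildRequest encrypts under the authentication encryption key and
//ates the signature over the ciphertext (not the plaintext) with the first private key.
func TerminalBuildRequest(request []byte) CardSeekRequest {
	ct := gcmSeal(AuthKey, request)
	return CardSeekRequest{ct, ed25519.Sign(TermPriv, ct), FirstCert}
}

// ModuleHandleRequest is the module's side: root-verify the first certificate,
// verify the signature with the first public key (a tampered ciphertext fails
// here), then decrypt with the authentication decryption key (the same key).
func ModuleHandleRequest(r CardSeekRequest) ([]byte, error) {
	roots := x509.NewCertPool()
	roots.AddCert(RootCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := r.First.Verify(opts); err != nil {
		return nil, fmt.Errorf("first certificate rejected: %w", err)
	}
	pub, ok := r.First.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, r.Ciphertext, r.Signature) {
		return nil, errors.New("signature over card seeking ciphertext does not verify")
	}
	return gcmOpen(AuthKey, r.Ciphertext)
}

func main() {
	plain, err := ModuleHandleRequest(TerminalBuildRequest([]byte(`{"op":"seek","ts":1460937600,"ctr":7}`)))
	fmt.Printf("module decrypted %s (err=%v)\n", plain, err)
}
```

The order of checks matters: the certificate is validated before its public key is trusted for anything, and the signature is checked before any decryption is attempted, so a forged or tampered packet is rejected without touching the authentication key. A certificate not chained to the root, even a well-formed self-signed one, fails at the first step.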
In this optional embodiment, the session key may be obtained in, but not limited to, the following ways. Mode one: the authentication security control module 10 generates the session key at random, so the session key is a random factor; optionally it may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters. A randomly generated session key is hard for an illegal party to steal. Mode two: the session key is preset inside the authentication security control module 10. Mode three: the authentication security control module 10 and the identity card reading terminal negotiate a key and use the negotiated key as the session key; any existing negotiation method may be used, and this embodiment does not restrict it.
In this optional embodiment, the authentication security control module 10 encrypts the card seeking request response data with the session key to obtain the sixth encryption data. Even if a third party intercepts the sixth encryption data, it cannot obtain the card seeking request response data, because it does not hold the session key and cannot decrypt the sixth encryption data with it; only the identity card reading terminal, which holds the same session key, can decrypt the sixth encryption data. This effectively prevents the card seeking request response data from being stolen or read in network transmission and guarantees the security of its transmission. After the authentication security control module 10 sends the sixth signed data to the identity card reading terminal, the terminal performs signature verification: if it can verify the sixth signed data with the public key of the authentication security control module 10, the received sixth signed data was issued by the authentication security control module 10 and the data source is legitimate; if it cannot, the received sixth signed data was not issued by the authentication security control module 10 and the data source is illegitimate. Signing the sixth encryption data (together with the session key ciphertext, as in claim 4) therefore lets the identity card reading terminal confirm the legitimacy of the data source. If the sixth encryption data is tampered with in transit by an illegal party, the identity card reading terminal will, during signature verification, compute a HASH digest of the tampered sixth encryption data, and that digest must differ from the digest obtained by decrypting the sixth signed data with the public key of the authentication security control module 10, so the signature verification fails. Signing the sixth encryption data therefore prevents undetected tampering and guarantees the integrity of the sixth encryption data received by the identity card reading terminal.
In this optional embodiment, the authentication security control module 10 decrypts the data first sent by the identity card reading terminal (for example the card seeking request packet of this embodiment) with the authentication decryption key, and encrypts or decrypts the data subsequently sent or received with the newly obtained session key. In this way a secure data channel is established with the identity card reading terminal, improving the security of data transmission.
In this optional embodiment, after receiving the card seeking request response packet sent by the authentication security control module 10, the identity card reading terminal verifies the sixth signed data with the public key of the authentication security control module 10. After the verification passes, it decrypts the session key ciphertext with its second private key (the second private key and the second public key in the second certificate of the identity card reading terminal form an asymmetric key pair) to obtain the session key, then decrypts the sixth encryption data with the session key to obtain the card seeking request response data. The identity card reading terminal stores the session key; it can later establish a secure channel with the session key and transmit identity card related data with the authentication security control module 10, guaranteeing the security of the data transmission.
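The response half of the exchange, from the module's encryption of the response through the terminal's verification, unwrapping and decryption, as an added example that is neither the patent's code nor that of any product implementing it. It assumes a randomly generated session key (session key mode one), AES-256-GCM for the sixth encryption data, RSA-OAEP under the terminal's RSA public key as the "encrypt the session key with the second certificate" step (the certificate itself is reduced to that public key and assumed already root-verified), and an Ed25519 key pair for the module's signature; the key pairs are generated in-process, and the names ModuleBuildResponse and TerminalHandleResponse are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed fixtures: the module's signing pair (the terminal knows the
// public key) and the terminal's RSA pair standing in for the key behind its
// second certificate, which is assumed to have been root-verified already.
var (
	ModulePub, modulePriv, _ = ed25519.GenerateKey(rand.Reader)
	termSecondKey, _         = rsa.GenerateKey(rand.Reader, 2048)
	TermSecondPub            = &termSecondKey.PublicKey
)

// CardSeekResponse is the card seeking request response packet: the sixth
// encryption data, the session key ciphertext and the sixth signed data.
type CardSeekResponse struct {
	Enc, SessionKeyCipher, Signature []byte
}

// signedMessage is what the sixth signed data covers: session key ciphertext
// then sixth encryption data. OAEP output is always the modulus length, so
// the concatenation splits unambiguously.
func signedMessage(p CardSeekResponse) []byte {
	return append(append([]byte(nil), p.SessionKeyCipher...), p.Enc...)
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// ModuleBuildResponse: random session key (mode one), response encrypted
// under it, key wrapped with RSA-OAEP to the second public key, both signed
// with the module's private key. The session key is returned for the channel.
func ModuleBuildResponse(response []byte, termPub *rsa.PublicKey) (CardSeekResponse, []byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return CardSeekResponse{}, nil, err
	}
	aead, err := aesGCM(sessionKey)
	if err != nil {
		return CardSeekResponse{}, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	p := CardSeekResponse{Enc: aead.Seal(nonce, nonce, response, nil)}
	p.SessionKeyCipher, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, sessionKey, nil)
	if err != nil {
		return CardSeekResponse{}, nil, err
	}
	p.Signature = ed25519.Sign(modulePriv, signedMessage(p))
	return p, sessionKey, nil
}

// TerminalHandleResponse: signature check with the module's public key
// first (wrong source or tampering stops here), then unwrap the session key
// with the second private key, then decrypt. Returns plaintext and the
// session key the terminal stores for the subsequent secure channel.
func TerminalHandleResponse(p CardSeekResponse, modulePub ed25519.PublicKey) ([]byte, []byte, error) {
	if !ed25519.Verify(modulePub, signedMessage(p), p.Signature) {
		return nil, nil, errors.New("sixth signed data does not verify")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, termSecondKey, p.SessionKeyCipher, nil)
	if err != nil {
		return nil, nil, err
	}
	aead, err := aesGCM(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	n := aead.NonceSize()
	if len(p.Enc) < n {
		return nil, nil, errors.New("sixth encryption data too short")
	}
	plain, err := aead.Open(nil, p.Enc[:n], p.Enc[n:], nil)
	return plain, sessionKey, err
}

func main() {
	p, _, _ := ModuleBuildResponse([]byte(`{"status":"card present"}`), TermSecondPub)
	plain, sk, err := TerminalHandleResponse(p, ModulePub)
	fmt.Printf("terminal read %s with a %d-byte session key (err=%v)\n", plain, len(sk), err)
}
```

Verifying the signature before the RSA unwrap means the terminal never feeds an unauthenticated ciphertext into its second private key, and the signature binds the session key ciphertext to the sixth encryption data, so neither can be swapped for the other's counterpart from a different response.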
Optionally, the dispatch server 30 is further configured to: before the authentication security control module 10 receives the card seeking request packet sent by the identity card reading terminal, receive the request of the identity card reading terminal to access the cloud authentication platform, obtain the identification information of the identity card reading terminal, and determine from that identification information whether the identity card reading terminal is allowed to read identity cards; and, when it is determined that the identity card reading terminal is allowed to read identity cards, send a working status query request to the cloud authentication database 40 after the card seeking request packet sent by the identity card reading terminal is received. The cloud authentication database 40 is configured to receive the working status query request sent by the dispatch server 30, query the working status of each authentication security control module 10 within the jurisdiction of the dispatch server 30, and send the query result to the dispatch server 30. The dispatch server 30 is further configured to receive the query result sent by the cloud authentication database 40, select according to it an authentication security control module 10 whose working status is idle, and send the identification information of the selected authentication security control module 10 to the identity card reading terminal. The dispatch server 30 may decide whether the identity card reading terminal is allowed to read identity cards as follows: the identification information of the identity card reading terminal includes the first certificate and the second certificate; the legitimacy of the first certificate is verified with the root certificate, and the identity card reading terminal is allowed to read identity cards if the verification passes and not allowed if it fails; and/or the legitimacy of the second certificate is verified with the root certificate, and the identity card reading terminal is allowed to read identity cards if the verification passes and not allowed if it fails.
Optionally, the dispatch server 30 is further configured to generate an authentication code after selecting an authentication security control module 10 whose working status is idle, and to send the authentication code to the identity card reading terminal and to the cloud authentication database 40 respectively; the cloud authentication database 40 is further configured to store the authentication code and to delete it when its validity period is reached; the card seeking request packet further includes an authentication code ciphertext; and the authentication security control module 10 is further configured, before sending the card seeking request data to the verification security control module 20, to decrypt the authentication code ciphertext, obtain the authentication code, and query whether the authentication code is stored in the cloud authentication database 40; if it is stored, the module continues with sending the card seeking request data to the verification security control module 20, otherwise it terminates the process.
Specifically, after allocating a port to the authentication security control module 10 whose working status is idle, the dispatch server 30 sends the generated authentication code to the identity card reading terminal and to the cloud authentication database 40 for storage. The identity card reading terminal encrypts the authentication code with the authentication encryption key to obtain the authentication code ciphertext; the authentication security control module 10 decrypts the authentication code ciphertext with the authentication decryption key to obtain the authentication code, sends a query request to the cloud authentication database 40 asking whether that authentication code is stored, and, if it is, sends the card seeking request data to the verification security control module, otherwise terminates the card seeking response process. The authentication code is time-limited: once the scheduled duration is exceeded, the cloud authentication database 40 deletes the stored authentication code, the code becomes invalid, the above query fails and the transaction response is terminated. Setting an authentication code therefore identifies whether a transaction is legitimate, decides whether the service response continues, and secures the identity card card seeking response process. The authentication code may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters; this embodiment does not restrict it.
In this embodiment, the authentication security control module 10 can communicate directly with the identity card reading terminal over a wired or wireless network, or can send and receive its communication data with the identity card reading terminal through the dispatch server 30. If the authentication security control module 10 has no communication interface, the communication data must be forwarded or switched through a third party such as the dispatch server 30, rather than communicated directly with the identity card reading terminal, the verification security control module 20 and similar devices. When communication data containing signed data is received through the dispatch server 30, the signature verification of the data sent by the identity card reading terminal may be performed by the dispatch server 30 or by the authentication security control module 10; this embodiment does not restrict it.
Any process or method described in a flowchart or otherwise herein may be understood as representing one or more modules, segments or portions of executable instruction code for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which the functions may be executed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functions involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that the parts of the present invention may be realized in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be realized with software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if realized in hardware, as in another embodiment, any of the following techniques well known in the art, or a combination of them, may be used: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and so on.
Those of ordinary skill in the art will understand that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the related hardware; the program may be stored in a computer readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination of them.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, or each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module may be realized in the form of hardware or in the form of a software functional module. If the integrated module is realized in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example", "some examples" or the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those skilled in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the invention without departing from its principle and purpose. The scope of the invention is defined by the appended claims and their equivalents.
Claims (10)
1. An identity card reading response system, characterized in that it comprises:
an authentication security control module, configured to receive a card reading request packet sent by an identity card reading terminal, perform security verification on the card reading request packet, obtain identity card identification information after the security verification passes, and send the identity card identification information to a verification security control module;
the verification security control module, configured to receive the identity card identification information, generate a first authentication factor, and send the first authentication factor to the authentication security control module;
the authentication security control module is further configured to receive the first authentication factor, perform security processing on the first authentication factor to obtain a first data packet, and send the first data packet to the identity card reading terminal;
the authentication security control module is further configured to receive a second data packet sent by the identity card reading terminal, perform security verification on the second data packet, obtain first authentication data after the security verification passes, and send the first authentication data to the verification security control module;
the verification security control module is further configured to receive the first authentication data, authenticate the first authentication data, generate an authentication factor application request after the authentication passes, and send the authentication factor application request to the authentication security control module;
the authentication security control module is further configured to receive the authentication factor application request, perform security processing on the authentication factor application request to obtain a third data packet, and send the third data packet to the identity card reading terminal;
the authentication security control module is further configured to receive a fourth data packet sent by the identity card reading terminal, perform security verification on the fourth data packet, obtain a second authentication factor after the security verification passes, and send the second authentication factor to the verification security control module;
the verification security control module is further configured to receive the second authentication factor, process the second authentication factor to obtain second authentication data, and send the second authentication data to the authentication security control module;
the authentication security control module is further configured to receive the second authentication data, perform security processing on the second authentication data to obtain a fifth data packet, and send the fifth data packet to the identity card reading terminal;
the authentication security control module is further configured to receive a sixth data packet sent by the identity card reading terminal, perform security verification on the sixth data packet, obtain an identity card data ciphertext after the security verification passes, and send the identity card data ciphertext to the verification security control module;
the verification security control module is further configured to receive the identity card data ciphertext, decrypt the identity card data ciphertext to obtain identity card data plaintext, and send the identity card data plaintext to the authentication security control module;
the authentication security control module is further configured to perform security processing on the identity card data plaintext to obtain a seventh data packet, and send the seventh data packet to the identity card reading terminal.
2. The system according to claim 1, characterized in that:
the card reading request packet comprises a card reading request data ciphertext and a signature value of the card reading request data ciphertext; the authentication security control module is specifically configured to verify the signature value of the card reading request data ciphertext using the first certificate of the identity card reading terminal and, if the verification passes, decrypt the card reading request data ciphertext using a session key to obtain the identity card identification information; and/or
the first data packet comprises first encryption data and first signed data; the authentication security control module is specifically configured to encrypt the first authentication factor using the session key to obtain the first encryption data, and sign the first encryption data using the private key of the authentication security control module to obtain the first signed data; and/or
the second data packet comprises a first ciphertext and a signature value of the first ciphertext; the authentication security control module is specifically configured to verify the signature value of the first ciphertext using the first certificate of the identity card reading terminal and, if the verification passes, decrypt the first ciphertext using the session key to obtain the first authentication data; and/or
the third data packet comprises second encryption data and second signed data; the authentication security control module is specifically configured to encrypt the authentication factor application request using the session key to obtain the second encryption data, and sign the second encryption data using the private key of the authentication security control module to obtain the second signed data; and/or
the fourth data packet comprises a second ciphertext and a signature value of the second ciphertext; the authentication security control module is specifically configured to verify the signature value of the second ciphertext using the first certificate of the identity card reading terminal and, if the verification passes, decrypt the second ciphertext using the session key to obtain the second authentication factor; and/or
the fifth data packet comprises third encryption data and third signed data; the authentication security control module is specifically configured to encrypt the second authentication data using the session key to obtain the third encryption data, and sign the third encryption data using the private key of the authentication security control module to obtain the third signed data; and/or
the sixth data packet comprises a third ciphertext and a signature value of the third ciphertext; the authentication security control module is specifically configured to verify the signature value of the third ciphertext using the first certificate of the identity card reading terminal and, if the verification passes, decrypt the third ciphertext using the session key to obtain the identity card data ciphertext; and/or
the seventh data packet comprises fourth encryption data and fourth signed data; the authentication security control module is specifically configured to encrypt the identity card data plaintext using the session key to obtain the fourth encryption data, and sign the fourth encryption data using the private key of the authentication security control module to obtain the fourth signed data.
3. The system according to claim 1 or 2, characterized in that:
the authentication security control module is further configured to, before performing security verification on the card reading request packet, receive a session key request packet sent by the identity card reading terminal, wherein the session key request packet comprises a first random factor, a signature value of the first random factor, and the first certificate of the identity card reading terminal; verify the legitimacy of the first certificate; after the verification passes, verify the signature value of the first random factor using the first certificate; generate a second random factor if the signature verification passes; encrypt the first random factor and the second random factor to obtain fifth encryption data; sign the fifth encryption data using the private key of the authentication security control module to obtain fifth signed data; and send an eighth data packet comprising the fifth encryption data and the fifth signed data to the identity card reading terminal;
the authentication security control module is further configured to generate the session key from the first random factor and the second random factor after generating the second random factor.
4. The system according to claim 1 or 2, characterized in that:
the authentication security control module is further configured to, before receiving the card reading request packet sent by the identity card reading terminal, receive a card seeking request packet sent by the identity card reading terminal, wherein the card seeking request packet comprises a card seeking request data ciphertext, a signature value of the card seeking request data ciphertext, and the first certificate and second certificate of the identity card reading terminal; verify the legitimacy of the first certificate; after the verification passes, verify the signature value of the card seeking request data ciphertext using the first certificate; if the signature verification passes, decrypt the card seeking request data ciphertext using an obtained authentication decryption key to obtain card seeking request data; and send the card seeking request data to the verification security control module;
the verification security control module is further configured to receive the card seeking request data, respond to the card seeking request data, generate card seeking request response data, and send the card seeking request response data to the authentication security control module;
the authentication security control module is further configured to receive the card seeking request response data, encrypt the card seeking request response data using a session key to obtain sixth encryption data, encrypt the session key using the second certificate to obtain a session key ciphertext, sign the sixth encryption data and the session key ciphertext using the private key of the authentication security control module to obtain sixth signed data, and send a card seeking request response packet to the identity card reading terminal, wherein the card seeking request response packet comprises the sixth encryption data and the sixth signed data.
5. The system according to claim 4, characterized in that it further comprises:
a dispatch server, configured to, before the authentication security control module receives the card seeking request packet sent by the identity card reading terminal, obtain identification information of the identity card reading terminal and determine from the identification information of the identity card reading terminal whether the identity card reading terminal is allowed to read identity cards; and, when it is determined that the identity card reading terminal is allowed to read identity cards, send a working status query request to a cloud authentication database after the card seeking request packet sent by the identity card reading terminal is received;
the cloud authentication database, configured to receive the working status query request sent by the dispatch server, query the working status of each authentication security control module within the jurisdiction of the dispatch server, and send the query result to the dispatch server;
the dispatch server is further configured to receive the query result sent by the cloud authentication database, select according to the query result an authentication security control module whose working status is idle, and send the identification information of the selected authentication security control module to the identity card reading terminal.
6. The system according to claim 5, characterized in that the identification information of the identity card reading terminal comprises the first certificate and the second certificate, and the dispatch server determines whether the identity card reading terminal is allowed to read identity cards as follows:
verify the legitimacy of the first certificate; if the verification passes, allow the identity card reading terminal to read identity cards; if the verification fails, do not allow the identity card reading terminal to read identity cards; and/or
verify the legitimacy of the second certificate; if the verification passes, allow the identity card reading terminal to read identity cards; if the verification fails, do not allow the identity card reading terminal to read identity cards.
7. The system according to claim 5 or 6, characterized in that:
the dispatch server is further configured to generate an authentication code after selecting the authentication security control module whose working status is idle, and send the authentication code to the identity card reading terminal and to the cloud authentication database respectively;
the cloud authentication database is further configured to store the authentication code and delete the authentication code when its validity period is reached;
the card seeking request packet further comprises an authentication code ciphertext;
the authentication security control module is further configured to, before sending the card seeking request data to the verification security control module, decrypt the authentication code ciphertext to obtain the authentication code and query whether the authentication code is stored in the cloud authentication database; if it is stored, continue with the operation of sending the card seeking request data to the verification security control module; otherwise, terminate the process.
8. The system according to any one of claims 1, 2, 5 or 6, characterized in that it further includes:
the certification safety control module is further configured to remove the identity card identification information after sending the identity card identification information to the verifying safety control module; and/or
the certification safety control module is further configured to perform safety verification on the card reading request data package and, after the safety verification passes and the identity card identification information is obtained, send the identity card identification information to the dispatch server; and/or
the dispatch server is configured to judge whether the identity card identification information is in an identity card blacklist and, if so, send instruction information to the certification safety control module indicating that the identity card currently read by the identity card card-reading terminal is illegal.
9. The system according to any one of claims 1, 2, 5 or 6, characterized in that:
the certification safety control module is further configured to remove the identity card data plaintext after performing safe handling on the identity card data plaintext to obtain the seventh data packet.
10. The system according to claim 4, characterized in that:
the card-seeking request data includes a timestamp and/or a terminal counter;
the certification safety control module is further configured to, after decrypting the card-seeking request data ciphertext using the obtained certification decryption key to obtain the card-seeking request data, send the timestamp and/or the terminal counter to the dispatch server.
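The following is an added, constructed illustration of the flow in claims 7, 8 and 10; it is not code from the patent or its assignee. It models a dispatch server that issues a time-limited authentication code to both the terminal and a cloud authentication database, a terminal that embeds the code ciphertext in its card-seeking request package together with a timestamp and terminal counter, and a certification safety control module that decrypts the code, checks the database, checks freshness with the dispatch server and consults the identity card blacklist before forwarding. All class and method names, the shared key, the blacklist entries and the clock are assumptions; the cipher is a stand-in (HMAC-SHA256 keystream), since the claims name none, and the use of the claim-10 timestamp and counter for replay rejection is an assumed interpretation.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 keystream in counter mode.
    The claims do not name a cipher; this placeholder only keeps the example self-contained."""
    stream = bytearray()
    block_no = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        block_no += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class FakeClock:
    """Constructed clock so the validity period of claim 7 can be exercised deterministically."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


class CloudAuthDatabase:
    """Stores authentication codes and deletes them once their validity period is reached (claim 7)."""
    def __init__(self, clock):
        self._clock = clock
        self._expiry = {}          # authentication code -> absolute expiry time

    def store(self, code: str, ttl_seconds: float) -> None:
        self._expiry[code] = self._clock() + ttl_seconds

    def contains(self, code: str) -> bool:
        now = self._clock()
        for stale in [c for c, exp in self._expiry.items() if exp <= now]:
            del self._expiry[stale]   # expired codes are deleted, so a late query finds nothing
        return code in self._expiry


class DispatchServer:
    def __init__(self, db: CloudAuthDatabase, clock, blacklist=frozenset()):
        self._db, self._clock, self._blacklist = db, clock, blacklist
        self._last_counter = {}    # terminal id -> highest terminal counter seen so far

    def issue_authentication_code(self, terminal, ttl_seconds: float = 60) -> str:
        """Claim 7: generate the code and send it to both the terminal and the cloud database."""
        code = secrets.token_hex(16)
        self._db.store(code, ttl_seconds)
        terminal.receive_authentication_code(code)
        return code

    def accept_freshness(self, terminal_id: str, timestamp: int, counter: int, max_skew: int = 30) -> bool:
        """Assumed use of the claim-10 timestamp/counter: reject stale or replayed requests."""
        if abs(self._clock() - timestamp) > max_skew:
            return False
        if counter <= self._last_counter.get(terminal_id, 0):
            return False
        self._last_counter[terminal_id] = counter
        return True

    def card_is_blacklisted(self, card_identifier: str) -> bool:
        """Claim 8: identity card blacklist lookup."""
        return card_identifier in self._blacklist


class CardReadingTerminal:
    def __init__(self, terminal_id: str, key: bytes, clock):
        self.terminal_id, self._key, self._clock = terminal_id, key, clock
        self._auth_code, self._counter = None, 0

    def receive_authentication_code(self, code: str) -> None:
        self._auth_code = code

    def build_card_seeking_request(self, card_identifier: str) -> dict:
        """Card-seeking request package: the authentication code ciphertext plus the encrypted
        request carrying the card identifier, a timestamp and the terminal counter."""
        self._counter += 1
        nonce = secrets.token_bytes(12)
        request = f"{card_identifier}|{int(self._clock())}|{self._counter}".encode()
        return {"terminal_id": self.terminal_id, "nonce": nonce,
                "auth_code_ciphertext": keystream_xor(self._key, nonce + b"\x01", self._auth_code.encode()),
                "card_seeking_ciphertext": keystream_xor(self._key, nonce + b"\x02", request)}


class CertificationSafetyControlModule:
    def __init__(self, key: bytes, db: CloudAuthDatabase, dispatch: DispatchServer):
        self._key, self._db, self._dispatch = key, db, dispatch
        self.forwarded = []        # stands in for the verifying safety control module

    def handle(self, packet: dict) -> str:
        nonce = packet["nonce"]
        code = keystream_xor(self._key, nonce + b"\x01", packet["auth_code_ciphertext"]).decode("utf-8", "replace")
        if not self._db.contains(code):            # claim 7: unknown or expired code ends the process
            return "terminated: unknown or expired authentication code"
        request = keystream_xor(self._key, nonce + b"\x02", packet["card_seeking_ciphertext"]).decode("utf-8", "replace")
        card_id, timestamp, counter = request.split("|")
        if not self._dispatch.accept_freshness(packet["terminal_id"], int(timestamp), int(counter)):
            return "terminated: stale or replayed request"
        if self._dispatch.card_is_blacklisted(card_id):   # claim 8: blacklisted card is reported illegal
            return "illegal: identity card is blacklisted"
        self.forwarded.append(card_id)
        return "forwarded"


def run_demo() -> list:
    """Drive the flow: accepted request, replayed packet, blacklisted card, expired code."""
    clock, key = FakeClock(1000.0), b"\x11" * 32     # constructed key shared by terminal and module
    db = CloudAuthDatabase(clock)
    dispatch = DispatchServer(db, clock, blacklist=frozenset({"CARD-BLACKLISTED"}))
    terminal = CardReadingTerminal("T1", key, clock)
    module = CertificationSafetyControlModule(key, db, dispatch)
    dispatch.issue_authentication_code(terminal, ttl_seconds=60)
    first = terminal.build_card_seeking_request("CARD-OK")
    outcomes = [module.handle(first), module.handle(first)]          # second call is a replay
    outcomes.append(module.handle(terminal.build_card_seeking_request("CARD-BLACKLISTED")))
    clock.now += 61                                                  # validity period passes
    outcomes.append(module.handle(terminal.build_card_seeking_request("CARD-OK")))
    return outcomes
```

`run_demo()` returns the four outcomes in order: the first request is forwarded, the replayed packet is rejected on the terminal counter, the blacklisted card is reported illegal, and once the clock passes the validity period the cloud database no longer holds the code, so the module terminates the process as claim 7 requires.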
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610244410.XA CN106027256B (en) | 2016-04-18 | 2016-04-18 | A kind of identity card card reading response system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610244410.XA CN106027256B (en) | 2016-04-18 | 2016-04-18 | A kind of identity card card reading response system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106027256A CN106027256A (en) | 2016-10-12 |
CN106027256B true CN106027256B (en) | 2019-06-28 |
Family
ID=57081462
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610244410.XA Active CN106027256B (en) | 2016-04-18 | 2016-04-18 | A kind of identity card card reading response system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106027256B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109639412A (en) * | 2018-12-05 | 2019-04-16 | 成都卫士通信息产业股份有限公司 | A kind of communication means, system and electronic equipment and storage medium |
CN109902481B (en) * | 2019-03-07 | 2021-10-26 | 北京深思数盾科技股份有限公司 | Encryption lock authentication method for encryption equipment and encryption equipment |
CN113259307A (en) * | 2021-01-11 | 2021-08-13 | 深圳市雄帝科技股份有限公司 | Certificate reading method and system of shared security authentication terminal |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104700057A (en) * | 2015-04-02 | 2015-06-10 | 山东信通电子股份有限公司 | Sharable resources type resident identification card reading achievement method and resident identification card reader |
CN104715218A (en) * | 2015-04-02 | 2015-06-17 | 山东信通电子股份有限公司 | Network card-reading terminal for resident identification cards |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9319401B2 (en) * | 2014-01-27 | 2016-04-19 | Bank Of America Corporation | System and method for cross-channel authentication |
2016
- 2016-04-18 CN CN201610244410.XA (CN106027256B) active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104700057A (en) * | 2015-04-02 | 2015-06-10 | 山东信通电子股份有限公司 | Sharable resources type resident identification card reading achievement method and resident identification card reader |
CN104715218A (en) * | 2015-04-02 | 2015-06-17 | 山东信通电子股份有限公司 | Network card-reading terminal for resident identification cards |
Also Published As
Publication number | Publication date |
---|---|
CN106027256A (en) | 2016-10-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101300808B (en) | Method and arrangement for secure autentication | |
CN105050081B (en) | Method, device and system for connecting network access device to wireless network access point | |
CN106656510B (en) | A kind of encryption key acquisition methods and system | |
CN101588245B (en) | Method of identity authentication, system and memory device thereof | |
US20150349960A1 (en) | Two factor authentication using a protected pin-like passcode | |
CN109309565A (en) | A kind of method and device of safety certification | |
CN104283688B (en) | A kind of USBKey security certification systems and safety certifying method | |
CN105989386B (en) | A kind of method and apparatus for reading and writing radio frequency identification card | |
CN103201998A (en) | Data processing for securing local resources in a mobile device | |
CN104468126B (en) | A kind of safe communication system and method | |
CN109474419A (en) | A kind of living body portrait photo encryption and decryption method and encrypting and deciphering system | |
CN105991650A (en) | Secret key acquisition method and identity card information transmission method and system | |
CN109831311A (en) | A kind of server validation method, system, user terminal and readable storage medium storing program for executing | |
CN106789024A (en) | A kind of remote de-locking method, device and system | |
CN108964897A (en) | Identity authorization system and method based on group communication | |
CN106022081A (en) | Card reading method for identity-card card-reading terminal, and terminal and system for identity-card card-reading | |
CN106101160A (en) | A kind of system login method and device | |
US20120284787A1 (en) | Personal Secured Access Devices | |
CN106027457A (en) | Identity card information transmission method and system | |
CN106027256B (en) | A kind of identity card card reading response system | |
CN105024813A (en) | Server, user equipment and interactive method of the user equipment and the server | |
CN105635164B (en) | The method and apparatus of safety certification | |
CN110445782A (en) | A kind of multi-media safety broadcast control system and method | |
CN107070918A (en) | A kind of network application login method and system | |
CN103944721A (en) | Method and device for protecting terminal data security on basis of web |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20220408. Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094. Patentee after: TENDYRON Corp. Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing. Patentee before: Li Ming ||