CN106027256B - Identity card reading response system - Google Patents

Identity card reading response system

Info

Publication number: CN106027256B
Authority: CN (China)
Prior art keywords: card, data, control module, identity card, safety control
Legal status: Active
Application number: CN201610244410.XA
Other languages: Chinese (zh)
Other versions: CN106027256A
Inventor: 李明
Current Assignee: Tendyron Corp
Original Assignee: 李明

Events: application filed by 李明; priority to CN201610244410.XA; publication of CN106027256A; application granted; publication of CN106027256B; legal status active (current); anticipated expiration.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/0442 Confidential data exchange among entities communicating through data packet networks, with the payload protected by encryption or encapsulation and the sending and receiving entities applying asymmetric encryption (different keys for encryption and decryption)
            • H04L63/0823 Authentication of entities using certificates
            • H04L63/0869 Authentication of entities achieving mutual authentication
            • H04L63/0876 Authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L63/12 Applying verification of the received information
            • H04L63/18 Using different networks or channels, e.g. out-of-band channels
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/10 Protocols in which an application is distributed across nodes in the network
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
            • H04L9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L9/3236 Using cryptographic hash functions
                • H04L9/3247 Involving digital signatures
                • H04L9/3268 Involving certificates (public key certificate [PKC], attribute certificate [AC], public key infrastructure [PKI] arrangements), using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
                • H04L9/3273 Using challenge-response for mutual authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
        • G06K7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns

Abstract

The invention discloses an identity card reading response system comprising an authentication security control module and a verification security control module. The authentication security control module receives the identity card identification information sent by the identity card reading terminal and forwards it to the verification security control module. The verification security control module confirms the legitimacy of the identity card using a first authentication factor that it generates, then requests the identity card to generate a second authentication factor; the identity card uses the second authentication factor it generates to confirm the legitimacy of the verification security control module. The authentication security control module also performs safety verification on the sixth data packet sent by the identity card reading terminal to obtain the identity card data ciphertext; the verification security control module decrypts this ciphertext to obtain the identity card data plaintext; and the authentication security control module applies safety processing to the plaintext to obtain a seventh data packet, which it sends to the identity card reading terminal. The invention simplifies the implementation of identity card reading responses and improves the security of identity card data communication.

Description

Identity card reading response system
Technical field
The present invention relates to the field of electronic technology, and in particular to an identity card reading response system.
Background technique
In existing schemes for reading identity card information and responding to the read, the identity card reading terminal must be used together with a verification security control module in order to read and display the identity card information. For example, industries such as banks and railway stations that need to read identity card information usually have to deploy a large number of identity card reading terminals and verification security control modules locally, and a correspondence between the terminals and the verification security control modules also has to be configured, so the system is complex to implement and costly. Moreover, the verification security control module applies no additional encryption, signing or similar processing to the identity card data it communicates, so the security of the communication is not high.
Summary of the invention
The present invention aims to solve at least one of the above problems.
The main purpose of the present invention is to provide an identity card reading response system.
To achieve the above objectives, the technical solution of the present invention is realized as follows:
The present invention provides an identity card reading response system comprising an authentication security control module and a verification security control module. The authentication security control module receives the card reading request data packet sent by the identity card reading terminal, performs safety verification on it and, once the verification passes, obtains the identity card identification information and sends it to the verification security control module. The verification security control module receives the identity card identification information, generates a first authentication factor and sends it to the authentication security control module. The authentication security control module receives the first authentication factor, applies safety processing to it to obtain a first data packet, and sends the first data packet to the identity card reading terminal. The authentication security control module receives a second data packet sent by the identity card reading terminal, performs safety verification on it and, once the verification passes, obtains first authentication data and sends it to the verification security control module. The verification security control module receives the first authentication data and authenticates it; once authentication passes, it generates an authentication factor application request and sends it to the authentication security control module. The authentication security control module receives the authentication factor application request, applies safety processing to it to obtain a third data packet, and sends the third data packet to the identity card reading terminal. The authentication security control module receives a fourth data packet sent by the identity card reading terminal, performs safety verification on it and, once the verification passes, obtains a second authentication factor and sends it to the verification security control module. The verification security control module receives the second authentication factor, processes it to obtain second authentication data, and sends the second authentication data to the authentication security control module. The authentication security control module receives the second authentication data, applies safety processing to it to obtain a fifth data packet, and sends the fifth data packet to the identity card reading terminal. The authentication security control module receives a sixth data packet sent by the identity card reading terminal, performs safety verification on it and, once the verification passes, obtains the identity card data ciphertext and sends it to the verification security control module. The verification security control module receives the identity card data ciphertext, decrypts it to obtain the identity card data plaintext, and sends the plaintext to the authentication security control module. The authentication security control module applies safety processing to the identity card data plaintext to obtain a seventh data packet and sends the seventh data packet to the identity card reading terminal.
In addition, the card reading request data packet includes a card reading request data ciphertext and the signature value of that ciphertext; the authentication security control module uses the first certificate of the identity card reading terminal to verify the signature value and, if verification passes, decrypts the card reading request data ciphertext with the session key to obtain the identity card identification information. And/or the first data packet includes first encrypted data and first signed data; the authentication security control module encrypts the first authentication factor with the session key to obtain the first encrypted data and signs the first encrypted data with its own private key to obtain the first signed data. And/or the second data packet includes a first ciphertext and its signature value; the authentication security control module verifies the signature value with the first certificate of the identity card reading terminal and, if verification passes, decrypts the first ciphertext with the session key to obtain the first authentication data. And/or the third data packet includes second encrypted data and second signed data; the authentication security control module encrypts the authentication factor application request with the session key to obtain the second encrypted data and signs it with its private key to obtain the second signed data. And/or the fourth data packet includes a second ciphertext and its signature value; the authentication security control module verifies the signature value with the first certificate of the identity card reading terminal and, if verification passes, decrypts the second ciphertext with the session key to obtain the second authentication factor. And/or the fifth data packet includes third encrypted data and third signed data; the authentication security control module encrypts the second authentication data with the session key to obtain the third encrypted data and signs it with its private key to obtain the third signed data. And/or the sixth data packet includes a third ciphertext and its signature value; the authentication security control module verifies the signature value with the first certificate of the identity card reading terminal and, if verification passes, decrypts the third ciphertext with the session key to obtain the identity card data ciphertext. And/or the seventh data packet includes fourth encrypted data and fourth signed data; the authentication security control module encrypts the identity card data plaintext with the session key to obtain the fourth encrypted data and signs it with its private key to obtain the fourth signed data.
In addition, before performing safety verification on the card reading request data packet, the authentication security control module receives a session key request data packet sent by the identity card reading terminal, which includes a first random factor, the signature value of the first random factor and the first certificate of the identity card reading terminal. The module verifies the legitimacy of the first certificate; once that passes, it uses the first certificate to verify the signature value of the first random factor and, if the signature verifies, generates a second random factor. It encrypts the first random factor and the second random factor to obtain fifth encrypted data, signs the fifth encrypted data with its own private key to obtain fifth signed data, and sends an eighth data packet containing the fifth encrypted data and the fifth signed data to the identity card reading terminal. After generating the second random factor, the authentication security control module generates the session key from the first random factor and the second random factor.
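As an added illustration (not code from the patent or from Tendyron Corp), the session-key request described in the paragraph above and the encrypt-then-sign shape shared by the numbered data packets, modelled in Go. The patent names no algorithms, so RSA-PSS signatures, RSA-OAEP for encrypting the two random factors to the terminal's certificate key, AES-256-GCM under the session key and SHA-256(R1||R2) as the key derivation are all assumptions here; validation of the first certificate itself is assumed to have already passed and is not shown.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Packet is the shape of every numbered data packet in the claims: a ciphertext plus the sender's signature over it.
type Packet struct{ Ciphertext, Signature []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is unrecoverable
	}
	return b
}

func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// deriveSessionKey combines R1 and R2; the patent fixes no KDF, so SHA-256(R1||R2) is an assumption.
func deriveSessionKey(r1, r2 []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, r1...), r2...))
	return k[:]
}

// gcm wraps the 32-byte session key in AES-256-GCM (the patent names no symmetric cipher).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here: a programming error, not an input error
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// Seal builds an "encrypted data + signed data" packet: encrypt under the session key, then sign the ciphertext.
func Seal(key []byte, priv *rsa.PrivateKey, plaintext []byte) (Packet, error) {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	ct := aead.Seal(nonce, nonce, plaintext, nil) // nonce is prefixed to the ciphertext
	sig, err := sign(priv, ct)
	return Packet{Ciphertext: ct, Signature: sig}, err
}

// Open is the claims' "safety verification": check the signature with the peer certificate's key first, decrypt only then.
func Open(key []byte, peer *rsa.PublicKey, p Packet) ([]byte, error) {
	if !verify(peer, p.Ciphertext, p.Signature) {
		return nil, errors.New("signature verification failed")
	}
	aead := gcm(key)
	if n := aead.NonceSize(); len(p.Ciphertext) >= n {
		return aead.Open(nil, p.Ciphertext[:n], p.Ciphertext[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// ModuleRespond is the module's half of the session-key request: verify the terminal's signature on R1, draw R2, encrypt R1||R2 to the terminal's certificate key and sign that ciphertext (the 8th data packet).
func ModuleRespond(module *rsa.PrivateKey, termPub *rsa.PublicKey, r1, sig1 []byte) (Packet, []byte, error) {
	if !verify(termPub, r1, sig1) {
		return Packet{}, nil, errors.New("terminal signature on R1 rejected")
	}
	r2 := randomBytes(32)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, append(append([]byte{}, r1...), r2...), nil)
	if err != nil {
		return Packet{}, nil, err
	}
	sig, err := sign(module, enc)
	return Packet{Ciphertext: enc, Signature: sig}, deriveSessionKey(r1, r2), err
}

// TerminalFinish is the terminal's half: verify the module's signature, decrypt R1||R2 and check that R1 is the factor it sent (so a reply captured from another session is rejected).
func TerminalFinish(term *rsa.PrivateKey, modulePub *rsa.PublicKey, r1 []byte, p Packet) ([]byte, error) {
	if !verify(modulePub, p.Ciphertext, p.Signature) {
		return nil, errors.New("module signature on 8th data packet rejected")
	}
	both, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, term, p.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	if len(both) != 64 || !bytes.Equal(both[:32], r1) {
		return nil, errors.New("R1 echo mismatch")
	}
	return deriveSessionKey(both[:32], both[32:]), nil
}
```

Note the order inside Open: the signature is checked against the peer certificate's key before any decryption is attempted, so a packet altered in transit or produced under another key is rejected without the session key ever being used on it.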
In addition, before receiving the card reading request data packet sent by the identity card reading terminal, the authentication security control module receives a card search request data packet sent by the terminal, which includes a card search request data ciphertext, the signature value of that ciphertext, and the first certificate and second certificate of the identity card reading terminal. The module verifies the legitimacy of the first certificate; once that passes, it uses the first certificate to verify the signature value of the card search request data ciphertext and, if the signature verifies, decrypts the card search request data ciphertext with the authentication decryption key it has obtained to get the card search request data, which it sends to the verification security control module. The verification security control module receives the card search request data, responds to it, generates card search request response data and sends that to the authentication security control module. The authentication security control module receives the card search request response data, encrypts it with the session key to obtain sixth encrypted data, encrypts the session key with the second certificate to obtain a session key ciphertext, signs the sixth encrypted data and the session key ciphertext with its own private key to obtain sixth signed data, and sends a card search request response data packet to the identity card reading terminal, where the card search request response data packet includes the sixth encrypted data and the sixth signed data.
Furthermore, the system further includes a dispatch server. Before the authentication security control module receives the card search request data packet sent by the identity card reading terminal, the dispatch server obtains the identification information of the identity card reading terminal and judges from it whether the terminal is allowed to read identity cards. If the terminal is allowed to read identity cards, then after receiving the card search request data packet sent by the terminal the dispatch server sends a working status query request to a cloud authentication database. The cloud authentication database receives the working status query request sent by the dispatch server, queries the working status of every authentication security control module within the dispatch server's area of responsibility, and sends the query result to the dispatch server. The dispatch server receives the query result sent by the cloud authentication database, selects according to it one authentication security control module whose working status is idle, and sends the identification information of the selected authentication security control module to the identity card reading terminal.
In addition, the identification information of the identity card reading terminal includes the first certificate and the second certificate. The dispatch server judges whether the identity card reading terminal is allowed to read identity cards as follows: it verifies the legitimacy of the first certificate and allows the terminal to read identity cards if verification passes, and does not allow it if verification fails; and/or it verifies the legitimacy of the second certificate and allows the terminal to read identity cards if verification passes, and does not allow it if verification fails.
In addition, after selecting an authentication security control module whose working status is idle, the dispatch server generates an authentication code and sends it to both the identity card reading terminal and the cloud authentication database. The cloud authentication database stores the authentication code and deletes it when its validity period expires. The card search request data packet further includes an authentication code ciphertext. Before sending the card search request data to the verification security control module, the authentication security control module decrypts the authentication code ciphertext to obtain the authentication code and queries the cloud authentication database for whether that authentication code is stored; if it is, the module proceeds to send the card search request data to the verification security control module, otherwise it terminates the process.
Furthermore, the authentication security control module clears the identity card identification information after sending it to the verification security control module. And/or, after performing safety verification on the card reading request data packet and obtaining the identity card identification information once verification passes, the authentication security control module sends the identity card identification information to the dispatch server. And/or, the dispatch server judges whether the identity card identification information is on an identity card blacklist and, if so, sends indication information to the authentication security control module indicating that the identity card currently being read by the identity card reading terminal is illegal.
In addition, after applying safety processing to the identity card data plaintext to obtain the seventh data packet, the authentication security control module clears the identity card data plaintext.
In addition, the card search request data includes a timestamp and/or a terminal counter. After decrypting the card search request data ciphertext with the obtained authentication decryption key to get the card search request data, the authentication security control module sends the timestamp and/or terminal counter to the dispatch server.
As can be seen from the technical solution provided above, the present invention provides an identity card reading response system in which the verification security control module that decrypts the ciphertext data read from the identity card is not placed in the identity card reading terminal but in a cloud authentication platform. The identity card reading terminal reads the identity card by connecting to the cloud authentication platform, which greatly reduces the user's implementation cost: industries such as banking, railway stations and insurance that must read identity card information need only deploy the required number of identity card reading terminals, without deploying large numbers of verification security control modules or configuring the correspondence between verification security control modules and terminals, so the implementation is simplified. At the same time, the authentication security control module is placed in the cloud authentication platform, and the secure channel established between the authentication security control module and the identity card reading terminal improves the security of the communication between the identity card and the verification security control module and protects the identity card data in transit. Furthermore, the identity card and the verification security control module complete mutual authentication by exchanging the first authentication factor and the second authentication factor; the verification security control module then decrypts the identity card data ciphertext to obtain the identity card data plaintext, which is sent to the identity card reading terminal, completing the reading of the identity card data.
Detailed description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic architecture diagram of the identity card reading response system provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
In the description of the present invention, it should be understood that terms indicating orientation or positional relationship, such as "center", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer", are based on the orientation or positional relationship shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be understood as limiting the present invention. In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "installed", "connected" and "coupled" are to be understood broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct, indirect through an intermediary, or an internal connection between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific circumstances.
The embodiments of the present invention are described in further detail below with reference to the drawings.
Fig. 1 is a schematic structural diagram of an identity card card-reading response system provided in an embodiment of the present invention. As shown in Fig. 1, the identity card card-reading response system of this embodiment mainly includes an authentication security control module 10 and a verification security control module 20, configured as follows:

(1) The authentication security control module 10 receives the card-reading request packet sent by the identity card card-reading terminal, performs security verification on it and, after the verification passes, obtains the identity card identification information and sends it to the verification security control module 20.
(2) The verification security control module 20 receives the identity card identification information, generates a first authentication factor and sends it to the authentication security control module 10.
(3) The authentication security control module 10 receives the first authentication factor, performs security processing on it to obtain a first data packet, and sends the first data packet to the card-reading terminal.
(4) The authentication security control module 10 receives the second data packet sent by the card-reading terminal, performs security verification on it and, after the verification passes, obtains the first authentication data and sends it to the verification security control module 20.
(5) The verification security control module 20 receives the first authentication data, authenticates it and, after the authentication passes, generates an authentication factor application request and sends it to the authentication security control module 10.
(6) The authentication security control module 10 receives the authentication factor application request, performs security processing on it to obtain a third data packet, and sends the third data packet to the card-reading terminal.
(7) The authentication security control module 10 receives the fourth data packet sent by the card-reading terminal, performs security verification on it and, after the verification passes, obtains the second authentication factor and sends it to the verification security control module 20.
(8) The verification security control module 20 receives the second authentication factor, processes it to obtain second authentication data, and sends the second authentication data to the authentication security control module 10.
(9) The authentication security control module 10 receives the second authentication data, performs security processing on it to obtain a fifth data packet, and sends the fifth data packet to the card-reading terminal.
(10) The authentication security control module 10 receives the sixth data packet sent by the card-reading terminal, performs security verification on it and, after the verification passes, obtains the identity card data ciphertext and sends it to the verification security control module 20.
(11) The verification security control module 20 receives the identity card data ciphertext, decrypts it to obtain the identity card data plaintext, and sends the plaintext to the authentication security control module 10.
(12) The authentication security control module 10 performs security processing on the identity card data plaintext to obtain a seventh data packet, and sends the seventh data packet to the card-reading terminal.
In this embodiment, the identity card identification information is information unique to the identity card, such as its serial number, application data indicating the applications configured in the card, and transport protocol parameters (for example, transport protocol type, bit rate and maximum frame size). The card-reading terminal can read this identification information directly; it does not need to be decrypted by the verification security control module 20 authorized by the Ministry of Public Security.
As an optional implementation of this embodiment, the card-reading request packet includes a card-reading request data ciphertext and a signature value of that ciphertext. The card-reading request data ciphertext is obtained by the identity card card-reading terminal encrypting, with the session key, the card-reading request data that contains the identity card identification information; the signature value is obtained by the terminal signing the ciphertext with its own first private key. Specifically, the terminal computes a digest of the card-reading request data ciphertext with a HASH algorithm and encrypts that digest with its first private key, giving the signature value. The authentication security control module 10 verifies the signature value with the terminal's first certificate and, if the verification passes, decrypts the ciphertext with the session key to obtain the identity card identification information. Specifically, module 10 first recovers the digest of the ciphertext from the signature value using the first public key in the terminal's first certificate, computes its own digest of the received ciphertext with the HASH algorithm, and compares the two: if they are identical the signature verification passes; otherwise the card-reading response process is terminated. When the verification passes, module 10 decrypts the ciphertext with the session key and obtains the identity card identification information. The first certificate contains at least the terminal's first public key; the first public key and the first private key of the terminal form an asymmetric key pair.

If module 10 can recover the digest from the signature value with the terminal's first public key, the signature value was issued by the terminal and the data source is legitimate; if it cannot, the signature value was not issued by the terminal and the source is illegitimate. Verifying the signature value therefore confirms the legitimacy of the data source. If the ciphertext is tampered with in transit by an illegitimate party, the digest that module 10 computes over the tampered ciphertext during verification necessarily differs from the digest recovered from the signature value with the terminal's first public key, so the verification fails; verifying the signature value therefore also reveals whether the ciphertext has been tampered with and guarantees the integrity of the received ciphertext. If module 10 cannot decrypt the received ciphertext with the session key it shares with the terminal, the ciphertext was not issued by the terminal, so decrypting the ciphertext likewise confirms the legitimacy of the source. If a third party intercepts the ciphertext, it cannot decrypt it, because it does not hold the session key shared between module 10 and the terminal, and so cannot obtain the card-reading request data; encrypting the card-reading request data therefore prevents it from being stolen or read in transit and guarantees its transmission security. It should be noted that every signature verification in this embodiment follows the procedure described here, so the procedure is not repeated where signature verification is mentioned below.
As an optional implementation of this embodiment, the system further provides that: the authentication security control module 10 clears the identity card identification information after sending it to the verification security control module 20; and/or, after the security verification of the card-reading request packet passes and the identification information is obtained, module 10 sends the identification information to a dispatch server 30; and/or the dispatch server 30 determines whether the identification information is on an identity card blacklist and, if so, sends indication information to module 10 indicating that the identity card currently being read by the card-reading terminal is illegitimate. In this optional implementation the dispatch server 30 is likewise located on the cloud authentication platform. The dispatch server 30 may also, based on the identity card identification information, the identification information of the card-reading terminal and a preset policy, decide whether to add the terminal's identification information to a blacklist or a control list.
As an optional implementation of this embodiment, the authentication security control module 10 clears the identity card identification information after sending it to the verification security control module 20. Clearing the decrypted plaintext identification information immediately after it has been sent means that module 10 retains no identity card information at all, protecting the user's privacy and security.
In this embodiment, before the verification security control module 20 receives the identity card data ciphertext sent by the identity card, the identity card and module 20 should complete mutual authentication, the purpose of which is to ensure that both the identity card and module 20 are legitimate. Module 20 authenticates the identity card by means of the first authentication factor, which may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters.
As an optional implementation of this embodiment, the first data packet includes first encrypted data and first signature data. The authentication security control module 10 encrypts the first authentication factor with the session key to obtain the first encrypted data, and signs the first encrypted data with its own private key to obtain the first signature data; specifically, module 10 computes a digest of the first encrypted data with a HASH algorithm and encrypts that digest with its private key, giving the first signature data. Module 10 then sends the first data packet, containing the first encrypted data and the first signature data, to the card-reading terminal. Because the first authentication factor is encrypted with the session key, a third party that intercepts the first encrypted data cannot obtain the first authentication factor: without the session key it cannot decrypt the first encrypted data, and only the card-reading terminal, which holds the same session key, can. The first authentication factor is thus protected from being stolen or read in transit. After module 10 sends the first signature data to the terminal, the terminal performs signature verification: if it can recover the digest from the first signature data with module 10's public key, the first signature data was issued by module 10 and the data source is legitimate; if it cannot, the first signature data was not issued by module 10 and the source is illegitimate. Signing the first encrypted data therefore lets the terminal confirm the legitimacy of the data source. If the first encrypted data is tampered with in transit, the digest the terminal computes over the tampered data during verification necessarily differs from the digest recovered from the first signature data with module 10's public key, so the verification fails; signing the first encrypted data therefore prevents undetected tampering and guarantees the integrity of the first encrypted data received by the terminal. In this optional implementation, the certificate of module 10 must be sent to the card-reading terminal; it contains at least module 10's public key, which forms an asymmetric key pair with module 10's private key. The terminal verifies the first signature data with that public key and, after the verification passes, decrypts the first encrypted data with the session key, obtains the first authentication factor and sends it to the identity card. It should be noted that every signing operation in this embodiment follows the procedure described here, so the procedure is not repeated where signing is mentioned below.
In this embodiment, after the identity card receives the first authentication factor from the card-reading terminal, it processes the factor with a processing algorithm authorized by the Ministry of Public Security and preconfigured in the card, obtains first authentication data, and sends the first authentication data to the terminal. The terminal performs security processing on the first authentication data to obtain the second data packet and sends it to the authentication security control module 10. The identity card may process the first authentication factor in, but not limited to, the following ways. Mode one: the card computes a MAC over the first authentication factor with its security key; the MAC value is the first authentication data. Mode two: the card encrypts the first authentication factor with its security key; the result is the first authentication data. The security key is preconfigured in legitimate identity cards, and only legitimate identity cards hold it.
As an optional implementation of this embodiment, the second data packet includes a first ciphertext and a signature value of the first ciphertext, where the first ciphertext is obtained by the card-reading terminal encrypting the first authentication data with the session key, and the signature value is obtained by the terminal signing the first ciphertext with its own first private key. The authentication security control module 10 verifies the signature value of the first ciphertext with the terminal's first certificate and, if the verification passes, decrypts the first ciphertext with the session key to obtain the first authentication data; otherwise it terminates the card-reading response process. As with the card-reading request packet, recovering the digest from the signature value with the terminal's first public key confirms that the first ciphertext was issued by the terminal and that the data source is legitimate, while a mismatch between the recovered digest and the digest computed over the received first ciphertext shows that the first ciphertext was tampered with in transit, so signature verification guarantees the integrity of the received first ciphertext. If module 10 cannot decrypt the received first ciphertext with the session key it shares with the terminal, the first ciphertext was not issued by the terminal, so decryption likewise confirms the legitimacy of the source; and a third party that intercepts the first ciphertext cannot decrypt it without that session key and cannot obtain the first authentication data, so encryption prevents the first authentication data from being stolen or read in transit and guarantees its transmission security.
In this embodiment, the verification security control module 20 authenticates the received first authentication data with an authentication algorithm authorized by the Ministry of Public Security and preconfigured in the module. If the authentication passes, the legitimacy of the identity card is established, that is, the card is genuine and legitimate; module 20 then generates an authentication factor application request and sends it to the authentication security control module 10. Module 20 may authenticate the first authentication data in, but not limited to, the following ways. Mode one: module 20 computes a MAC over the first authentication factor it generated, using the security key corresponding to the identity card identification information, and compares the computed MAC value with the received first authentication data; if they are identical, the authentication passes. Mode two: module 20 decrypts the received first authentication data with the security key corresponding to the identification information, obtains an authentication factor, and compares it with the first authentication factor it generated; if they are identical, the authentication passes. Mode three: module 20 encrypts the first authentication factor it generated with the security key corresponding to the identification information and compares the result with the received first authentication data; if they are identical, the authentication passes. If the authentication passes, the security key used by the identity card is identical to the security key used by module 20, which shows that the card is a legitimate identity card; by authenticating the first authentication data, module 20 thus confirms the legitimacy of the card. Module 20 computes the security key corresponding to the identity card identification information from preset information. Optionally, if the authentication of the first authentication data fails, the card-reading response process is terminated.
As an optional implementation of this embodiment, the third data packet includes second encrypted data and second signature data. The authentication security control module 10 encrypts the authentication factor application request with the session key to obtain the second encrypted data, and signs the second encrypted data with its own private key to obtain the second signature data; it then sends the third data packet, containing the second encrypted data and the second signature data, to the card-reading terminal. Because the request is encrypted with the session key, a third party that intercepts the second encrypted data cannot obtain the authentication factor application request: without the session key it cannot decrypt the data, and only the card-reading terminal, which holds the same session key, can, so the request is protected from being stolen or read in transit. After receiving the second signature data, the terminal performs signature verification: if it can recover the digest from the second signature data with module 10's public key, the second signature data was issued by module 10 and the data source is legitimate; if it cannot, the second signature data was not issued by module 10 and the source is illegitimate, so signing the second encrypted data lets the terminal confirm the legitimacy of the data source. If the second encrypted data is tampered with in transit, the digest the terminal computes over the tampered data necessarily differs from the digest recovered from the second signature data with module 10's public key, so the verification fails; signing the second encrypted data therefore prevents undetected tampering and guarantees the integrity of the second encrypted data received by the terminal. In this optional implementation, the terminal verifies the second signature data with module 10's public key and, after the verification passes, decrypts the second encrypted data with the session key, obtains the authentication factor application request and sends it to the identity card.
In this embodiment, the identity card receives the authentication factor application request forwarded by the card-reading terminal, generates a second authentication factor and sends it to the terminal. The terminal performs security processing on the second authentication factor to obtain the fourth data packet and sends it to the authentication security control module 10. The identity card uses the second authentication factor to authenticate the verification security control module 20. The second authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters.
As an optional implementation of this embodiment, the fourth data packet includes a second ciphertext and a signature value of the second ciphertext, where the second ciphertext is obtained by the card-reading terminal encrypting the second authentication factor with the session key, and the signature value is obtained by the terminal signing the second ciphertext with its own first private key. The authentication security control module 10 verifies the signature value of the second ciphertext with the terminal's first certificate and, if the verification passes, decrypts the second ciphertext with the session key to obtain the second authentication factor; otherwise it terminates the card-reading response process. As before, recovering the digest from the signature value with the terminal's first public key confirms that the second ciphertext was issued by the terminal and that the data source is legitimate, while a mismatch between the recovered digest and the digest computed over the received second ciphertext shows that the second ciphertext was tampered with in transit, so signature verification guarantees the integrity of the received second ciphertext. If module 10 cannot decrypt the received second ciphertext with the session key it shares with the terminal, the second ciphertext was not issued by the terminal, so decryption likewise confirms the legitimacy of the source; and a third party that intercepts the second ciphertext cannot decrypt it without that session key and cannot obtain the second authentication factor, so encryption prevents the second authentication factor from being stolen or read in transit and guarantees its transmission security.
In this embodiment, the verification security control module 20 processes the received second authentication factor with the preconfigured processing algorithm authorized by the Ministry of Public Security to obtain second authentication data, and sends the second authentication data to the authentication security control module 10. The verification security control module 20 may process the second authentication factor in, but not limited to, the following ways. Mode one: the verification security control module 20 computes a MAC over the second authentication factor with the security key corresponding to the identity card identification information; the resulting MAC value is the second authentication data. Mode two: the verification security control module 20 encrypts the second authentication factor with the security key corresponding to the identity card identification information to obtain the second authentication data. The verification security control module 20 derives the security key corresponding to the identity card identification information from preset information.
As an optional implementation of this embodiment, the fifth data packet includes third encrypted data and third signature data. The authentication security control module 10 is specifically configured to encrypt the second authentication data with the session key to obtain the third encrypted data, to sign the third encrypted data with the private key of the authentication security control module 10 to obtain the third signature data, and to send the fifth data packet containing the third encrypted data and the third signature data to the identity card reading terminal. Because the authentication security control module 10 encrypts the second authentication data with the session key, a third party that intercepts the third encrypted data still cannot obtain the second authentication data: without the session key it cannot decrypt the third encrypted data, and only the identity card reading terminal, which holds the same session key, can decrypt it. This effectively prevents the second authentication data from being illegally stolen or read during network transmission and guarantees its transmission security. After the authentication security control module 10 sends the third signature data to the identity card reading terminal, the terminal performs signature verification: if the third signature data verifies under the public key of the authentication security control module 10, the received third signature data was issued by the authentication security control module 10 and the data source is legitimate; if it does not verify, the third signature data was not issued by the authentication security control module 10 and the data source is illegitimate. Signing the third encrypted data therefore lets the identity card reading terminal confirm the legitimacy of the data source. If the third encrypted data was tampered with in transit, the digest the identity card reading terminal computes by hashing the tampered third encrypted data during verification necessarily differs from the digest recovered from the third signature data with the public key of the authentication security control module 10, so verification fails; signing the third encrypted data therefore prevents it from being tampered with undetected and guarantees the integrity of the third encrypted data received by the identity card reading terminal. In this optional implementation, the identity card reading terminal verifies the third signature data with the public key of the authentication security control module 10 and, once verification passes, decrypts the third encrypted data with the session key to obtain the second authentication data, which it sends to the identity card.
In this embodiment, after receiving the second authentication data sent by the identity card reading terminal, the identity card first authenticates the second authentication data with its preset built-in authentication algorithm and, once authentication passes, sends the identity card data ciphertext to the identity card reading terminal. The identity card data ciphertext is usually the ciphertext of data such as the resident identity card number, name, photograph, age, address, card validity period and/or fingerprint. The identity card may authenticate the second authentication data in, but not limited to, the following ways. Mode one: the identity card computes a MAC over the second authentication factor it generated, using its built-in security key, and compares the computed MAC value with the received second authentication data; if they are identical, authentication of the second authentication data passes. Mode two: the identity card decrypts the received second authentication data with its built-in security key to obtain an authentication factor and compares it with the second authentication factor it generated; if they are identical, authentication of the second authentication data passes. Mode three: the identity card encrypts the second authentication factor it generated with its built-in security key to obtain authentication data and compares it with the received second authentication data; if they are identical, authentication of the second authentication data passes. If the identity card's authentication of the second authentication data passes, the security key used by the verification security control module 20 is identical to the security key built into the identity card, so the verification security control module 20 is a legitimate verification security control module 20; by authenticating the second authentication data, the identity card confirms the legitimacy of the verification security control module 20. As an optional implementation, if authentication of the second authentication data does not pass, the identity card reading response process is terminated. The identity card reading terminal performs security processing on the received identity card data ciphertext to obtain a sixth data packet and sends the sixth data packet to the authentication security control module 10. As an optional implementation, the identity card reading terminal may send the information contained in the identity card data ciphertext to the authentication security control module 10 in a single data packet in one transmission, or split it across several data packets sent in several transmissions.
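The mode-one MAC exchange described in the two paragraphs above (the verification security control module 20 computing the second authentication data, and the identity card recomputing and comparing it) as an added, runnable Go example; this is not code from the patent. Assumptions: the per-card security key is derived with HMAC-SHA256 from the card identification information under a master secret standing in for the "preset information", the MAC is HMAC-SHA256, and the factor is 16 random bytes; all names, keys and identifiers are constructed for the example. The card compares with a constant-time function, a detail the text does not mention but which matters when the compared value is a MAC.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// masterKey stands in for the "preset information" from which verification security
// control module 20 derives the per-card security key. Constructed for this example.
var masterKey = []byte("example-master-key-not-real-material")

// deriveCardKey derives the security key corresponding to one identity card's
// identification information. Assumption: HMAC-SHA256 over the card identification
// info under the master key; the real derivation is not specified on the page.
func deriveCardKey(cardID []byte) []byte {
	m := hmac.New(sha256.New, masterKey)
	m.Write([]byte("card-security-key|"))
	m.Write(cardID)
	return m.Sum(nil)
}

// VerifierAuthData is what verification security control module 20 returns as the
// second authentication data (mode one): a MAC over the second authentication factor.
func VerifierAuthData(cardID, factor []byte) []byte {
	m := hmac.New(sha256.New, deriveCardKey(cardID))
	m.Write(factor)
	return m.Sum(nil)
}

// Card models the identity card: it carries its built-in security key and remembers
// the second authentication factor it generated for the current session.
type Card struct {
	builtInKey []byte
	factor     []byte
}

func NewCard(cardID []byte) *Card {
	return &Card{builtInKey: deriveCardKey(cardID)}
}

// NewFactor generates the second authentication factor (16 random bytes) in response
// to the terminal's authentication factor request.
func (c *Card) NewFactor() []byte {
	c.factor = make([]byte, 16)
	if _, err := rand.Read(c.factor); err != nil {
		panic(err)
	}
	return c.factor
}

// Authenticate is the card-side check (mode one): recompute the MAC over the factor
// the card itself generated and compare it with the received second authentication
// data. hmac.Equal is constant-time, so the comparison does not leak how many leading
// bytes matched.
func (c *Card) Authenticate(authData []byte) bool {
	if c.factor == nil {
		return false
	}
	m := hmac.New(sha256.New, c.builtInKey)
	m.Write(c.factor)
	return hmac.Equal(m.Sum(nil), authData)
}

func main() {
	cardID := []byte("constructed-card-id-0001")
	card := NewCard(cardID)
	factor := card.NewFactor()

	// Legitimate verification module: same derived key, authentication passes.
	fmt.Println("legitimate module:", card.Authenticate(VerifierAuthData(cardID, factor)))

	// A module holding the key of a different card: authentication fails.
	fmt.Println("wrong key:", card.Authenticate(VerifierAuthData([]byte("other-card"), factor)))

	// Authentication data computed over an earlier factor is useless once the card
	// has issued a fresh one: the random factor is what defeats replay.
	old := VerifierAuthData(cardID, factor)
	card.NewFactor()
	fmt.Println("replayed data:", card.Authenticate(old))
}
```

Modes two and three of the text differ only in replacing the MAC with a decryption or encryption under the same built-in key; the card-side comparison and the replay protection provided by a fresh factor are the same.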
The verification security control module 20 confirms the legitimacy of the identity card through the first authentication factor, and the identity card confirms the legitimacy of the verification security control module 20 through the second authentication factor. Only after this mutual authentication passes does the identity card send the identity card data ciphertext to the identity card reading terminal.
As an optional implementation of this embodiment, the sixth data packet includes a third ciphertext and the signature value of the third ciphertext. The third ciphertext is obtained by the identity card reading terminal encrypting the identity card data ciphertext with the session key; the signature value of the third ciphertext is obtained by the identity card reading terminal signing the third ciphertext with its own first private key. The authentication security control module 10 is specifically configured to verify the signature value of the third ciphertext using the first certificate of the identity card reading terminal and, if verification passes, to decrypt the third ciphertext with the session key to obtain the identity card data ciphertext; otherwise it terminates the identity card reading response process. If the signature value verifies under the first public key of the identity card reading terminal, the received signature value was issued by the identity card reading terminal and the data source is legitimate; if it does not verify, the signature value was not issued by the identity card reading terminal and the data source is illegitimate. Verifying the signature value of the third ciphertext therefore confirms the legitimacy of the data source. If the third ciphertext was tampered with in transit, the digest the authentication security control module 10 computes by hashing the tampered third ciphertext during verification necessarily differs from the digest recovered from the signature value with the first public key of the identity card reading terminal, so verification fails; verifying the signature value of the third ciphertext therefore also detects whether the third ciphertext was tampered with and guarantees the integrity of the received third ciphertext. If the authentication security control module 10 cannot decrypt the received third ciphertext with the session key it shares with the identity card reading terminal, the third ciphertext was not issued by the identity card reading terminal, so decrypting the third ciphertext also confirms the legitimacy of the data source. If a third party intercepts the third ciphertext, it cannot decrypt it and cannot obtain the identity card data ciphertext, because it does not hold the session key shared by the authentication security control module 10 and the identity card reading terminal; decrypting under the session key therefore prevents the identity card data ciphertext from being illegally stolen or read during network transmission and guarantees its transmission security.
In this embodiment, the identity card data plaintext is usually the plaintext of data such as the resident identity card number, name, photograph, age, address, card validity period and fingerprint.
In this embodiment, once the authentication security control module 10 has sent the seventh data packet to the identity card reading terminal, the identity card reading response has succeeded and the identity card reading response process ends.
As an optional implementation of this embodiment, the authentication security control module 10 may send the information contained in the identity card data plaintext to the identity card reading terminal in a single data packet in one transmission, or split it across several data packets sent in several transmissions.
As an optional implementation of this embodiment, the seventh data packet includes fourth encrypted data and fourth signature data. The authentication security control module 10 is specifically configured to encrypt the identity card data plaintext with the session key to obtain the fourth encrypted data, and to sign the fourth encrypted data with the private key of the authentication security control module 10 to obtain the fourth signature data. The authentication security control module 10 sends the seventh data packet containing the fourth encrypted data and the fourth signature data to the identity card reading terminal. Because the authentication security control module 10 encrypts the identity card data plaintext with the session key, a third party that intercepts the fourth encrypted data still cannot obtain the identity card data plaintext: without the session key it cannot decrypt the fourth encrypted data, and only the identity card reading terminal, which holds the same session key, can decrypt it. This effectively prevents the identity card data plaintext from being illegally stolen or read during network transmission and guarantees its transmission security. After the authentication security control module 10 sends the fourth signature data to the identity card reading terminal, the terminal performs signature verification: if the fourth signature data verifies under the public key of the authentication security control module 10, the received fourth signature data was issued by the authentication security control module 10 and the data source is legitimate; if it does not verify, the fourth signature data was not issued by the authentication security control module 10 and the data source is illegitimate. Signing the fourth encrypted data therefore lets the identity card reading terminal confirm the legitimacy of the data source. If the fourth encrypted data was tampered with in transit, the digest the identity card reading terminal computes by hashing the tampered fourth encrypted data during verification necessarily differs from the digest recovered from the fourth signature data with the public key of the authentication security control module 10, so verification fails; signing the fourth encrypted data therefore prevents it from being tampered with undetected and guarantees the integrity of the fourth encrypted data received by the identity card reading terminal. In this optional implementation, the identity card reading terminal verifies the fourth signature data with the public key of the authentication security control module 10 and, once verification passes, decrypts the fourth encrypted data with the session key to obtain the identity card data plaintext.
As an optional implementation of this embodiment, the authentication security control module 10 is further configured to remove the identity card data plaintext after performing security processing on it to obtain the seventh data packet. Because the identity card data plaintext is removed from the module immediately after it has been encrypted and sent, no identity card information is retained, which protects the user's privacy and security.
In this embodiment, the authentication security control module 10 is a security chip approved by the State Cryptography Administration. The verification security control module 20 is responsible for decrypting the identity card data ciphertext and returning the resulting identity card data plaintext to the identity card reading terminal; it uses the dedicated product (SAM module) designated by the Ministry of Public Security and complies with GA 467-2013, "Technical Interface Specification for the Resident Identity Card Verification Security Control Module". Both the authentication security control module 10 and the verification security control module 20 are located in the cloud authentication platform.
In this embodiment, the identity card reading terminal is not itself equipped with a verification security control module 20 capable of decrypting the ciphertext data read from the identity card; instead, the verification security control module 20 is located in the cloud authentication platform, and the identity card reading terminal reads identity cards by connecting to that platform. This greatly reduces users' implementation cost, especially for industries such as banking, railway stations and insurance that must perform identity card reading: they need only deploy the required number of identity card reading terminals, without deploying large numbers of verification security control modules 20 or configuring large numbers of correspondences between verification security control modules 20 and identity card reading terminals, which simplifies implementation. The cloud authentication platform also contains the authentication security control module 10, which performs security verification on the identity-card-related data sent by the identity card reading terminal, forwards the data to the verification security control module 20 only after verification passes, performs security processing on the response data returned by the verification security control module 20, and sends the processed data to the identity card reading terminal. A secure channel is thus established between the authentication security control module 10 and the identity card reading terminal; this secure channel improves the security of communication between the identity card and the verification security control module 20 and guarantees the transmission security of the identity card data. The identity card and the verification security control module 20 complete mutual authentication by exchanging the first authentication factor and the second authentication factor, after which the verification security control module 20 decrypts the identity card data ciphertext to obtain the identity card data plaintext and sends it to the identity card reading terminal, completing the reading of the identity card.
As an optional implementation of this embodiment, the authentication security control module 10 must obtain the session key before it performs security verification on the card reading request data packet. It is therefore further configured, before performing security verification on the card reading request data packet, to receive a session key request data packet sent by the identity card reading terminal, where the session key request data packet contains a first random factor, the signature value of the first random factor and the first certificate of the identity card reading terminal; to verify the legitimacy of the first certificate and, once that passes, to verify the signature value of the first random factor with the first certificate; to generate a second random factor if signature verification passes; to encrypt the first random factor and the second random factor to obtain fifth encrypted data and sign the fifth encrypted data with the private key of the authentication security control module 10 to obtain fifth signature data; and to send an eighth data packet containing the fifth encrypted data and the fifth signature data to the identity card reading terminal. The authentication security control module 10 is further configured, after generating the second random factor, to generate the session key from the first random factor and the second random factor.
In this optional implementation, the signature value of the first random factor is produced by the identity card reading terminal signing with its own first private key. The first random factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters.
In this optional implementation, the authentication security control module 10 verifies the first certificate of the identity card reading terminal against the root certificate; if verification passes, the first certificate of the identity card reading terminal is legitimate.
In this optional implementation, if the signature value of the first random factor verifies under the first public key of the identity card reading terminal, the received signature value was issued by the identity card reading terminal and the data source is legitimate; if it does not verify, the signature value was not issued by the identity card reading terminal and the data source is illegitimate. Verifying the signature value of the first random factor therefore confirms the legitimacy of the data source. If the first random factor was tampered with in transit, the digest the authentication security control module 10 computes by hashing the tampered first random factor during verification necessarily differs from the digest recovered from the signature value with the first public key of the identity card reading terminal, so verification fails; verifying the signature value of the first random factor therefore also detects whether the first random factor was tampered with and guarantees the integrity of the received first random factor.
In this optional implementation, the second random factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters.
In this optional implementation, if the authentication security control module 10 fails to verify the signature value of the first random factor, it terminates the session key request response process.
In this optional implementation, the authentication security control module 10 generates the session key from the first random factor and the second random factor with a preset algorithm.
In this optional implementation, the authentication security control module 10 encrypts the first random factor and the second random factor with the first certificate of the identity card reading terminal, that is, with the first public key contained in that certificate, to obtain the fifth encrypted data. Even if a third party intercepts the fifth encrypted data, it cannot obtain the first random factor and the second random factor, because the fifth encrypted data can only be decrypted with the first private key, which only the identity card reading terminal holds; this effectively prevents the first random factor and the second random factor from being illegally stolen or read during network transmission and guarantees the security of their transmission, and with it the secrecy of the session key derived from them. After the authentication security control module 10 sends the fifth signature data to the identity card reading terminal, the terminal performs signature verification: if the fifth signature data verifies under the public key of the authentication security control module 10, the received fifth signature data was issued by the authentication security control module 10 and the data source is legitimate; if it does not verify, the fifth signature data was not issued by the authentication security control module 10 and the data source is illegitimate. Signing the fifth encrypted data therefore lets the identity card reading terminal confirm the legitimacy of the data source. If the fifth encrypted data was tampered with in transit, the digest the identity card reading terminal computes by hashing the tampered fifth encrypted data during verification necessarily differs from the digest recovered from the fifth signature data with the public key of the authentication security control module 10, so verification fails; signing the fifth encrypted data therefore prevents it from being tampered with undetected and guarantees the integrity of the fifth encrypted data received by the identity card reading terminal.
In this optional implementation, after the identity card reading terminal receives the eighth data packet, it verifies the fifth signature data with the public key of the authentication security control module 10 and, once verification passes, decrypts the fifth encrypted data with its own first private key to obtain the first random factor and the second random factor. It then compares the decrypted first random factor with the first random factor it generated. If they are identical, the authentication security control module 10 received the first random factor, and the first random factor it received is the one the identity card reading terminal generated; the identity card reading terminal then applies the same algorithm as the preset algorithm above to the first random factor and the second random factor and generates a session key identical to that of the authentication security control module 10. The authentication security control module 10 can then use this session key to establish a secure channel with the identity card reading terminal for transmitting identity-card-related data, which improves the security of the data transmission. If they are not identical, the first random factor received by the authentication security control module 10 differs from the one generated by the identity card reading terminal; applying the same preset algorithm to their respective first and second random factors, the identity card reading terminal and the authentication security control module 10 derive two different session keys and cannot decrypt the encrypted data the other side sends.
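The session key establishment just described (session key request with signed R1, the eighth data packet with R1 || R2 encrypted under the terminal's first public key and signed by the module, and the terminal's check that the returned R1 is its own) as an added, runnable Go example with both sides' steps; it is not code from the patent. Assumptions, none of which the text fixes: RSA-2048 key pairs for both parties, RSA-PSS over SHA-256 for the signatures, RSA-OAEP for the encryption of the two factors, 16-byte random factors, and a SHA-256 hash of both factors as the "preset algorithm" that derives the session key. The terminal's public key is passed in directly, standing in for a first certificate that has already been validated against the root certificate; all function names are invented.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const factorLen = 16 // bytes per random factor (constructed choice)

// DeriveSessionKey is the "preset algorithm" both sides apply to the two random factors.
// Assumption: SHA-256 over a label and R1 || R2; the text names no algorithm.
func DeriveSessionKey(r1, r2 []byte) []byte {
	h := sha256.New()
	h.Write([]byte("id-card-session-key|"))
	h.Write(r1)
	h.Write(r2)
	return h.Sum(nil)
}

func randomFactor() []byte {
	b := make([]byte, factorLen)
	rand.Read(b) // crypto/rand; a failure here is unrecoverable in practice
	return b
}

// NewKey stands in for a party's key pair (constructed; no real certificate is involved).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil)
}

// TerminalRequest builds the session key request data packet: R1 and its signature
// under the terminal's first private key. The terminal must remember R1.
func TerminalRequest(terminalKey *rsa.PrivateKey) (r1, sig []byte, err error) {
	r1 = randomFactor()
	sig, err = sign(terminalKey, r1)
	return r1, sig, err
}

// ModuleHandleRequest is authentication security control module 10: verify the signature
// over R1, generate R2, encrypt R1 || R2 under the terminal's first public key (fifth
// encrypted data), sign that ciphertext (fifth signature data), derive the session key.
func ModuleHandleRequest(moduleKey *rsa.PrivateKey, terminalPub *rsa.PublicKey, r1, sig []byte) (enc, sig5, sessionKey []byte, err error) {
	if len(r1) != factorLen || verify(terminalPub, r1, sig) != nil {
		return nil, nil, nil, errors.New("signature over first random factor failed: request rejected")
	}
	r2 := randomFactor()
	both := append(append([]byte{}, r1...), r2...)
	if enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, terminalPub, both, nil); err != nil {
		return nil, nil, nil, err
	}
	if sig5, err = sign(moduleKey, enc); err != nil {
		return nil, nil, nil, err
	}
	return enc, sig5, DeriveSessionKey(r1, r2), nil
}

// TerminalHandleResponse processes the eighth data packet: verify the module's signature,
// decrypt with the first private key, check that the returned R1 is the one sent, and
// derive the same session key. Any failure leaves the terminal without a session key.
func TerminalHandleResponse(terminalKey *rsa.PrivateKey, modulePub *rsa.PublicKey, sentR1, enc, sig5 []byte) ([]byte, error) {
	if verify(modulePub, enc, sig5) != nil {
		return nil, errors.New("fifth signature data failed verification")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, terminalKey, enc, nil)
	if err != nil || len(pt) != 2*factorLen {
		return nil, errors.New("fifth encrypted data could not be decrypted")
	}
	if !bytes.Equal(pt[:factorLen], sentR1) {
		return nil, errors.New("returned first random factor differs from the one sent")
	}
	return DeriveSessionKey(pt[:factorLen], pt[factorLen:]), nil
}

func main() {
	terminalKey, moduleKey := NewKey(), NewKey()
	r1, sig, _ := TerminalRequest(terminalKey)
	enc, sig5, moduleSK, _ := ModuleHandleRequest(moduleKey, &terminalKey.PublicKey, r1, sig)
	terminalSK, err := TerminalHandleResponse(terminalKey, &moduleKey.PublicKey, r1, enc, sig5)
	fmt.Println("session keys match:", err == nil && bytes.Equal(terminalSK, moduleSK))

	bad := append([]byte{}, r1...) // an R1 altered in transit no longer matches its signature
	bad[0] ^= 0xff
	_, _, _, err = ModuleHandleRequest(moduleKey, &terminalKey.PublicKey, bad, sig)
	fmt.Println("tampered request:", err)
}
```

Two points the code makes explicit that the prose only implies: the module has no way to tell a replayed session key request from a fresh one (R1 is chosen by the terminal), so its contribution R2 is what guarantees the derived key is fresh; and the terminal's comparison of the returned R1 with the one it sent is what binds the eighth packet to its own request rather than to some other terminal's.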
As an optional implementation of this embodiment, the authentication security control module 10 is further configured, before receiving the card reading request data packet sent by the identity card reading terminal, to receive a card-seeking request data packet sent by the identity card reading terminal, where the card-seeking request data packet contains card-seeking request data ciphertext, the signature value of the card-seeking request data ciphertext, and the first certificate and second certificate of the identity card reading terminal; to verify the legitimacy of the first certificate and, once that passes, to verify the signature value of the card-seeking request data ciphertext with the first certificate; and, if signature verification passes, to decrypt the card-seeking request data ciphertext with the obtained authentication decryption key to obtain the card-seeking request data and send it to the verification security control module 20. The verification security control module 20 is further configured to receive the card-seeking request data, respond to it, generate card-seeking request response data, and send that response data to the authentication security control module 10. The authentication security control module 10 is further configured to receive the card-seeking request response data, encrypt it with the session key to obtain sixth encrypted data, encrypt the session key with the second certificate to obtain a session key ciphertext, sign the sixth encrypted data and the session key ciphertext with the private key of the authentication security control module 10 to obtain sixth signature data, and send a card-seeking request response data packet to the identity card reading terminal, where the card-seeking request response data packet contains the sixth encrypted data and the sixth signature data.
In this optional implementation, the card-seeking request data ciphertext is obtained by the identity card reading terminal encrypting the card-seeking request data with the authentication encryption key, and the signature value of the card-seeking request data ciphertext is obtained by the identity card reading terminal signing the card-seeking request data ciphertext with its own first private key.
Optionally, the first certificate and the second certificate may be the same certificate or different certificates.
Optionally, the card-seeking request data includes a timestamp and/or a terminal counter. The authentication security control module 10 is further configured, after decrypting the card-seeking request data ciphertext with the obtained authentication decryption key to obtain the card-seeking request data, to send the timestamp and/or terminal counter to the dispatch server 30. The dispatch server 30 can use information such as the timestamp and terminal counter to apply frequency control to identity card reading terminals and to capture a blacklist automatically, adding suspicious identity card reading terminals to the blacklist.
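The frequency control and automatic blacklisting that the dispatch server 30 performs on the timestamp and terminal counter, as an added Go example; this is not code from the patent, which only says the two fields feed the check. Assumed policy: the terminal counter must strictly increase per terminal (a repeated or lower value is treated as a replayed card-seeking request), the timestamp must lie within a bounded clock skew of server time, and more than a fixed number of requests inside a sliding window blacklists the terminal. The thresholds, the in-memory state and the terminal identifiers are constructed for the example; the current time is passed in rather than read from the clock so the logic is deterministic.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Policy is the dispatch server's acceptance policy (constructed values).
type Policy struct {
	MaxClockSkew time.Duration // how far a request timestamp may differ from server time
	Window       time.Duration // sliding window for frequency control
	MaxPerWindow int           // accepted requests per window before blacklisting
}

type terminalState struct {
	lastCounter uint64      // highest terminal counter accepted so far
	recent      []time.Time // arrival times of accepted requests inside the window
}

// Dispatcher models dispatch server 30.
type Dispatcher struct {
	policy    Policy
	state     map[string]*terminalState
	blacklist map[string]bool
}

func NewDispatcher(p Policy) *Dispatcher {
	return &Dispatcher{policy: p, state: map[string]*terminalState{}, blacklist: map[string]bool{}}
}

var (
	ErrBlacklisted = errors.New("terminal is blacklisted")
	ErrStale       = errors.New("timestamp outside the allowed clock skew")
	ErrReplay      = errors.New("terminal counter did not increase: possible replay")
)

// Check evaluates one card-seeking request from terminalID carrying timestamp ts and
// counter value counter, observed at server time now. It returns nil when the request
// is accepted and records it for frequency control.
func (d *Dispatcher) Check(terminalID string, ts time.Time, counter uint64, now time.Time) error {
	if d.blacklist[terminalID] {
		return ErrBlacklisted
	}
	if ts.After(now.Add(d.policy.MaxClockSkew)) || ts.Before(now.Add(-d.policy.MaxClockSkew)) {
		return ErrStale
	}
	st, seen := d.state[terminalID]
	if !seen {
		st = &terminalState{}
		d.state[terminalID] = st
	} else if counter <= st.lastCounter {
		return ErrReplay
	}
	st.lastCounter = counter

	// Frequency control: keep only arrivals still inside the window, then add this one.
	kept := st.recent[:0]
	for _, t := range st.recent {
		if now.Sub(t) < d.policy.Window {
			kept = append(kept, t)
		}
	}
	st.recent = append(kept, now)
	if len(st.recent) > d.policy.MaxPerWindow {
		d.blacklist[terminalID] = true // automatic blacklist capture
		return ErrBlacklisted
	}
	return nil
}

func (d *Dispatcher) IsBlacklisted(terminalID string) bool { return d.blacklist[terminalID] }

func main() {
	d := NewDispatcher(Policy{MaxClockSkew: 2 * time.Minute, Window: time.Minute, MaxPerWindow: 5})
	base := time.Date(2016, 4, 19, 9, 0, 0, 0, time.UTC) // constructed server time
	fmt.Println("first request:", d.Check("term-A", base, 1, base))
	fmt.Println("replayed counter:", d.Check("term-A", base, 1, base.Add(time.Second)))
	fmt.Println("stale timestamp:", d.Check("term-A", base.Add(-time.Hour), 2, base.Add(2*time.Second)))
	for i := uint64(2); i <= 7; i++ { // a burst of requests inside one window
		at := base.Add(time.Duration(i) * time.Second)
		fmt.Printf("counter %d: %v\n", i, d.Check("term-A", at, i, at))
	}
	fmt.Println("term-A blacklisted:", d.IsBlacklisted("term-A"))
}
```

The counter check only works because the request carrying it arrives inside the signed and encrypted card-seeking request data, so a third party cannot simply increment it; the dispatch server is a consumer of the authenticated fields, not a substitute for that authentication.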
In this optional implementation, the authentication security control module 10 verifies the first certificate of the identity card reading terminal against the root certificate; if verification passes, the first certificate of the identity card reading terminal is legitimate.
In this optional embodiment, if the authentication safety control module 10 can decrypt the signature value of the card seeking request data ciphertext with the first public key of the identity card card-reading terminal, the received signature value was issued by the identity card card-reading terminal; if it cannot, the received signature value was not issued by the identity card card-reading terminal. Verifying the signature value of the card seeking request data ciphertext therefore confirms the legitimacy of the data source. If the card seeking request data ciphertext is tampered with by an illegal party in transit, the authentication safety control module 10, during signature verification, computes a HASH digest of the tampered ciphertext, and that digest necessarily differs from the digest obtained by decrypting the signature value with the first public key of the identity card card-reading terminal, so signature verification fails. Verifying the signature value of the card seeking request data ciphertext therefore reveals whether the ciphertext has been tampered with and guarantees the integrity of the received card seeking request data ciphertext. If the authentication safety control module 10 cannot decrypt the received card seeking request data ciphertext with the session key it shares with the identity card card-reading terminal, the ciphertext was not issued by the identity card card-reading terminal; decrypting the card seeking request data ciphertext therefore also confirms the legitimacy of the data source. If a third party intercepts the card seeking request data ciphertext, it cannot decrypt it and cannot obtain the card seeking request data, because it cannot obtain the session key shared by the authentication safety control module 10 and the identity card card-reading terminal. Decrypting the card seeking request data ciphertext thus prevents the card seeking request data from being illegally stolen or read in network transmission, and ensures that the card seeking request data is read correctly.
In this optional embodiment, to decrypt the card seeking request data ciphertext the authentication safety control module 10 needs to obtain the authentication decryption key, which may be the same key as the authentication encryption key above, i.e. a symmetric key. The authentication decryption key may be obtained in, but not limited to, the following ways. Mode one: the authentication decryption key is preconfigured in the authentication safety control module 10, and the authentication encryption key is likewise preconfigured in the identity card card-reading terminal. Mode two: the authentication safety control module 10 obtains an authentication decryption key ciphertext and the protection key of the cloud authentication database 40; the authentication decryption key ciphertext is the authentication encryption key of each identity card card-reading terminal encrypted by the cloud authentication database 40 with its protection key, and the authentication safety control module 10 decrypts the authentication decryption key ciphertext with the protection key to obtain the authentication decryption key; the cloud authentication database 40 is located in the cloud authentication platform. After first receiving data encrypted by the identity card card-reading terminal with the authentication encryption key, the authentication safety control module 10 decrypts that first-sent data with the authentication decryption key, which secures the data transmitted between the authentication safety control module 10 and the identity card card-reading terminal; in the present embodiment, the card seeking request data ciphertext is the data first sent by the identity card card-reading terminal.
In this optional embodiment, the session key may be obtained in, but not limited to, the following ways. Mode one: the authentication safety control module 10 generates the session key at random, the session key being a random factor; optionally, the session key may be one or a string of random numbers, one or a string of random characters, or any combination of a string of random numbers and random characters; being randomly generated, the session key is not easily stolen by an illegal party. Mode two: the session key is preset inside the authentication safety control module 10. Mode three: the authentication safety control module 10 and the identity card card-reading terminal generate a negotiated key through negotiation and use the negotiated key as the session key; the specific negotiation method may be an existing one and is not specifically limited in the present embodiment.
In this optional embodiment, the authentication safety control module 10 encrypts the card seeking request response data with the session key to obtain the sixth encryption data. Even if a third party intercepts the sixth encryption data, it cannot obtain the card seeking request response data, because it does not hold the session key and so cannot decrypt the sixth encryption data; only the identity card card-reading terminal, which also holds the session key, can decrypt the sixth encryption data. This effectively prevents the card seeking request response data from being illegally stolen or read in network transmission and ensures the safety of its transmission. After the authentication safety control module 10 sends the sixth signed data to the identity card card-reading terminal, the terminal can perform signature verification: if the identity card card-reading terminal can decrypt the sixth signed data with the public key of the authentication safety control module 10, the received sixth signed data was issued by the authentication safety control module 10 and the data source is legitimate; if it cannot, the received sixth signed data was not issued by the authentication safety control module 10 and the data source is not legitimate. Signing the sixth encryption data therefore lets the identity card card-reading terminal confirm the legitimacy of the data source. If the sixth encryption data is tampered with by an illegal party in transit, the identity card card-reading terminal, during signature verification, computes a HASH digest of the tampered sixth encryption data, and that digest necessarily differs from the digest obtained by decrypting the sixth signed data with the public key of the authentication safety control module 10, so signature verification fails. Signing the sixth encryption data therefore prevents it from being tampered with and guarantees the integrity of the sixth encryption data received by the identity card card-reading terminal.
In this optional embodiment, the authentication safety control module 10 decrypts the data first sent by the identity card card-reading terminal (such as the card seeking request data packet of the present embodiment) with the authentication decryption key, and encrypts or decrypts the subsequently sent or received data with the newly obtained session key. In this way a secure data channel is established with the identity card card-reading terminal, improving the safety of data transmission.
In this optional embodiment, after receiving the card seeking request response data packet sent by the authentication safety control module 10, the identity card card-reading terminal verifies the sixth signed data with the public key of the authentication safety control module 10. After the verification passes, it decrypts the session key ciphertext with its second private key (the second private key and the second public key in the second certificate of the identity card card-reading terminal form an asymmetric key pair) to obtain the session key, and then decrypts the sixth encryption data with the session key to obtain the card seeking request response data. The terminal stores the session key; it can later use the session key to establish a secure channel and transmit identity card related data with the authentication safety control module 10, ensuring the safety of data transmission.
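The card seeking exchange described in this optional embodiment (a terminal request protected by the authentication encryption key and the first private key; module-side certificate check, signature verification and decryption; a response protected by a random session key that is wrapped to the second certificate and signed by the module; terminal-side verification, unwrapping and decryption), as an added worked example in Go. It is not code from the patent or from its assignee. It assumes RSA key pairs standing in for the first and second certificates, a pinned list of trusted keys standing in for the root-certificate check, AES-GCM as the symmetric cipher and RSA-PSS as the signature scheme, none of which the page specifies, and it uses a pre-shared authentication key (mode one of the text) and a random session key (session key mode one). The sample request data and the "seek-ok:" echo standing in for module 20's reply are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Card seeking request data packet: request data encrypted under the authentication
// encryption key, the terminal's signature over that ciphertext, and its first and
// second certificates (modelled as bare public keys; the page fixes no format).
type CardSeekingRequest struct {
	Ciphertext, Signature []byte
	FirstPub, SecondPub   *rsa.PublicKey
}

// Card seeking request response data packet: sixth encryption data, the session
// key wrapped to the second certificate, and the sixth signed data over both.
type CardSeekingResponse struct {
	EncData, SessionKeyCT, Signature []byte
}

// NewKey/PublicKeys stand in for provisioning certificates and their private keys.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func PublicKeys(ks ...*rsa.PrivateKey) (out []*rsa.PublicKey) {
	for _, k := range ks {
		out = append(out, &k.PublicKey)
	}
	return out
}

// gcmSeal/gcmOpen: AES-GCM with a random nonce prepended (the page names no cipher).
func gcmSeal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}

func gcmOpen(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// RSA-PSS over SHA-256 stands in for the page's unspecified signature scheme.
func sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verify(pub *rsa.PublicKey, data, sig []byte) error {
	h := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// Terminal: encrypt the request data with the pre-shared authentication encryption
// key (mode one) and sign the ciphertext with the first private key.
func TerminalBuildRequest(authKey []byte, first, second *rsa.PrivateKey, reqData []byte) (*CardSeekingRequest, error) {
	ct, err := gcmSeal(authKey, reqData)
	if err != nil { return nil, err }
	sig, err := sign(first, ct)
	return &CardSeekingRequest{ct, sig, &first.PublicKey, &second.PublicKey}, err
}

// Module 10: root-certificate check (modelled as a pinned trusted list), signature
// verification, decryption with the authentication decryption key; then the reply
// (an echo standing in for module 20's response) goes out under a fresh random
// session key, the key is wrapped to the second certificate, and both are signed.
func ModuleHandleRequest(trusted []*rsa.PublicKey, authKey []byte, modulePriv *rsa.PrivateKey, req *CardSeekingRequest) (*CardSeekingResponse, error) {
	legit := false
	for _, t := range trusted { legit = legit || t.Equal(req.FirstPub) }
	if !legit { return nil, errors.New("first certificate not legitimate") }
	if err := verify(req.FirstPub, req.Ciphertext, req.Signature); err != nil { return nil, errors.New("signature invalid: tampered or not from terminal") }
	reqData, err := gcmOpen(authKey, req.Ciphertext)
	if err != nil { return nil, errors.New("authentication decryption key does not open ciphertext") }
	sessionKey := make([]byte, 32) // session key mode one: a random factor
	if _, err := rand.Read(sessionKey); err != nil { return nil, err }
	encData, err := gcmSeal(sessionKey, append([]byte("seek-ok:"), reqData...))
	if err != nil { return nil, err }
	skCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.SecondPub, sessionKey, nil)
	if err != nil { return nil, err }
	sig, err := sign(modulePriv, append(append([]byte{}, encData...), skCT...))
	return &CardSeekingResponse{encData, skCT, sig}, err
}

// Terminal: verify the sixth signed data with module 10's public key, unwrap the
// session key with the second private key, decrypt the sixth encryption data.
func TerminalHandleResponse(modulePub *rsa.PublicKey, second *rsa.PrivateKey, resp *CardSeekingResponse) (respData, sessionKey []byte, err error) {
	signed := append(append([]byte{}, resp.EncData...), resp.SessionKeyCT...)
	if err = verify(modulePub, signed, resp.Signature); err != nil { return nil, nil, errors.New("sixth signed data invalid") }
	sessionKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, second, resp.SessionKeyCT, nil)
	if err != nil { return nil, nil, err }
	respData, err = gcmOpen(sessionKey, resp.EncData)
	return respData, sessionKey, err
}
```

The order of checks in ModuleHandleRequest follows the text: a key outside the trusted list is rejected before any signature is examined, a flipped byte in the ciphertext fails signature verification before the authentication decryption key is ever used, and a ciphertext produced under a different authentication key fails at decryption. The session key returned by TerminalHandleResponse is what the terminal keeps for the later secure channel.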
Optionally, the dispatch server 30 is further configured, before the authentication safety control module 10 receives the card seeking request data packet sent by the identity card card-reading terminal, to receive the request of the identity card card-reading terminal to access the cloud authentication platform, obtain the identification information of the identity card card-reading terminal, and determine from that identification information whether the identity card card-reading terminal is allowed to read an identity card; when it determines that the identity card card-reading terminal is allowed to read an identity card, and after the card seeking request data packet sent by the identity card card-reading terminal is received, to send a working state inquiry request to the cloud authentication database 40. The cloud authentication database 40 is configured to receive the working state inquiry request sent by the dispatch server 30, query the working state of each authentication safety control module 10 within the jurisdiction of the dispatch server 30, and send the query result to the dispatch server 30. The dispatch server 30 is further configured to receive the query result sent by the cloud authentication database 40, select an authentication safety control module 10 whose working state is idle according to the query result, and send the identification information of the selected authentication safety control module 10 to the identity card card-reading terminal. The dispatch server 30 may determine whether the identity card card-reading terminal is allowed to read an identity card as follows: the identification information of the identity card card-reading terminal includes the first certificate and the second certificate; the legitimacy of the first certificate is verified with a root certificate, and if the verification passes the identity card card-reading terminal is allowed to read an identity card, otherwise it is not allowed to read an identity card; and/or the legitimacy of the second certificate is verified with a root certificate, and if the verification passes the identity card card-reading terminal is allowed to read an identity card, otherwise it is not allowed to read an identity card.
Optionally, the dispatch server 30 is further configured, after selecting an authentication safety control module 10 whose working state is idle, to generate an authentication code and send the authentication code to the identity card card-reading terminal and to the cloud authentication database 40 respectively. The cloud authentication database 40 is further configured to store the authentication code and to delete the authentication code when its validity period is reached. The card seeking request data packet further includes an authentication code ciphertext. The authentication safety control module 10 is further configured, before sending the card seeking request data to the verification safety control module 20, to decrypt the authentication code ciphertext to obtain the authentication code and to query whether the authentication code is stored in the cloud authentication database 40; if it is stored, the operation of sending the card seeking request data to the verification safety control module 20 continues, otherwise the process is terminated.
Specifically, after allocating a port to an authentication safety control module 10 whose working state is idle, the dispatch server 30 sends the generated authentication code to the identity card card-reading terminal and to the cloud authentication database 40 for storage. The identity card card-reading terminal encrypts the authentication code with the authentication encryption key to obtain the authentication code ciphertext; the authentication safety control module 10 decrypts the authentication code ciphertext with the authentication decryption key to obtain the authentication code and sends an inquiry request to the cloud authentication database 40 asking whether that authentication code is stored there; if it is stored, the card seeking request data is sent to the verification safety control module, otherwise the card seeking response process is terminated. The authentication code is time-limited: once the scheduled duration is exceeded, the cloud authentication database 40 deletes the stored authentication code, the authentication code becomes invalid, the inquiry fails and the transaction response is terminated. Setting an authentication code therefore makes it possible to identify whether a transaction is legitimate and to decide whether the business response continues, ensuring the safety of the identity card card reading response process. The authentication code may be one or a string of random numbers, one or a string of random characters, or any combination of a string of random numbers and random characters, which is not specifically limited in the present embodiment.
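The scheduling and authentication code steps just described (terminal identification check, working state inquiry, selection of an idle module, a random authentication code with a validity period that the cloud authentication database stores and module 10 checks before forwarding, together with the frequency control and blacklisting that the earlier optional embodiment assigns to the dispatch server), as an added Go example that is not code from the patent or from its assignee. The in-memory CloudAuthDB and DispatchServer types, the first-idle selection policy, the request-count threshold used for frequency control, the injected clock, and the treatment of a terminal identifier as already having passed the certificate check are all assumptions made for illustration; the decryption of the authentication code ciphertext is the same authentication-key step as in the card seeking exchange and is left out here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// ModuleState is the working state of one authentication safety control module.
type ModuleState struct {
	ID   string
	Idle bool
}

// CloudAuthDB models the cloud authentication database: module working states and
// authentication codes with their validity period; the clock is injected for tests.
type CloudAuthDB struct {
	Modules []ModuleState
	codes   map[string]time.Time // authentication code -> end of validity period
	now     func() time.Time
}

func NewCloudAuthDB(modules []ModuleState, now func() time.Time) *CloudAuthDB {
	return &CloudAuthDB{Modules: modules, codes: map[string]time.Time{}, now: now}
}

// QueryIdleModule answers the working state inquiry (first idle module; assumed policy).
func (db *CloudAuthDB) QueryIdleModule() (string, bool) {
	for _, m := range db.Modules {
		if m.Idle {
			return m.ID, true
		}
	}
	return "", false
}

// HasCode is the lookup module 10 performs before forwarding the card seeking
// request; a code whose validity period has been reached is deleted and reported
// absent, so the caller terminates the response process.
func (db *CloudAuthDB) HasCode(code string) bool {
	exp, ok := db.codes[code]
	if ok && !db.now().Before(exp) {
		delete(db.codes, code) // validity period reached: delete the code
		ok = false
	}
	return ok
}

// DispatchServer checks terminal identification, applies frequency control,
// selects an idle module and issues the authentication code to terminal and DB.
type DispatchServer struct {
	DB        *CloudAuthDB
	Trusted   map[string]bool // terminals whose certificates passed the root check (assumed input)
	Blacklist map[string]bool
	seen      map[string][]time.Time
	MaxPerWin int // frequency control threshold (assumed policy)
	Window    time.Duration
}

func NewDispatchServer(db *CloudAuthDB, trusted map[string]bool, maxPerWin int, window time.Duration) *DispatchServer {
	return &DispatchServer{DB: db, Trusted: trusted, Blacklist: map[string]bool{},
		seen: map[string][]time.Time{}, MaxPerWin: maxPerWin, Window: window}
}

// RecordRequest is the frequency control driven by the terminal's timestamp:
// more than MaxPerWin requests inside Window puts the terminal on the blacklist.
func (s *DispatchServer) RecordRequest(terminalID string, ts time.Time) {
	kept := s.seen[terminalID][:0]
	for _, t := range s.seen[terminalID] {
		if ts.Sub(t) < s.Window {
			kept = append(kept, t)
		}
	}
	s.seen[terminalID] = append(kept, ts)
	if len(s.seen[terminalID]) > s.MaxPerWin {
		s.Blacklist[terminalID] = true
	}
}

// Dispatch runs the scheduling step for an allowed terminal and returns the
// selected module's identification and the authentication code it issued.
func (s *DispatchServer) Dispatch(terminalID string, ttl time.Duration) (moduleID, code string, err error) {
	if !s.Trusted[terminalID] || s.Blacklist[terminalID] {
		return "", "", errors.New("terminal not allowed to read identity card")
	}
	moduleID, ok := s.DB.QueryIdleModule()
	if !ok {
		return "", "", errors.New("no idle authentication safety control module")
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", "", err
	}
	code = hex.EncodeToString(buf)              // a string of random characters
	s.DB.codes[code] = s.DB.now().Add(ttl)      // stored with its validity period
	return moduleID, code, nil
}
```

Because the clock is injected, the expiry path can be driven deterministically: a code issued with a one-minute validity period is found immediately, and a lookup one minute later both reports it absent and removes it, which is the point at which module 10 terminates the card seeking response process.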
In the present embodiment, the authentication safety control module 10 may communicate directly with the identity card card-reading terminal over a wired or wireless network, or may send and receive the communication data exchanged with the identity card card-reading terminal through the dispatch server 30. If the authentication safety control module 10 has no communication interface, the communication data must be forwarded or switched through a third party such as the dispatch server 30, and the module does not communicate directly with devices such as the identity card card-reading terminal and the verification safety control module 20. When communication data containing signed data is received through the dispatch server 30, the signature verification of the data sent by the identity card card-reading terminal may be performed by the dispatch server 30 or by the authentication safety control module 10, which is not limited in the present embodiment.
Any process or method described in a flowchart or otherwise herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially simultaneously or in the reverse order according to the functions involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that each part of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one of the following techniques known in the art, or a combination of them: a discrete logic circuit having logic gate circuits for implementing logic functions on data signals, an application specific integrated circuit having suitable combinational logic gate circuits, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
Those skilled in the art will understand that all or part of the steps carried by the methods of the above embodiments may be completed by instructing relevant hardware through a program, which may be stored in a computer readable storage medium and which, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, or each unit may exist physically alone, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and is sold or used as an independent product, it may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; those skilled in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention without departing from its principle and purpose. The scope of the present invention is defined by the appended claims and their equivalents.

Claims (10)

1. An identity card card reading response system, characterized by comprising:
an authentication safety control module, configured to receive a card reading request data packet sent by an identity card card-reading terminal, perform safety verification on the card reading request data packet, obtain identity card identification information after the safety verification passes, and send the identity card identification information to a verification safety control module;
the verification safety control module, configured to receive the identity card identification information, generate a first authentication factor, and send the first authentication factor to the authentication safety control module;
the authentication safety control module is further configured to receive the first authentication factor, perform safe processing on the first authentication factor to obtain a first data packet, and send the first data packet to the identity card card-reading terminal;
the authentication safety control module is further configured to receive a second data packet sent by the identity card card-reading terminal, perform safety verification on the second data packet, obtain first authentication data after the safety verification passes, and send the first authentication data to the verification safety control module;
the verification safety control module is further configured to receive the first authentication data, authenticate the first authentication data, generate an authentication factor application request after the authentication passes, and send the authentication factor application request to the authentication safety control module;
the authentication safety control module is further configured to receive the authentication factor application request, perform safe processing on the authentication factor application request to obtain a third data packet, and send the third data packet to the identity card card-reading terminal;
the authentication safety control module is further configured to receive a fourth data packet sent by the identity card card-reading terminal, perform safety verification on the fourth data packet, obtain a second authentication factor after the safety verification passes, and send the second authentication factor to the verification safety control module;
the verification safety control module is further configured to receive the second authentication factor, process the second authentication factor to obtain second authentication data, and send the second authentication data to the authentication safety control module;
the authentication safety control module is further configured to receive the second authentication data, perform safe processing on the second authentication data to obtain a fifth data packet, and send the fifth data packet to the identity card card-reading terminal;
the authentication safety control module is further configured to receive a sixth data packet sent by the identity card card-reading terminal, perform safety verification on the sixth data packet, obtain an identity card data ciphertext after the safety verification passes, and send the identity card data ciphertext to the verification safety control module;
the verification safety control module is further configured to receive the identity card data ciphertext, decrypt the identity card data ciphertext to obtain identity card data plaintext, and send the identity card data plaintext to the authentication safety control module;
the authentication safety control module is further configured to perform safe processing on the identity card data plaintext to obtain a seventh data packet, and send the seventh data packet to the identity card card-reading terminal.
2. The system according to claim 1, characterized in that:
the card reading request data packet includes a card reading request data ciphertext and a signature value of the card reading request data ciphertext;
the authentication safety control module is specifically configured to verify the signature value of the card reading request data ciphertext with the first certificate of the identity card card-reading terminal and, when the verification passes, decrypt the card reading request data ciphertext with a session key to obtain the identity card identification information; and/or
the first data packet includes first encryption data and first signed data;
the authentication safety control module is specifically configured to encrypt the first authentication factor with a session key to obtain the first encryption data, and sign the first encryption data with the private key of the authentication safety control module to obtain the first signed data; and/or
the second data packet includes a first ciphertext and a signature value of the first ciphertext;
the authentication safety control module is specifically configured to verify the signature value of the first ciphertext with the first certificate of the identity card card-reading terminal and, when the verification passes, decrypt the first ciphertext with a session key to obtain the first authentication data; and/or
the third data packet includes second encryption data and second signed data;
the authentication safety control module is specifically configured to encrypt the authentication factor application request with a session key to obtain the second encryption data, and sign the second encryption data with the private key of the authentication safety control module to obtain the second signed data; and/or
the fourth data packet includes a second ciphertext and a signature value of the second ciphertext;
the authentication safety control module is specifically configured to verify the signature value of the second ciphertext with the first certificate of the identity card card-reading terminal and, when the verification passes, decrypt the second ciphertext with a session key to obtain the second authentication factor; and/or
the fifth data packet includes third encryption data and third signed data;
the authentication safety control module is specifically configured to encrypt the second authentication data with a session key to obtain the third encryption data, and sign the third encryption data with the private key of the authentication safety control module to obtain the third signed data; and/or
the sixth data packet includes a third ciphertext and a signature value of the third ciphertext;
the authentication safety control module is specifically configured to verify the signature value of the third ciphertext with the first certificate of the identity card card-reading terminal and, when the verification passes, decrypt the third ciphertext with a session key to obtain the identity card data ciphertext; and/or
the seventh data packet includes fourth encryption data and fourth signed data;
the authentication safety control module is specifically configured to encrypt the identity card data plaintext with a session key to obtain the fourth encryption data, and sign the fourth encryption data with the private key of the authentication safety control module to obtain the fourth signed data.
3. The system according to claim 1 or 2, characterized in that:
the authentication safety control module is further configured, before performing safety verification on the card reading request data packet, to receive a session key request data packet sent by the identity card card-reading terminal, where the session key request data packet includes a first random factor, a signature value of the first random factor and the first certificate of the identity card card-reading terminal; to verify the legitimacy of the first certificate and, after the verification passes, verify the signature value of the first random factor with the first certificate; to generate a second random factor when the signature verification passes; to encrypt the first random factor and the second random factor to obtain fifth encryption data, and sign the fifth encryption data with the private key of the authentication safety control module to obtain fifth signed data; and to send an eighth data packet including the fifth encryption data and the fifth signed data to the identity card card-reading terminal;
the authentication safety control module is further configured, after generating the second random factor, to generate a session key from the first random factor and the second random factor.
4. The system according to claim 1 or 2, characterized in that:
the authentication safety control module is further configured, before receiving the card reading request data packet sent by the identity card card-reading terminal, to receive a card seeking request data packet sent by the identity card card-reading terminal, where the card seeking request data packet includes a card seeking request data ciphertext, a signature value of the card seeking request data ciphertext, and the first certificate and a second certificate of the identity card card-reading terminal; to verify the legitimacy of the first certificate and, after the verification passes, verify the signature value of the card seeking request data ciphertext with the first certificate; and, when the signature verification passes, to decrypt the card seeking request data ciphertext with an acquired authentication decryption key to obtain card seeking request data, and send the card seeking request data to the verification safety control module;
the verification safety control module is further configured to receive the card seeking request data, respond to the card seeking request data to generate card seeking request response data, and send the card seeking request response data to the authentication safety control module;
the authentication safety control module is further configured to receive the card seeking request response data, encrypt the card seeking request response data with a session key to obtain sixth encryption data, encrypt the session key with the second certificate to obtain a session key ciphertext, sign the sixth encryption data and the session key ciphertext with the private key of the authentication safety control module to obtain sixth signed data, and send a card seeking request response data packet to the identity card card-reading terminal, where the card seeking request response data packet includes the sixth encryption data and the sixth signed data.
5. The system according to claim 4, characterized by further comprising:
a dispatch server, configured, before the authentication safety control module receives the card seeking request data packet sent by the identity card card-reading terminal, to obtain identification information of the identity card card-reading terminal and determine from the identification information whether the identity card card-reading terminal is allowed to read an identity card; and, when it determines that the identity card card-reading terminal is allowed to read an identity card and after the card seeking request data packet sent by the identity card card-reading terminal is received, to send a working state inquiry request to a cloud authentication database;
the cloud authentication database, configured to receive the working state inquiry request sent by the dispatch server, query the working state of each authentication safety control module within the jurisdiction of the dispatch server, and send the query result to the dispatch server;
the dispatch server is further configured to receive the query result sent by the cloud authentication database, select an authentication safety control module whose working state is idle according to the query result, and send identification information of the selected authentication safety control module to the identity card card-reading terminal.
6. The system according to claim 5, characterized in that the identification information of the identity card card-reading terminal includes the first certificate and the second certificate, and the dispatch server determines whether the identity card card-reading terminal is allowed to read an identity card as follows:
verifying the legitimacy of the first certificate; if the verification passes, the identity card card-reading terminal is allowed to read an identity card, and if the verification does not pass, the identity card card-reading terminal is not allowed to read an identity card; and/or
verifying the legitimacy of the second certificate; if the verification passes, the identity card card-reading terminal is allowed to read an identity card, and if the verification does not pass, the identity card card-reading terminal is not allowed to read an identity card.
7. The system according to claim 5 or 6, characterized in that:
the dispatch server is further for generating an authentication code after selecting the authentication security control module whose working state is idle, and sending the authentication code to the identity card card-reading terminal and to the cloud authentication database respectively;
the cloud authentication database is further for storing the authentication code and deleting the authentication code when its validity period expires;
the card-seeking request data packet further comprises an authentication code ciphertext;
the authentication security control module is further for, before sending the card-seeking request data to the verification security control module, decrypting the authentication code ciphertext to obtain the authentication code and querying whether the authentication code is stored in the cloud authentication database; if it is stored, continuing with the operation of sending the card-seeking request data to the verification security control module, otherwise terminating the process.
8. The system according to any one of claims 1, 2, 5 or 6, characterized by further comprising:
the authentication security control module, further for clearing the identity card identification information after sending the identity card identification information to the verification security control module; and/or
the authentication security control module, further for sending the identity card identification information to the dispatch server after performing security verification on the card-reading request data packet, the security verification passing, and the identity card identification information being obtained; and/or
the dispatch server, for determining whether the identity card identification information is on an identity card blacklist and, if so, sending indication information to the authentication security control module indicating that the identity card currently read by the identity card card-reading terminal is illegitimate.
9. The system according to any one of claims 1, 2, 5 or 6, characterized in that:
the authentication security control module is further for clearing the identity card data plaintext after performing security processing on the identity card data plaintext to obtain the seventh data packet.
10. The system according to claim 4, characterized in that:
the card-seeking request data comprises a timestamp and/or a terminal counter;
the authentication security control module is further for sending the timestamp and/or the terminal counter to the dispatch server after decrypting the card-seeking request data ciphertext with the obtained authentication decryption key to obtain the card-seeking request data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610244410.XA CN106027256B (en) 2016-04-18 2016-04-18 A kind of identity card card reading response system
Publications (2)

Publication Number Publication Date
CN106027256A CN106027256A (en) 2016-10-12
CN106027256B true CN106027256B (en) 2019-06-28

Family

ID=57081462

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639412A (en) * 2018-12-05 2019-04-16 成都卫士通信息产业股份有限公司 A kind of communication means, system and electronic equipment and storage medium
CN109902481B (en) * 2019-03-07 2021-10-26 北京深思数盾科技股份有限公司 Encryption lock authentication method for encryption equipment and encryption equipment
CN113259307A (en) * 2021-01-11 2021-08-13 深圳市雄帝科技股份有限公司 Certificate reading method and system of shared security authentication terminal

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104700057A (en) * 2015-04-02 2015-06-10 山东信通电子股份有限公司 Sharable resources type resident identification card reading achievement method and resident identification card reader
CN104715218A (en) * 2015-04-02 2015-06-17 山东信通电子股份有限公司 Network card-reading terminal for resident identification cards

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9319401B2 (en) * 2014-01-27 2016-04-19 Bank Of America Corporation System and method for cross-channel authentication

Legal Events

Code Title / Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20220408
Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094
Patentee after: TENDYRON Corp.
Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing
Patentee before: Li Ming