CN106027483A - Identity card reading method and identity card reading terminal - Google Patents


Info

Publication number: CN106027483A
Authority: CN (China)
Prior art keywords: packet, card, identity card, ciphertext, master control
Legal status: Granted (active)
Application number: CN201610243357.1A
Other languages: Chinese (zh)
Other versions: CN106027483B (en)
Inventor: 李明
Current assignee: Tendyron Corp
Original assignee: Individual
Events: application filed by Individual; priority to CN201610243357.1A; publication of CN106027483A; application granted; publication of CN106027483B; anticipated expiration

Classifications

    • H04L63/08 (H / H04 / H04L / H04L63/00): Network architectures or network communication protocols for network security, for authentication of entities
    • H04L63/0823: ... for authentication of entities using certificates
    • H04L63/0876: ... for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G06F21/35 (G / G06 / G06F / G06F21/00 / G06F21/30 / G06F21/31 / G06F21/34): User authentication involving the use of external additional devices, e.g. dongles or smart cards, communicating wirelessly
    • G06K17/00 (G / G06 / G06K): Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
    • G06K7/10257 (G / G06 / G06K / G06K7/00 / G06K7/10 / G06K7/10009): Sensing record carriers by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves; arrangements for protecting the interrogation against piracy attacks
    • H04L67/10 (H / H04 / H04L / H04L67/00 / H04L67/01): Protocols in which an application is distributed across nodes in the network
    • H04L9/3247 (H / H04 / H04L / H04L9/00 / H04L9/32): Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures

Abstract

The invention discloses an identity card reading method and an identity card reading terminal. In the identity card reading method, the identity card reading terminal receives identity card identification information sent by an identity card and forwards it to a cloud authentication platform; receives a first authentication factor generated by the cloud authentication platform and forwards it to the identity card; receives first authentication data returned by the identity card and forwards it to the cloud authentication platform; receives a second authentication factor generated by the identity card and forwards it to the cloud authentication platform; and receives second authentication data returned by the cloud authentication platform and forwards it to the identity card. A card reading interface then receives an identity card data ciphertext sent by the identity card, a master control security chip performs security processing on the identity card data ciphertext to obtain a seventh data packet, a communication interface sends the seventh data packet to the cloud authentication platform, and the communication interface receives the identity card data plaintext returned by the cloud authentication platform. With the identity card reading method provided by the invention, the implementation cost is reduced and the implementation scheme is simplified.

Description

Identity card reading method and identity card reading terminal
Technical field
The present invention relates to the field of identity cards, and in particular to an identity card reading method and an identity card reading terminal.
Background
In existing ID card information reading schemes, an identity card reader has to work together with a verification security control module in order to read and display ID card information. Industries that need to read ID card information, such as banks and railway stations, therefore usually have to deploy a large number of identity card readers and verification security control modules locally, and also have to configure the correspondence between each identity card reader and its verification security control module; the scheme is relatively complicated to implement and relatively costly.
Summary of the invention
The present invention seeks to solve at least one of the above problems.
One object of the present invention is to provide an identity card reading method.
Another object of the present invention is to provide an identity card reading terminal.
To achieve the above objects, the technical solution of the present invention is realized as follows.
One aspect of the present invention provides an identity card reading method, comprising: the card reading interface receives identity card identification information sent by the identity card and sends it to the master control security chip; the master control security chip receives the identity card identification information, performs security processing on it to obtain a first data packet, and sends the first data packet to the communication interface; the communication interface receives the first data packet and sends it to the cloud authentication platform; the communication interface receives a second data packet returned by the cloud authentication platform and sends it to the master control security chip; the master control security chip receives the second data packet, performs security verification on it, and after the verification passes obtains a first authentication factor and sends it to the card reading interface; the card reading interface receives the first authentication factor and sends it to the identity card; the card reading interface receives first authentication data returned by the identity card and sends it to the master control security chip, the first authentication data being obtained by the identity card by processing the first authentication factor; the master control security chip receives the first authentication data, performs security processing on it to obtain a third data packet, and sends the third data packet to the communication interface; the communication interface receives the third data packet and sends it to the cloud authentication platform; the communication interface receives a fourth data packet returned by the cloud authentication platform and sends it to the master control security chip; the master control security chip receives the fourth data packet, performs security verification on it, and after the verification passes obtains a second authentication factor acquisition request and sends it to the card reading interface; the card reading interface receives the second authentication factor acquisition request and sends it to the identity card; the card reading interface receives a second authentication factor returned by the identity card and sends it to the master control security chip; the master control security chip receives the second authentication factor, performs security processing on it to obtain a fifth data packet, and sends the fifth data packet to the communication interface; the communication interface receives the fifth data packet and sends it to the cloud authentication platform; the communication interface receives a sixth data packet returned by the cloud authentication platform and sends it to the master control security chip; the master control security chip receives the sixth data packet, performs security verification on it, and after the verification passes obtains second authentication data and sends it to the card reading interface; the card reading interface receives the second authentication data and sends it to the identity card, the second authentication data being obtained by the cloud authentication platform by processing the second authentication factor; the card reading interface receives an identity card data ciphertext returned by the identity card and sends it to the master control security chip; the master control security chip performs security processing on the identity card data ciphertext to obtain a seventh data packet and sends it to the communication interface; the communication interface sends the seventh data packet to the cloud authentication platform; the communication interface receives an eighth data packet returned by the cloud authentication platform and sends it to the master control security chip; the master control security chip receives the eighth data packet, performs security verification on it, and after the verification passes obtains the identity card data plaintext.
Optionally, the master control security chip performing security processing on the identity card identification information to obtain the first data packet comprises: the master control security chip encrypts the identity card identification information with a first session key to obtain a first ciphertext and signs the first ciphertext with a first private key of the identity card reading terminal to obtain a first signature value; the first data packet comprises at least the first ciphertext and the first signature value. The second data packet comprises at least a second ciphertext and a second signature value, and the master control security chip performing security verification on the second data packet and obtaining the first authentication factor after the verification passes comprises: the master control security chip verifies the second signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the second ciphertext with the first session key to obtain the first authentication factor. The master control security chip performing security processing on the first authentication data to obtain the third data packet comprises: encrypting the first authentication data with the first session key to obtain a third ciphertext and signing the third ciphertext with the first private key of the identity card reading terminal to obtain a third signature value; the third data packet comprises at least the third ciphertext and the third signature value. The fourth data packet comprises at least a fourth ciphertext and a fourth signature value, and the master control security chip performing security verification on the fourth data packet and obtaining the second authentication factor acquisition request after the verification passes comprises: verifying the fourth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypting the fourth ciphertext with the first session key to obtain the second authentication factor acquisition request. The master control security chip performing security processing on the second authentication factor to obtain the fifth data packet comprises: encrypting the second authentication factor with the first session key to obtain a fifth ciphertext and signing the fifth ciphertext with the first private key of the identity card reading terminal to obtain a fifth signature value; the fifth data packet comprises at least the fifth ciphertext and the fifth signature value. The sixth data packet comprises at least a sixth ciphertext and a sixth signature value, and the master control security chip performing security verification on the sixth data packet and obtaining the second authentication data after the verification passes comprises: verifying the sixth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypting the sixth ciphertext with the first session key to obtain the second authentication data. The master control security chip performing security processing on the identity card data ciphertext to obtain the seventh data packet comprises: encrypting the identity card data ciphertext with the first session key to obtain a seventh ciphertext and signing the seventh ciphertext with the first private key of the identity card reading terminal to obtain a seventh signature value. The eighth data packet comprises at least an eighth ciphertext and an eighth signature value, and the master control security chip performing security verification on the eighth data packet and obtaining the identity card data plaintext after the verification passes comprises: verifying the eighth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypting the eighth ciphertext with the first session key to obtain the identity card data plaintext.
Optionally, before the master control security chip performs security processing on the identity card identification information to obtain the first data packet, the method further comprises: the master control security chip generates a first random number, signs the first random number and a first certificate of the identity card reading terminal with the first private key of the identity card reading terminal to obtain a ninth signature value, and sends a ninth data packet to the communication interface, the ninth data packet comprising at least the first random number, the first certificate of the identity card reading terminal and the ninth signature value, where the first certificate comprises at least a first public key of the identity card reading terminal; the communication interface receives the ninth data packet and sends it to the cloud authentication platform; the communication interface receives a tenth data packet returned by the cloud authentication platform and sends it to the master control security chip, the tenth data packet comprising at least a tenth ciphertext and a tenth signature value; the master control security chip receives the tenth data packet, verifies the tenth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the tenth ciphertext with the first private key of the identity card reading terminal to obtain the first random number and a second random number, the second random number being generated by the cloud authentication platform; the master control security chip compares the first random number it generated with the first random number obtained by decryption and, if they are consistent, generates the first session key from the first random number and the second random number.
Optionally, before the master control security chip performs security processing on the identity card identification information to obtain the first data packet, the method further comprises: the master control security chip encrypts a first session key acquisition request with an authentication encryption key to obtain an eleventh ciphertext, signs the eleventh ciphertext with the first private key of the identity card reading terminal to obtain an eleventh signature value, and sends an eleventh data packet to the communication interface, the eleventh data packet comprising at least the first certificate and a second certificate of the identity card reading terminal, the eleventh ciphertext and the eleventh signature value, where the first certificate comprises at least the first public key of the identity card reading terminal and the second certificate comprises at least a second public key of the identity card reading terminal; the communication interface receives the eleventh data packet and sends it to the cloud authentication platform; the communication interface receives a twelfth data packet returned by the cloud authentication platform and sends it to the master control security chip, the twelfth data packet comprising at least a twelfth ciphertext and a twelfth signature value; the master control security chip receives the twelfth data packet, verifies the twelfth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the twelfth ciphertext with a second private key of the identity card reading terminal to obtain the first session key.
Another aspect of the present invention provides an identity card reading terminal, comprising a card reading interface, a master control security chip and a communication interface. The card reading interface is configured to receive identity card identification information sent by the identity card and send it to the master control security chip; the master control security chip is configured to receive the identity card identification information, perform security processing on it to obtain a first data packet, and send the first data packet to the communication interface; the communication interface is configured to receive the first data packet and send it to the cloud authentication platform; the communication interface is further configured to receive a second data packet returned by the cloud authentication platform and send it to the master control security chip; the master control security chip is further configured to receive the second data packet, perform security verification on it, and after the verification passes obtain a first authentication factor and send it to the card reading interface; the card reading interface is further configured to receive the first authentication factor and send it to the identity card; the card reading interface is further configured to receive first authentication data returned by the identity card and send it to the master control security chip, the first authentication data being obtained by the identity card by processing the first authentication factor; the master control security chip is further configured to receive the first authentication data, perform security processing on it to obtain a third data packet, and send the third data packet to the communication interface; the communication interface is further configured to receive the third data packet and send it to the cloud authentication platform; the communication interface is further configured to receive a fourth data packet returned by the cloud authentication platform and send it to the master control security chip; the master control security chip is further configured to receive the fourth data packet, perform security verification on it, and after the verification passes obtain a second authentication factor acquisition request and send it to the card reading interface; the card reading interface is further configured to receive the second authentication factor acquisition request and send it to the identity card; the card reading interface is further configured to receive a second authentication factor returned by the identity card and send it to the master control security chip; the master control security chip is further configured to receive the second authentication factor, perform security processing on it to obtain a fifth data packet, and send the fifth data packet to the communication interface; the communication interface is further configured to receive the fifth data packet and send it to the cloud authentication platform; the communication interface is further configured to receive a sixth data packet returned by the cloud authentication platform and send it to the master control security chip; the master control security chip is further configured to receive the sixth data packet, perform security verification on it, and after the verification passes obtain second authentication data and send it to the card reading interface; the card reading interface is further configured to receive the second authentication data and send it to the identity card, the second authentication data being obtained by the cloud authentication platform by processing the second authentication factor; the card reading interface is further configured to receive an identity card data ciphertext returned by the identity card and send it to the master control security chip; the master control security chip is further configured to perform security processing on the identity card data ciphertext to obtain a seventh data packet and send it to the communication interface; the communication interface is further configured to send the seventh data packet to the cloud authentication platform; the communication interface is further configured to receive an eighth data packet returned by the cloud authentication platform and send it to the master control security chip; the master control security chip is further configured to receive the eighth data packet, perform security verification on it, and after the verification passes obtain the identity card data plaintext.
Optionally, the master control security chip is specifically configured to encrypt the identity card identification information with a first session key to obtain a first ciphertext and sign the first ciphertext with a first private key of the identity card reading terminal to obtain a first signature value, the first data packet comprising at least the first ciphertext and the first signature value. The second data packet comprises at least a second ciphertext and a second signature value, and the master control security chip is specifically configured to verify the second signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypt the second ciphertext with the first session key to obtain the first authentication factor. The master control security chip is specifically configured to encrypt the first authentication data with the first session key to obtain a third ciphertext and sign the third ciphertext with the first private key of the identity card reading terminal to obtain a third signature value, the third data packet comprising at least the third ciphertext and the third signature value. The fourth data packet comprises at least a fourth ciphertext and a fourth signature value, and the master control security chip is specifically configured to verify the fourth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypt the fourth ciphertext with the first session key to obtain the second authentication factor acquisition request. The master control security chip is specifically configured to encrypt the second authentication factor with the first session key to obtain a fifth ciphertext and sign the fifth ciphertext with the first private key of the identity card reading terminal to obtain a fifth signature value, the fifth data packet comprising at least the fifth ciphertext and the fifth signature value. The sixth data packet comprises at least a sixth ciphertext and a sixth signature value, and the master control security chip is specifically configured to verify the sixth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypt the sixth ciphertext with the first session key to obtain the second authentication data. The master control security chip is specifically configured to encrypt the identity card data ciphertext with the first session key to obtain a seventh ciphertext and sign the seventh ciphertext with the first private key of the identity card reading terminal to obtain a seventh signature value. The eighth data packet comprises at least an eighth ciphertext and an eighth signature value, and the master control security chip is specifically configured to verify the eighth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypt the eighth ciphertext with the first session key to obtain the identity card data plaintext.
Optionally, master control safety chip, be additionally operable to generate the first random number, utilize the first private key of identity card card-reading terminal to the first random number and The First Certificate of identity card card-reading terminal carries out signature and obtains the 9th signature value, and transmission the 9th packet is to communication interface, and the 9th packet at least includes: First random number, the First Certificate of identity card card-reading terminal and the 9th signature value, wherein, First Certificate is including at least the first of identity card card-reading terminal PKI;Communication interface, is additionally operable to receive the 9th packet, sends the 9th packet to cloud authentication platform;Communication interface, is additionally operable to receive cloud certification The tenth packet that platform returns, transmission the tenth packet is to master control safety chip, and the tenth packet at least includes: the tenth ciphertext and the tenth signature value; Master control safety chip, is additionally operable to receive the tenth packet, utilizes the PKI of cloud authentication platform that the tenth signature value is carried out sign test, after sign test is passed through, and profit Being decrypted the tenth ciphertext with the first private key of identity card card-reading terminal and obtain the first random number and the second random number, the second random number is put down by cloud certification Platform generates;Master control safety chip, is additionally operable to the first random number and the first random number of obtaining of deciphering that comparison generates, and comparison is consistent, utilize first with Machine number and second generating random number the first session key.
Optionally, master control safety chip, it is additionally operable to utilize the acquisition request of authenticated encryption double secret key the first session key to be encrypted and obtains the 11st Ciphertext, utilizes the first private key of identity card card-reading terminal that the 11st ciphertext carries out signature and obtains the 11st signature value, sends the 11st packet to logical Communication interface, the 11st packet at least includes: the First Certificate of identity card card-reading terminal and the second certificate, the 11st ciphertext and the 11st signature value, Wherein, First Certificate is including at least the first PKI of identity card card-reading terminal, and the second certificate is including at least the second PKI of identity card card-reading terminal;Logical Communication interface, is additionally operable to receive the 11st packet, sends the 11st packet to cloud authentication platform;Communication interface, is additionally operable to receive cloud authentication platform The 12nd packet returned, transmission the 12nd packet is to master control safety chip, and the 12nd packet at least includes: the 12nd ciphertext and the 12nd Signature value;Master control safety chip, is additionally operable to receive the 12nd packet, utilizes the PKI of cloud authentication platform that the 12nd signature value is carried out sign test, tests Sign by rear, utilize the second private key of identity card card-reading terminal that the 12nd ciphertext is decrypted and obtain the first session key.
As can be seen from the technical solution above, the invention provides an identity card reading method and an identity card reading terminal in which no verification security control module is provided in the terminal; instead, the module capable of decrypting the ciphertext data read from the identity card is deployed in the cloud authentication platform, and the terminal reads the identity card by connecting to the cloud authentication platform. This greatly reduces the user's implementation cost: in industries that must perform identity card reading operations, such as banking, railway stations and insurance, only the required number of reading terminals need be deployed, without deploying a large number of verification security control modules or configuring a large number of mappings between verification security control modules and reading terminals, which simplifies deployment. Further, by applying security processing to the data sent to the cloud authentication platform and security verification to the data received from it, the security of the data transmitted between the identity card reading terminal and the cloud authentication platform is ensured.
Brief description of the drawings
In order to describe the technical solutions of the embodiments of the invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an identity card reading method provided by embodiment 1 of the invention;
Fig. 2 is a flow chart of one way of obtaining the first session key provided by embodiment 1 of the invention;
Fig. 3 is a flow chart of another way of obtaining the first session key provided by embodiment 1 of the invention;
Fig. 4 is a schematic structural diagram of an identity card reading terminal provided by embodiment 2 of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In the description of the invention, it should be understood that the orientation or positional relationships indicated by terms such as "center", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings. They are used only to facilitate and simplify the description of the invention; they do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and they are therefore not to be construed as limiting the invention. In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, quantity or position.
In the description of the invention, it should be noted that, unless otherwise expressly specified and limited, the terms "installed", "connected" and "coupled" are to be understood broadly: a connection may, for example, be fixed, detachable or integral; it may be mechanical or electrical; it may be direct, indirect through an intermediary, or internal between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the invention according to the specific circumstances.
The embodiments of the invention are described in further detail below with reference to the accompanying drawings.
Embodiment 1
Fig. 1 shows an identity card reading method provided by this embodiment. The method mainly includes the following steps (S101-S110).
S101: the card reading interface receives the identity card identification information sent by the identity card and sends it to the master control security chip; the master control security chip receives the identification information, applies security processing to it to obtain a first packet, and sends the first packet to the communication interface; the communication interface receives the first packet and sends it to the cloud authentication platform.
In this embodiment, the identity card identification information is information that the identity card reading terminal can recognize directly and that uniquely identifies the identity card; for example, it may be the identity card serial number. This embodiment does not specifically limit it.
In this embodiment, the card reading interface can receive data sent by the identity card and send data to the identity card. The card reading interface may be a radio frequency interface, for example a radio frequency antenna; any card reading interface that can communicate with the identity card falls within the scope of protection of the invention, and this embodiment does not specifically limit it.
In this embodiment, the communication interface can receive data sent by the cloud authentication platform and send data to the cloud authentication platform. The communication interface may communicate with the cloud authentication platform directly over a wired or wireless network, in which case it may be a wireless communication interface (for example, a WIFI communication interface) or a wired communication interface. The communication interface may also communicate with the cloud authentication platform through the wireless or wired network of a host device (such as a mobile phone, a PAD (tablet computer) or a PC), in which case it may be a wireless communication interface able to communicate with the host (for example, a Bluetooth interface or an NFC interface) or a wired communication interface (for example, a USB interface). This embodiment does not specifically limit it.
In this embodiment, the master control security chip performs operations such as security processing and security verification and is the core component of the identity card reading terminal. The master control security chip in this embodiment may be a security chip certified by the State Cryptography Administration, or another control chip having the functions described above; any chip that can implement the functions of the master control security chip of the invention falls within the scope of protection of the invention.
As an optional implementation of the embodiment, the master control security chip applying security processing to the identity card identification information to obtain the first packet includes: the master control security chip encrypts the identity card identification information with the first session key to obtain a first ciphertext and signs the first ciphertext with the first private key of the identity card reading terminal to obtain a first signature value; the first packet includes at least the first ciphertext and the first signature value.
In this embodiment, the first session key is a key negotiated between the identity card reading terminal and the cloud authentication platform; it is used to encrypt the data the terminal sends to the platform and to decrypt the data the terminal receives from the platform. After the master control security chip of the terminal encrypts data with the first session key, only a cloud authentication platform holding the same first session key can decrypt the encrypted data; this prevents any device other than the cloud authentication platform from decrypting the encrypted data and obtaining what the terminal sent, and so ensures the security of the data transmitted from the terminal to the platform. Likewise, only the master control security chip of the terminal holding the first session key can decrypt the encrypted data received from the platform; this prevents any device other than the terminal from decrypting the encrypted data and obtaining what the platform sent, and so ensures the security of the data transmitted from the platform to the terminal.
In this embodiment, after the master control security chip encrypts the identity card identification information with the first session key to obtain the first ciphertext, only a cloud authentication platform holding the same first session key can decrypt the first ciphertext; this prevents any device other than the platform from decrypting the first ciphertext to obtain the identity card identification information and ensures the security of the identification information the terminal sends to the platform.
In this embodiment, the master control security chip signs the first ciphertext with the first private key of the identity card reading terminal to obtain the first signature value as follows: the chip computes a digest of the first ciphertext with a HASH algorithm and encrypts that digest with the first private key of the terminal; the result is the first signature value. The chip signs the first ciphertext with a first private key that only the terminal holds. If the cloud authentication platform can decrypt the first signature value with the first public key of the terminal that corresponds to that first private key, the received first signature value was sent by the terminal; if it cannot, the received first signature value was not sent by the terminal. In other words, the platform can confirm the identity of the device that sent the first signature value from the signature. Once the platform has determined that the first signature value was sent by the terminal, it computes the digest of the first ciphertext. If the first ciphertext was tampered with in transit, the digest the platform computes over the received first ciphertext changes; therefore, by comparing the computed digest of the first ciphertext with the digest obtained by decrypting the signature, the platform can ensure the integrity of the received first ciphertext. It should be noted that every signing procedure in this embodiment may refer to this description; the signing procedures mentioned below are not described again in detail.
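The encrypt-then-sign construction of the first packet, and the platform's check of it, as an added example; this is not code from the patent or from its assignee. The patent names neither the cipher nor the signature scheme, so this example assumes AES-256-GCM under the first session key and ECDSA P-256 with SHA-256 for the hash-then-sign step (it does not reproduce the "decrypt the signature with the public key" description literally; ECDSA verifies the digest without recovering it). The packet type, function names and the sample serial number are this example's own. The platform side checks the signature before it touches the ciphertext, and a single flipped byte in transit makes the digest differ, so the signature check fails exactly as the text describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet models the first packet of S101: a ciphertext made with the first
// session key and a signature over that ciphertext made with the terminal's
// first private key. The field names are this example's own.
type Packet struct {
	Ciphertext []byte // nonce || AES-GCM output
	Signature  []byte // ASN.1 ECDSA signature over SHA-256(Ciphertext)
}

// NewTerminalKey stands in for the first private key kept inside the master
// control security chip. ECDSA P-256 is this example's assumption.
func NewTerminalKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func newAEAD(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithSessionKey encrypts under the shared session key (AES-256-GCM is an
// assumption) and prefixes the nonce so the receiver can reuse it.
func sealWithSessionKey(sessionKey, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

func openWithSessionKey(sessionKey, ciphertext []byte) ([]byte, error) {
	aead, err := newAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

// BuildPacket is the terminal side: encrypt the identification information with
// the session key, hash the ciphertext, and sign the digest with the private key.
func BuildPacket(sessionKey []byte, termPriv *ecdsa.PrivateKey, cardID []byte) (*Packet, error) {
	ct, err := sealWithSessionKey(sessionKey, cardID)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := ecdsa.SignASN1(rand.Reader, termPriv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Packet{Ciphertext: ct, Signature: sig}, nil
}

// VerifyPacket is the platform side: check the signature with the terminal's
// public key before touching the ciphertext, then decrypt with the session key.
func VerifyPacket(sessionKey []byte, termPub *ecdsa.PublicKey, p *Packet) ([]byte, error) {
	digest := sha256.Sum256(p.Ciphertext)
	if !ecdsa.VerifyASN1(termPub, digest[:], p.Signature) {
		return nil, errors.New("signature check failed: not from the terminal or ciphertext altered")
	}
	return openWithSessionKey(sessionKey, p.Ciphertext)
}

func main() {
	// Constructed sample values: a negotiated session key and a card serial number.
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey)
	priv, _ := NewTerminalKey()
	pkt, _ := BuildPacket(sessionKey, priv, []byte("CARD-SERIAL-0001"))
	id, err := VerifyPacket(sessionKey, &priv.PublicKey, pkt)
	fmt.Println(string(id), err)
	pkt.Ciphertext[len(pkt.Ciphertext)-1] ^= 0x01 // simulate tampering in transit
	_, err = VerifyPacket(sessionKey, &priv.PublicKey, pkt)
	fmt.Println(err)
}
```

The same two functions cover the third and fifth packets (S103, S105), which differ only in the plaintext; the platform-to-terminal direction (second, fourth and sixth packets) is the mirror image with the platform's key pair.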
S102: the communication interface receives a second packet returned by the cloud authentication platform and sends it to the master control security chip; the master control security chip receives the second packet, performs security verification on it and, after the verification passes, obtains a first authentication factor and sends it to the card reading interface; the card reading interface receives the first authentication factor and sends it to the identity card.
In this embodiment, after the cloud authentication platform receives the first packet sent by the communication interface, it performs security verification on the first packet and, after the verification passes, obtains the identity card identification information. Specifically, the platform may verify the first signature value with the first public key of the identity card reading terminal and, after the verification passes, decrypt the first ciphertext with the first session key to obtain the identity card identification information. The platform may then look up the security key matched with the identity card according to the identification information.
Before the identity card reading terminal reads the identity card data ciphertext, mutual authentication between the identity card and the cloud authentication platform must be performed to ensure that both the identity card and the cloud authentication platform are legitimate.
In this embodiment, the first authentication factor is generated by the cloud authentication platform and sent to the identity card; the platform uses the first authentication factor to authenticate the legitimacy of the identity card. The first authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters; this embodiment does not specifically limit it.
As an optional implementation of the embodiment, the second packet includes at least a second ciphertext and a second signature value; the master control security chip performing security verification on the second packet and, after the verification passes, obtaining the first authentication factor includes: the master control security chip verifies the second signature value with the public key of the cloud authentication platform and, after the verification passes, decrypts the second ciphertext with the first session key to obtain the first authentication factor.
In this embodiment, the master control security chip may verify the second signature value with the public key of the cloud authentication platform as follows: the chip decrypts the second signature value with the platform's public key to obtain the digest of the second ciphertext, computes the digest of the received second ciphertext with the HASH algorithm, and compares the digest obtained by decryption with the computed digest; if they are identical, the second signature value passes verification. Every signature verification procedure in this embodiment may refer to this description; the verification procedures mentioned below are not described again in detail. The chip verifies with the public key of the platform: if it can decrypt the second signature value with that public key, the received second signature value was sent by the platform; if it cannot, the received second signature value was not sent by the platform. In other words, the chip can confirm the identity of the device that sent the second signature value from the signature. Once the chip has determined that the second signature value was sent by the platform, it computes the digest of the second ciphertext. If the second ciphertext was tampered with in transit, the digest the chip computes over the received second ciphertext changes; therefore, by comparing the computed digest of the second ciphertext with the digest obtained by decryption, the chip can ensure the integrity of the received second ciphertext. Having confirmed that the second signature value was sent by the platform and that the second ciphertext was not tampered with in transit, that is, once the verification passes, the chip decrypts the second ciphertext with the first session key that only the identity card reading terminal and the platform hold to obtain the first authentication factor; this prevents any device other than the terminal from decrypting the second ciphertext to obtain the first authentication factor and ensures the security of the first authentication factor.
S103: the card reading interface receives the first authentication data returned by the identity card and sends it to the master control security chip, the first authentication data being obtained by the identity card processing the first authentication factor; the master control security chip receives the first authentication data, applies security processing to it to obtain a third packet, and sends the third packet to the communication interface; the communication interface receives the third packet and sends it to the cloud authentication platform.
In this embodiment, the identity card may process the first authentication factor to obtain the first authentication data as follows: the identity card computes a MAC (Message Authentication Code) over the first authentication factor with the security key and uses the resulting MAC value as the first authentication data. The identity card may also encrypt the first authentication factor with the security key to obtain the first authentication data. The security key is preset in legitimate identity cards, and only a legitimate identity card holds it. Of course, the identity card may also process the first authentication factor in other ways specified by the Ministry of Public Security to obtain the first authentication data; this embodiment does not specifically limit it.
As an optional implementation of the embodiment, the master control security chip applying security processing to the first authentication data to obtain the third packet includes: the master control security chip encrypts the first authentication data with the first session key to obtain a third ciphertext and signs the third ciphertext with the first private key of the identity card reading terminal to obtain a third signature value; the third packet includes at least the third ciphertext and the third signature value.
In this embodiment, after the master control security chip encrypts the first authentication data with the first session key to obtain the third ciphertext, only a cloud authentication platform holding the same first session key can decrypt the third ciphertext; this prevents any device other than the platform from decrypting the third ciphertext to obtain the first authentication data and ensures the security of the first authentication data the terminal sends to the platform.
In this embodiment, the master control security chip signs the third ciphertext with the first private key that only the identity card reading terminal holds. If the cloud authentication platform can decrypt the third signature value with the first public key of the terminal that corresponds to that first private key, the received third signature value was sent by the terminal; if it cannot, the received third signature value was not sent by the terminal. In other words, the platform can confirm the identity of the device that sent the third signature value from the signature. Once the platform has determined that the third signature value was sent by the terminal, it computes the digest of the third ciphertext. If the third ciphertext was tampered with in transit, the digest the platform computes over the received third ciphertext changes; therefore, by comparing the computed digest of the third ciphertext with the digest obtained by decryption, the platform can ensure the integrity of the received third ciphertext.
S104: the communication interface receives a fourth packet returned by the cloud authentication platform and sends it to the master control security chip; the master control security chip receives the fourth packet, performs security verification on it and, after the verification passes, obtains a second authentication factor acquisition request and sends it to the card reading interface; the card reading interface receives the second authentication factor acquisition request and sends it to the identity card.
In this embodiment, after the cloud authentication platform receives the third packet, it performs security verification on the third packet and, after the verification passes, obtains the first authentication data. Specifically, the platform verifies the third signature value with the first public key of the identity card reading terminal and, after the verification passes, decrypts the third ciphertext with the first session key to obtain the first authentication data, and then verifies the first authentication data.
In this embodiment, if the first authentication data is a MAC that the identity card computed over the first authentication factor with the security key, the cloud authentication platform may verify it as follows: the platform computes authentication data over the first authentication factor with the same MAC algorithm as the identity card and compares the computed authentication data with the received first authentication data; if they are identical, the first authentication data passes verification.
In this embodiment, if the first authentication data was obtained by the identity card encrypting the first authentication factor with the security key, two optional ways for the cloud authentication platform to verify the first authentication data are:
Method one: the cloud authentication platform decrypts the received first authentication data with the security key matched with the identity card, which it looked up according to the identity card identification information, to obtain an authentication factor, and compares the decrypted authentication factor with the first authentication factor it generated itself; if they are identical, the first authentication data passes verification.
Method two: the cloud authentication platform encrypts the first authentication factor it generated itself with the security key matched with the identity card, which it looked up according to the identity card identification information, to obtain authentication data, and compares the encrypted result with the received first authentication data; if they are identical, the first authentication data passes verification.
Of course, the cloud authentication platform may also verify the first authentication data in other ways specified by the Ministry of Public Security; this embodiment does not specifically limit it. By verifying the first authentication data, the platform verifies the legitimacy of the identity card. If the first authentication data passes verification, the identity card is legitimate and the platform generates the fourth packet; if it does not pass, the identity card is illegitimate, and the platform may terminate the identity card reading flow and send a prompt message to the identity card reading terminal.
In this embodiment, after the first authentication data passes verification, that is, after the cloud authentication platform has authenticated the identity card, the platform requests the identity card to generate a second authentication factor so that the identity card can in turn authenticate the cloud authentication platform.
As an optional implementation of the embodiment, the fourth packet includes at least a fourth ciphertext and a fourth signature value; the master control security chip performing security verification on the fourth packet and, after the verification passes, obtaining the second authentication factor acquisition request includes: the master control security chip verifies the fourth signature value with the public key of the cloud authentication platform and, after the verification passes, decrypts the fourth ciphertext with the first session key to obtain the second authentication factor acquisition request.
The master control security chip verifies with the public key of the cloud authentication platform: if it can decrypt the fourth signature value with that public key, the received fourth signature value was sent by the platform; if it cannot, the received fourth signature value was not sent by the platform. In other words, the chip can confirm the identity of the device that sent the fourth signature value from the signature. Once the chip has determined that the fourth signature value was sent by the platform, it computes the digest of the fourth ciphertext. If the fourth ciphertext was tampered with in transit, the digest the chip computes over the received fourth ciphertext changes; therefore, by comparing the computed digest of the fourth ciphertext with the digest obtained by decryption, the chip can ensure the integrity of the received fourth ciphertext. Having confirmed that the fourth signature value was sent by the platform and that the fourth ciphertext was not tampered with in transit, that is, once the verification passes, the chip decrypts the fourth ciphertext with the first session key that only the identity card reading terminal and the platform hold to obtain the second authentication factor acquisition request; this prevents any device other than the terminal from decrypting the fourth ciphertext to obtain the request and ensures the security of the second authentication factor acquisition request.
S105: the card reading interface receives the second authentication factor returned by the identity card and sends it to the master control security chip; the master control security chip receives the second authentication factor, applies security processing to it to obtain a fifth packet, and sends the fifth packet to the communication interface; the communication interface receives the fifth packet and sends it to the cloud authentication platform.
In this embodiment, the second authentication factor is generated by the identity card and sent to the cloud authentication platform; the identity card uses the second authentication factor to authenticate the legitimacy of the cloud authentication platform. The second authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters; this embodiment does not specifically limit it.
As an optional implementation of the embodiment, the master control security chip applying security processing to the second authentication factor to obtain the fifth packet includes: the master control security chip encrypts the second authentication factor with the first session key to obtain a fifth ciphertext and signs the fifth ciphertext with the first private key of the identity card reading terminal to obtain a fifth signature value; the fifth packet includes at least the fifth ciphertext and the fifth signature value.
In this embodiment, after the master control security chip encrypts the second authentication factor with the first session key to obtain the fifth ciphertext, only a cloud authentication platform holding the same first session key can decrypt the fifth ciphertext; this prevents any device other than the platform from decrypting the fifth ciphertext to obtain the second authentication factor and ensures the security of the second authentication factor the terminal sends to the platform.
In this embodiment, the master control security chip signs the fifth ciphertext with the first private key that only the identity card reading terminal holds. If the cloud authentication platform can decrypt the fifth signature value with the first public key of the terminal that corresponds to that first private key, the received fifth signature value was sent by the terminal; if it cannot, the received data was not sent by the terminal. In other words, the platform can confirm the identity of the device that sent the fifth signature value from the signature. Once the platform has determined that the fifth signature value was sent by the terminal, it computes the digest of the fifth ciphertext. If the fifth ciphertext was tampered with in transit, the digest the platform computes over the received fifth ciphertext changes; therefore, by comparing the computed digest of the fifth ciphertext with the digest obtained by decryption, the platform can ensure the integrity of the received fifth ciphertext.
S106: The communication interface receives the sixth packet returned by the cloud authentication platform and sends the sixth packet to the master control security chip; the master control security chip receives the sixth packet, performs security verification on it and, after the security verification passes, obtains the second authentication data and sends the second authentication data to the card reading interface; the card reading interface receives the second authentication data and sends it to the identity card. The second authentication data is obtained by the cloud authentication platform by processing the second authentication factor;
In the present embodiment, after the cloud authentication platform receives the fifth packet, it performs security verification on the fifth packet and, once that passes, obtains the second authentication factor. Specifically, the cloud authentication platform can verify the fifth signature value with the first public key of the identity card card-reading terminal and, after the signature verification passes, decrypt the fifth ciphertext with the first session key to obtain the second authentication factor, then process the second authentication factor to obtain the second authentication data. The cloud authentication platform may process the second authentication factor into the second authentication data as follows: the cloud authentication platform derives a security key by a calculation over preset information, then uses the security key to compute a MAC over the second authentication factor and takes the resulting MAC value as the second authentication data. The cloud authentication platform may also encrypt the second authentication factor with the security key matched with the identity card to obtain the second authentication data. Of course, the cloud authentication platform may also process the second authentication factor into the second authentication data by other methods specified by the Ministry of Public Security; this is not specifically limited in the present embodiment.
As an optional embodiment of the embodiment of the present invention, the sixth packet at least includes the sixth ciphertext and the sixth signature value, and the master control security chip performing security verification on the sixth packet and obtaining the second authentication data after the verification passes includes: the master control security chip verifies the sixth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the sixth ciphertext with the first session key to obtain the second authentication data.
The master control security chip verifies the signature with the public key of the cloud authentication platform. If the master control security chip can decrypt the sixth signature value with the public key of the cloud authentication platform, this shows that the received sixth signature value was sent by the cloud authentication platform; if it cannot, the received sixth signature value was not sent by the cloud authentication platform. In other words, the master control security chip can confirm the identity of the device that sent the sixth signature value from the sixth signature value itself. After the master control security chip has determined that the sixth signature value was sent by the cloud authentication platform, it computes the digest of the sixth ciphertext. If the sixth ciphertext was tampered with in transit, the digest the master control security chip computes over the received sixth ciphertext also changes; therefore, by comparing the digest it computed over the sixth ciphertext with the digest obtained by decrypting the signature, the master control security chip can ensure the integrity of the received sixth ciphertext. Only after confirming that the sixth signature value was sent by the cloud authentication platform and that the sixth ciphertext was not tampered with in transit, that is, after the signature verification passes, does it decrypt the sixth ciphertext with the first session key held only by the identity card card-reading terminal and the cloud authentication platform to obtain the second authentication data. This prevents any device other than the identity card card-reading terminal from decrypting the sixth ciphertext to obtain the second authentication data, and so ensures the security of the second authentication data.
S107: The card reading interface receives the identity card data ciphertext returned by the identity card and sends the identity card data ciphertext to the master control security chip; the master control security chip performs security processing on the identity card data ciphertext to obtain the seventh packet and sends the seventh packet to the communication interface; the communication interface sends the seventh packet to the cloud authentication platform;
In the present embodiment, after the identity card receives the second authentication data, it verifies the second authentication data and, once the verification passes, sends the identity card data ciphertext to the identity card card-reading terminal. The identity card data ciphertext is the identity card data stored in encrypted form on the identity card, such as the identity card number, name, sex, address and photo; the corresponding identity card data plaintext can be obtained only after this identity card data ciphertext is decrypted by an identity card security control module authorized by the Ministry of Public Security.
In the present embodiment, if the second authentication data is a MAC value computed by the cloud authentication platform over the second authentication factor with the security key, the identity card may verify the second authentication data as follows: the identity card computes authentication data over the second authentication factor with the same MAC algorithm used on the cloud authentication platform side and compares the computed authentication data with the received second authentication data; if they are identical, the second authentication data passes verification.
In the present embodiment, if the second authentication data is obtained by the cloud authentication platform encrypting the second authentication factor with the security key, the identity card may verify the second authentication data in either of two optional ways:
Mode one: the identity card decrypts the received second authentication data with the security key to obtain an authentication factor, and compares the authentication factor obtained by decryption with the second authentication factor it generated itself; if they are identical, the second authentication data passes verification.
Mode two: the identity card encrypts the second authentication factor it generated itself with the security key to obtain authentication data, and compares the authentication data obtained by encryption with the received second authentication data; if they are identical, the second authentication data passes verification.
Of course, the identity card may also verify the second authentication data by other methods specified by the Ministry of Public Security; this is not specifically limited here. By verifying the second authentication data, the identity card verifies the legitimacy of the cloud authentication platform. If the second authentication data passes verification, the cloud authentication platform is legitimate and the identity card returns the identity card data ciphertext; if the second authentication data fails verification, the cloud authentication platform is illegitimate, and the identity card reading flow may be terminated at this point.
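The three card-side checks of the second authentication data described above (MAC comparison, mode one and mode two) are shown below in Go as an added example written for this page; it is not code from the patent or its assignee. It assumes HMAC-SHA256 for the unspecified MAC algorithm, and for the encryption form it assumes a 16-byte second authentication factor encrypted as a single raw AES-128 block under the security key shared by card and cloud, which is what makes the ciphertext comparison in mode two deterministic. The key, the factor and the forged value are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ComputeMAC is the cloud's MAC form of the second authentication data: a MAC over
// the second authentication factor under the security key (HMAC-SHA256 is an assumption).
func ComputeMAC(securityKey, factor []byte) []byte {
	m := hmac.New(sha256.New, securityKey)
	m.Write(factor)
	return m.Sum(nil)
}

// VerifyByMAC is the card's check for the MAC form: recompute the MAC over the
// factor the card generated itself and compare in constant time.
func VerifyByMAC(securityKey, ownFactor, receivedAuthData []byte) bool {
	return hmac.Equal(ComputeMAC(securityKey, ownFactor), receivedAuthData)
}

// blockOp runs one raw AES block operation. Assumption: the factor is exactly one
// 16-byte block and the key matched with the card is AES-128, so encryption is deterministic.
func blockOp(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) != c.BlockSize() {
		return nil, errors.New("authentication data must be exactly one AES block")
	}
	out := make([]byte, c.BlockSize())
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// EncryptFactor is the cloud's encryption form of the second authentication data.
func EncryptFactor(securityKey, factor []byte) ([]byte, error) {
	return blockOp(securityKey, factor, false)
}

// VerifyModeOne: decrypt the received authentication data with the security key
// and compare the recovered factor with the card's own second authentication factor.
func VerifyModeOne(securityKey, ownFactor, receivedAuthData []byte) (bool, error) {
	recovered, err := blockOp(securityKey, receivedAuthData, true)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(recovered, ownFactor) == 1, nil
}

// VerifyModeTwo: encrypt the card's own factor and compare with what was received.
func VerifyModeTwo(securityKey, ownFactor, receivedAuthData []byte) (bool, error) {
	expected, err := blockOp(securityKey, ownFactor, false)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(expected, receivedAuthData) == 1, nil
}

// Demo runs each check against genuine and forged authentication data built from
// constructed values; each result is true only if the genuine value is accepted and the forgery rejected.
func Demo() (macOK, modeOneOK, modeTwoOK bool, err error) {
	key := bytes.Repeat([]byte{0x5a}, 16)    // constructed security key shared by card and cloud
	factor := []byte("card-random-16B!")     // constructed second authentication factor (one block)
	forged := bytes.Repeat([]byte{0xff}, 32) // constructed attacker-chosen authentication data
	macOK = VerifyByMAC(key, factor, ComputeMAC(key, factor)) && !VerifyByMAC(key, factor, forged)
	enc, err := EncryptFactor(key, factor) // what the cloud returns in the encryption form
	if err != nil {
		return
	}
	ok1, err := VerifyModeOne(key, factor, enc)
	if err != nil {
		return
	}
	bad1, err := VerifyModeOne(key, factor, forged[:16])
	if err != nil {
		return
	}
	ok2, err := VerifyModeTwo(key, factor, enc)
	if err != nil {
		return
	}
	bad2, err := VerifyModeTwo(key, factor, forged[:16])
	if err != nil {
		return
	}
	return macOK, ok1 && !bad1, ok2 && !bad2, nil
}

func main() {
	fmt.Println(Demo())
}
```

All three comparisons are constant-time, since the card is exactly the kind of device where a timing difference on a failed comparison would leak information about the expected value. Note that mode two only works because single-block AES is deterministic; with a randomised mode (CBC with a fresh IV, GCM) the card would have to fall back to mode one.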
As an optional embodiment of the embodiment of the present invention, the master control security chip performing security processing on the identity card data ciphertext to obtain the seventh packet includes: the master control security chip encrypts the identity card data ciphertext with the first session key to obtain the seventh ciphertext, and signs the seventh ciphertext with the first private key of the identity card card-reading terminal to obtain the seventh signature value.
In the present embodiment, once the master control security chip has encrypted the identity card data ciphertext with the first session key to obtain the seventh ciphertext, only the cloud authentication platform, which holds the same first session key, can decrypt the seventh ciphertext. This prevents any device other than the cloud authentication platform from decrypting the seventh ciphertext to obtain the identity card data ciphertext, and so secures the transmission of the identity card data ciphertext from the identity card card-reading terminal to the cloud authentication platform.
In the present embodiment, the master control security chip signs the seventh ciphertext with the first private key held only by the identity card card-reading terminal. If the cloud authentication platform can decrypt the seventh signature value with the first public key of the identity card card-reading terminal (the public key corresponding to that first private key), this shows that the received seventh signature value was sent by the identity card card-reading terminal; if it cannot, the received seventh signature value was not sent by the identity card card-reading terminal. In other words, the cloud authentication platform can confirm the identity of the device that sent the seventh signature value from the seventh signature value itself. After the cloud authentication platform has determined that the seventh signature value was sent by the identity card card-reading terminal, it computes the digest of the seventh ciphertext. If the seventh ciphertext was tampered with in transit, the digest the cloud authentication platform computes over the received seventh ciphertext also changes; therefore, by comparing the digest it computed over the seventh ciphertext with the digest obtained by decrypting the signature, the cloud authentication platform can ensure the integrity of the received seventh ciphertext.
S108: The communication interface receives the eighth packet returned by the cloud authentication platform and sends the eighth packet to the master control security chip; the master control security chip receives the eighth packet, performs security verification on it and, after the security verification passes, obtains the identity card data plaintext.
In the present embodiment, after the cloud authentication platform receives the seventh packet, it performs security verification on the seventh packet and, once that passes, obtains the identity card data ciphertext. Specifically, the cloud authentication platform verifies the seventh signature value with the first public key of the identity card card-reading terminal and, after the signature verification passes, decrypts the seventh ciphertext with the first session key to obtain the identity card data ciphertext, then decrypts the identity card data ciphertext with the identity card security control module authorized by the Ministry of Public Security to obtain the identity card data plaintext. The cloud authentication platform performs security processing on the identity card data plaintext to obtain the eighth packet.
As an optional embodiment of the embodiment of the present invention, the eighth packet at least includes the eighth ciphertext and the eighth signature value, and the master control security chip performing security verification on the eighth packet and obtaining the identity card data plaintext after the verification passes includes: the master control security chip verifies the eighth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the eighth ciphertext with the first session key to obtain the identity card data plaintext.
The master control security chip verifies the signature with the public key of the cloud authentication platform. If the master control security chip can decrypt the eighth signature value with the public key of the cloud authentication platform, this shows that the received eighth signature value was sent by the cloud authentication platform; if it cannot, the received eighth signature value was not sent by the cloud authentication platform. In other words, the master control security chip can confirm the identity of the device that sent the eighth signature value from the eighth signature value itself. After the master control security chip has determined that the eighth signature value was sent by the cloud authentication platform, it computes the digest of the eighth ciphertext. If the eighth ciphertext was tampered with in transit, the digest the master control security chip computes over the received eighth ciphertext also changes; therefore, by comparing the digest it computed over the eighth ciphertext with the digest obtained by decrypting the signature, the master control security chip can ensure the integrity of the received eighth ciphertext. Only after confirming that the eighth signature value was sent by the cloud authentication platform and that the eighth ciphertext was not tampered with in transit, that is, after the signature verification passes, does it decrypt the eighth ciphertext with the first session key held only by the identity card card-reading terminal and the cloud authentication platform to obtain the identity card data plaintext. This prevents any device other than the identity card card-reading terminal from decrypting the eighth ciphertext to obtain the identity card data plaintext, and so ensures the security of the identity card data plaintext.
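The security processing and security verification described for the fifth to eighth packets (S105 to S108) all follow one pattern: encrypt under the first session key, sign the ciphertext with the sender's private key, and on receipt verify the signature over the ciphertext digest before decrypting anything. The following Go program is an added example written for this page, not code from the patent or its assignee. It assumes AES-GCM for the session-key encryption and RSA PKCS#1 v1.5 with SHA-256 for the signature values, neither of which the text specifies, and the terminal key, session key and second authentication factor are constructed test data.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet models the "Nth ciphertext + Nth signature value" pair of the fifth to eighth packets.
type Packet struct {
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag (AES-GCM is an assumption)
	Signature  []byte // RSA PKCS#1 v1.5 signature over SHA-256(Ciphertext) (assumption)
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey) // first session key: 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SecureProcess is the sender's security processing: encrypt the payload under
// the session key, then sign the ciphertext with the sender's private key.
func SecureProcess(sessionKey []byte, signer *rsa.PrivateKey, payload []byte) (Packet, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)                           // crypto/rand.Read never returns an error (Go 1.24 docs)
	ct := gcm.Seal(nonce, nonce, payload, nil) // nonce travels in front of the ciphertext
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, digest[:])
	if err != nil {
		return Packet{}, err
	}
	return Packet{Ciphertext: ct, Signature: sig}, nil
}

// SecurityVerify is the receiver's security verification: confirm with the
// sender's public key that the signature covers the digest of the ciphertext
// exactly as received (sender identity plus integrity); only then decrypt.
func SecurityVerify(sessionKey []byte, senderPub *rsa.PublicKey, p Packet) ([]byte, error) {
	digest := sha256.Sum256(p.Ciphertext)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], p.Signature); err != nil {
		return nil, errors.New("signature verification failed: unknown sender or tampered ciphertext")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(p.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, p.Ciphertext[:ns], p.Ciphertext[ns:], nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong session key or corrupted ciphertext")
	}
	return pt, nil
}

// Demo plays S105 with constructed data (the terminal sends the second
// authentication factor as the fifth packet, the cloud verifies it) and then
// two packets a verifier must reject: a tampered ciphertext, and a correctly
// signed packet opened by a party holding a different session key.
func Demo() (honestOK, tamperRejected, wrongKeyRejected bool, err error) {
	termKey, err := rsa.GenerateKey(rand.Reader, 2048) // terminal's first private key (constructed)
	if err != nil {
		return
	}
	sessionKey := bytes.Repeat([]byte{0x11}, 16)     // constructed first session key
	factor := []byte("second-authentication-factor") // constructed second authentication factor
	pkt, err := SecureProcess(sessionKey, termKey, factor)
	if err != nil {
		return
	}
	got, err := SecurityVerify(sessionKey, &termKey.PublicKey, pkt)
	if err != nil {
		return
	}
	honestOK = bytes.Equal(got, factor)
	// One flipped ciphertext byte: the digest no longer matches the signed one.
	tampered := Packet{Ciphertext: append([]byte(nil), pkt.Ciphertext...), Signature: pkt.Signature}
	tampered.Ciphertext[len(tampered.Ciphertext)-1] ^= 0x01
	_, tErr := SecurityVerify(sessionKey, &termKey.PublicKey, tampered)
	tamperRejected = tErr != nil
	// A party without the first session key cannot open a correctly signed packet.
	_, kErr := SecurityVerify(bytes.Repeat([]byte{0x22}, 16), &termKey.PublicKey, pkt)
	wrongKeyRejected = kErr != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The same two functions serve both directions: the terminal calls `SecureProcess` with its first private key and the cloud verifies with the terminal's first public key (fifth and seventh packets), while the cloud signs with its own private key and the chip verifies with the cloud's public key (sixth and eighth packets). The order matters for the chip: signature and digest are checked before the session key touches the ciphertext, so a packet from an unknown sender is never decrypted.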
The identity card card-reading terminal provided by the present embodiment is not itself equipped with a verification security control module; instead, the identity card security control module that decrypts the ciphertext data read from the identity card is deployed in the cloud authentication platform, and any user can access the cloud authentication platform over a wired or wireless network to read identity cards. This greatly reduces the user's implementation cost. In particular, industries that need to perform identity card information reading, such as banks, stations and insurance, need only deploy the corresponding number of identity card card-reading terminals; they no longer need to deploy a large number of verification security control modules, nor to configure a large number of correspondences between verification security control modules and identity card card-reading terminals, which simplifies implementation. Further, by performing security processing on the data sent to the cloud authentication platform and security verification on the data received from the cloud authentication platform, the security of the data transmitted between the identity card card-reading terminal and the cloud authentication platform is ensured.
As an optional embodiment of the present embodiment, as shown in Fig. 2, before the master control security chip performs security processing on the identity card identification information to obtain the first packet, the method further includes the following steps for obtaining the first session key (S201-S204):
S201: The master control security chip generates a first random number, signs the first random number and the first certificate of the identity card card-reading terminal with the first private key of the identity card card-reading terminal to obtain the ninth signature value, and sends the ninth packet to the communication interface. The ninth packet at least includes the first random number, the first certificate of the identity card card-reading terminal and the ninth signature value, where the first certificate includes at least the first public key of the identity card card-reading terminal. The communication interface receives the ninth packet and sends the ninth packet to the cloud authentication platform;
In the present embodiment, the first certificate of the identity card card-reading terminal is issued by a third-party certificate authority (digital certificate authentication center). Besides the first public key of the identity card card-reading terminal, the first certificate of the identity card card-reading terminal also includes the digital signature and the name of the certificate authority, among other items.
In the present embodiment, the master control security chip signs the first random number and the first certificate of the identity card card-reading terminal with the first private key held only by the identity card card-reading terminal. If the cloud authentication platform can decrypt the ninth signature value with the first public key of the identity card card-reading terminal (the public key corresponding to that first private key), this shows that the received ninth signature value was sent by the identity card card-reading terminal; if it cannot, the received ninth signature value was not sent by the identity card card-reading terminal. In other words, the cloud authentication platform can confirm the identity of the device that sent the ninth signature value from the ninth signature value itself. After the cloud authentication platform has determined that the ninth signature value was sent by the identity card card-reading terminal, it computes the digest of the first random number and the first certificate of the identity card card-reading terminal. If the first random number and the first certificate were tampered with in transit, the digest the cloud authentication platform computes over the received first random number and first certificate also changes; therefore, by comparing the digest it computed over the first random number and the first certificate with the digest obtained by decrypting the signature, the cloud authentication platform can ensure the integrity of the received first random number and first certificate of the identity card card-reading terminal.
S202: The communication interface receives the tenth packet returned by the cloud authentication platform and sends the tenth packet to the master control security chip; the tenth packet at least includes the tenth ciphertext and the tenth signature value;
In the present embodiment, after the cloud authentication platform receives the ninth packet, it verifies the first certificate of the identity card card-reading terminal with the root certificate; if the verification passes, the first certificate of the identity card card-reading terminal is legitimate. After the first certificate of the identity card card-reading terminal passes verification, the cloud authentication platform verifies the ninth signature value with the first public key in the first certificate of the identity card card-reading terminal and, after the signature verification passes, obtains the first random number and generates a second random number; the cloud authentication platform can then generate the first session key from the first random number and the second random number. The cloud authentication platform encrypts the first random number and the second random number with the first public key of the identity card card-reading terminal to obtain the tenth ciphertext, and signs the tenth ciphertext with the private key of the cloud authentication platform to obtain the tenth signature value.
S203: The master control security chip receives the tenth packet, verifies the tenth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the tenth ciphertext with the first private key of the identity card card-reading terminal to obtain the first random number and the second random number, the second random number having been generated by the cloud authentication platform;
In the present embodiment, the identity card card-reading terminal may obtain the public key of the cloud authentication platform from a pre-stored certificate of the cloud authentication platform; it may also send a request to the cloud authentication platform asking it to send its public key to the identity card card-reading terminal. The master control security chip verifies the signature with the public key of the cloud authentication platform: if it can decrypt the tenth signature value with that public key, the received tenth signature value was sent by the cloud authentication platform; if it cannot, the received tenth signature value was not sent by the cloud authentication platform. After the master control security chip has determined that the tenth signature value was sent by the cloud authentication platform, it computes the digest of the tenth ciphertext. If the tenth ciphertext was tampered with in transit, the digest the master control security chip computes over the received tenth ciphertext also changes; therefore, by comparing the digest it computed over the tenth ciphertext with the digest obtained by decrypting the signature, the master control security chip can ensure the integrity of the received tenth ciphertext. Only after confirming that the tenth signature value was sent by the cloud authentication platform and that the tenth ciphertext was not tampered with in transit, that is, after the signature verification passes, does it decrypt the tenth ciphertext with the first private key of the identity card card-reading terminal to obtain the first random number and the second random number. This prevents any device other than the identity card card-reading terminal from decrypting the tenth ciphertext to obtain the first random number and the second random number, and so ensures the security of the first random number and the second random number.
S204: The master control security chip compares the first random number it generated with the first random number obtained by decryption and, if they match, generates the first session key from the first random number and the second random number.
In the present embodiment, after the master control security chip decrypts the tenth ciphertext to obtain the first random number and the second random number, it compares the first random number obtained by decryption with the first random number it generated. If they are identical, this shows that the cloud authentication platform received the first random number and that the first random number it received is identical to the one generated by the identity card card-reading terminal; the master control security chip and the cloud authentication platform can then compute the first session key from the first random number and the second random number with the same algorithm, and use the first session key to encrypt and decrypt data. If they differ, the first random number obtained on the cloud authentication platform side differs from the one generated by the identity card card-reading terminal; the master control security chip and the cloud authentication platform would then compute two different session keys from their respective first and second random numbers with the same algorithm, namely the first session key of the master control security chip and the first session key of the cloud authentication platform, and neither would be able to decrypt the ciphertext received from the other.
Steps S201-S204 complete the flow for obtaining the first session key, ensuring the security of the subsequent communication between the identity card card-reading terminal and the cloud authentication platform.
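The S201 to S204 exchange is shown below as an added Go example written for this page; it is not the patent's or its assignee's code. It assumes RSA throughout: PKCS#1 v1.5 signatures with SHA-256 for the ninth and tenth signature values, RSA-OAEP for the tenth ciphertext, and a bare PKCS#1 public key standing in for the first certificate (validation against the root certificate is omitted). It further assumes 16-byte random numbers and SHA-256 over R1||R2 as the "same algorithm" both sides use to derive the first session key. Both key pairs are generated at run time as constructed data.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
)

const randLen = 16 // byte length of each random number (assumption)
type NinthPacket struct{ R1, Cert, Sig []byte }   // first random number, first certificate, ninth signature value
type TenthPacket struct{ Ciphertext, Sig []byte } // tenth ciphertext, tenth signature value
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// DeriveSessionKey is the "same algorithm" both sides run; SHA-256(R1||R2) is an assumption.
func DeriveSessionKey(r1, r2 []byte) []byte {
	k := sha256.Sum256(cat(r1, r2))
	return k[:]
}

// sign and verify use RSA PKCS#1 v1.5 over SHA-256 (the signature scheme is an assumption).
func sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	d := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}
func verify(pub *rsa.PublicKey, data, sig []byte) error {
	d := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

// TerminalS201 generates R1 and signs R1||cert with the first private key; the first
// certificate is modelled as a bare PKCS#1 public key (root-certificate validation omitted).
func TerminalS201(termPriv *rsa.PrivateKey) ([]byte, NinthPacket, error) {
	r1 := make([]byte, randLen)
	rand.Read(r1) // crypto/rand.Read never returns an error (Go 1.24 docs)
	cert := x509.MarshalPKCS1PublicKey(&termPriv.PublicKey)
	sig, err := sign(termPriv, cat(r1, cert))
	return r1, NinthPacket{R1: r1, Cert: cert, Sig: sig}, err
}

// CloudS202 verifies the ninth signature with the key from the certificate, generates R2,
// derives the session key, and returns R1||R2 encrypted to the terminal (RSA-OAEP) and signed.
func CloudS202(cloudPriv *rsa.PrivateKey, p NinthPacket) ([]byte, TenthPacket, error) {
	termPub, err := x509.ParsePKCS1PublicKey(p.Cert)
	if err != nil {
		return nil, TenthPacket{}, err
	}
	if verify(termPub, cat(p.R1, p.Cert), p.Sig) != nil {
		return nil, TenthPacket{}, errors.New("ninth signature value invalid")
	}
	r2 := make([]byte, randLen)
	rand.Read(r2)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, cat(p.R1, r2), nil)
	if err != nil {
		return nil, TenthPacket{}, err
	}
	sig, err := sign(cloudPriv, ct)
	return DeriveSessionKey(p.R1, r2), TenthPacket{Ciphertext: ct, Sig: sig}, err
}

// TerminalS203S204 verifies the tenth signature, decrypts with the first private key,
// checks the echoed R1 against its own, and only then derives the first session key.
func TerminalS203S204(termPriv *rsa.PrivateKey, cloudPub *rsa.PublicKey, ownR1 []byte, p TenthPacket) ([]byte, error) {
	if verify(cloudPub, p.Ciphertext, p.Sig) != nil {
		return nil, errors.New("tenth signature value invalid")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, termPriv, p.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	if len(pt) != 2*randLen || subtle.ConstantTimeCompare(pt[:randLen], ownR1) != 1 {
		return nil, errors.New("first random number mismatch: no session key derived")
	}
	return DeriveSessionKey(pt[:randLen], pt[randLen:]), nil
}

// Demo runs S201-S204 with freshly generated (constructed) keys and reports whether both
// sides hold the same key, and whether a terminal whose own R1 differs refuses to derive one.
func Demo() (agreed, mismatchRejected bool, err error) {
	termPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	cloudPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	r1, p9, err := TerminalS201(termPriv)
	if err != nil { return }
	cloudKey, p10, err := CloudS202(cloudPriv, p9)
	if err != nil { return }
	termKey, err := TerminalS203S204(termPriv, &cloudPriv.PublicKey, r1, p10)
	if err != nil { return }
	agreed = bytes.Equal(termKey, cloudKey)
	_, mErr := TerminalS203S204(termPriv, &cloudPriv.PublicKey, make([]byte, randLen), p10)
	mismatchRejected = mErr != nil
	return
}
```

`Demo()` is the entry point: it returns `(true, true, nil)` when the two sides agree on the first session key and the run with a non-matching R1 aborts before any key is derived, which is the S204 comparison doing its job. The echoed R1 is what ties the tenth packet to this terminal's request; a tenth packet replayed from another session would carry a different R1 and be rejected at the same comparison.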
As an optional embodiment of the embodiment of the present invention, as shown in Fig. 3, before the master control security chip performs security processing on the identity card identification information to obtain the first packet, the method further includes the following alternative steps for obtaining the first session key (S301-S303):
S301: The master control security chip encrypts a request to obtain the first session key with the authenticated encryption key to obtain the eleventh ciphertext, signs the eleventh ciphertext with the first private key of the identity card card-reading terminal to obtain the eleventh signature value, and sends the eleventh packet to the communication interface. The eleventh packet at least includes the first certificate and the second certificate of the identity card card-reading terminal, the eleventh ciphertext and the eleventh signature value, where the first certificate includes at least the first public key of the identity card card-reading terminal and the second certificate includes at least the second public key of the identity card card-reading terminal. The communication interface receives the eleventh packet and sends the eleventh packet to the cloud authentication platform;
In the present embodiment, the authenticated encryption key is built into the identity card card-reading terminal in advance; before the master control security chip obtains the first session key, it encrypts the data to be sent to the cloud authentication platform with the authenticated encryption key.
In the present embodiment, the first certificate and the second certificate of the identity card card-reading terminal are issued by a third-party certificate authority (digital certificate authentication center). Besides the second public key of the identity card card-reading terminal, the second certificate of the identity card card-reading terminal also includes information such as the digital signature and the name of the certificate authority. In the present embodiment, the first certificate and the second certificate of the identity card card-reading terminal may be two different certificates or the same certificate.
In the present embodiment, once the master control security chip has encrypted the request to obtain the first session key with the authenticated encryption key to obtain the eleventh ciphertext, only the cloud authentication platform, which holds the corresponding authentication decryption key, can decrypt the eleventh ciphertext. This prevents any device other than the cloud authentication platform from decrypting the eleventh ciphertext to obtain the request for the first session key, and so secures the transmission of the request for the first session key from the identity card card-reading terminal to the cloud authentication platform. The authentication decryption key and the authenticated encryption key are the same key, that is, a symmetric key. The authentication decryption key is built into the cloud authentication platform in advance.
In the present embodiment, the master control security chip signs the eleventh ciphertext with the first private key held only by the identity card card-reading terminal. If the cloud authentication platform can decrypt the eleventh signature value with the first public key of the identity card card-reading terminal (the public key corresponding to that first private key), this shows that the received eleventh signature value was sent by the identity card card-reading terminal; if it cannot, the received eleventh signature value was not sent by the identity card card-reading terminal. In other words, the cloud authentication platform can confirm the identity of the device that sent the eleventh signature value from the eleventh signature value itself. After the cloud authentication platform has determined that the eleventh signature value was sent by the identity card card-reading terminal, it computes the digest of the eleventh ciphertext. If the eleventh ciphertext was tampered with in transit, the digest the cloud authentication platform computes over the received eleventh ciphertext also changes; therefore, by comparing the digest it computed over the eleventh ciphertext with the digest obtained by decrypting the signature, the cloud authentication platform can ensure the integrity of the received eleventh ciphertext.
S302: The communication interface receives the twelfth packet returned by the cloud authentication platform and sends the twelfth packet to the master control security chip; the twelfth packet at least includes the twelfth ciphertext and the twelfth signature value;
In the present embodiment, after the cloud authentication platform receives the eleventh packet, it verifies the first certificate and the second certificate of the identity card card-reading terminal with the root certificate; if the verification passes, the first certificate and the second certificate of the identity card card-reading terminal are legitimate. After the first certificate and the second certificate of the identity card card-reading terminal pass verification, the cloud authentication platform verifies the eleventh signature value with the first public key in the first certificate of the identity card card-reading terminal and, after the signature verification passes, decrypts the eleventh ciphertext with the authentication decryption key to obtain the request for the first session key.
In the present embodiment, after the cloud authentication platform obtains the request for the first session key, it generates the first session key, encrypts the first session key with the second public key in the second certificate of the identity card card-reading terminal to obtain the twelfth ciphertext, and signs the twelfth ciphertext with the private key of the cloud authentication platform to obtain the twelfth signature value.
S303: The master control security chip receives the twelfth packet, verifies the twelfth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the twelfth ciphertext with the second private key of the identity card card-reading terminal to obtain the first session key.
The master control security chip verifies the signature with the public key of the cloud authentication platform. If the master control security chip can decrypt the twelfth signature value with the public key of the cloud authentication platform, this shows that the received twelfth signature value was sent by the cloud authentication platform; if it cannot, the received twelfth signature value was not sent by the cloud authentication platform. In other words, the master control security chip can confirm the identity of the device that sent the twelfth signature value from the twelfth signature value itself. After the master control security chip has determined that the twelfth signature value was sent by the cloud authentication platform, it computes the digest of the twelfth ciphertext. If the twelfth ciphertext was tampered with in transit, the digest the master control security chip computes over the received twelfth ciphertext also changes; therefore, by comparing the digest it computed over the twelfth ciphertext with the digest obtained by decrypting the signature, the master control security chip can ensure the integrity of the received twelfth ciphertext. Only after confirming that the twelfth signature value was sent by the cloud authentication platform and that the twelfth ciphertext was not tampered with in transit, that is, after the signature verification passes, does it decrypt the twelfth ciphertext with the second private key of the identity card card-reading terminal to obtain the first session key. This prevents any device other than the identity card card-reading terminal from decrypting the twelfth ciphertext to obtain the first session key, and so ensures the security of the first session key.
Steps S301-S303 complete the flow for obtaining the first session key, ensuring the security of the subsequent communication between the identity card card-reading terminal and the cloud authentication platform.
Embodiment 2:
This embodiment provides an identity card reading terminal.
Fig. 4 is a schematic structural diagram of the identity card reading terminal provided by this embodiment. As shown in Fig. 4, the identity card reading terminal provided by this embodiment includes a card reading interface 401, a master control security chip 402 and a communication interface 403. The card reading interface 401 is configured to receive the identity card identification information sent by the identity card and to send the identity card identification information to the master control security chip 402. The master control security chip 402 is configured to receive the identity card identification information, perform security processing on it to obtain the first packet, and send the first packet to the communication interface 403. The communication interface 403 is configured to receive the first packet and send it to the cloud authentication platform. The communication interface 403 is further configured to receive the second packet returned by the cloud authentication platform and send it to the master control security chip 402. The master control security chip 402 is further configured to receive the second packet, perform security verification on it and, once security verification passes, obtain the first authentication factor and send it to the card reading interface 401. The card reading interface 401 is further configured to receive the first authentication factor and send it to the identity card. The card reading interface 401 is further configured to receive the first authentication data returned by the identity card and send it to the master control security chip 402; the first authentication data is obtained by the identity card processing the first authentication factor. The master control security chip 402 is further configured to receive the first authentication data, perform security processing on it to obtain the third packet, and send the third packet to the communication interface 403. The communication interface 403 is further configured to receive the third packet and send it to the cloud authentication platform. The communication interface 403 is further configured to receive the fourth packet returned by the cloud authentication platform and send it to the master control security chip 402. The master control security chip 402 is further configured to receive the fourth packet, perform security verification on it and, once security verification passes, obtain the second authentication factor acquisition request and send it to the card reading interface 401. The card reading interface 401 is further configured to receive the second authentication factor acquisition request and send it to the identity card. The card reading interface 401 is further configured to receive the second authentication factor returned by the identity card and send it to the master control security chip 402. The master control security chip 402 is further configured to receive the second authentication factor, perform security processing on it to obtain the fifth packet, and send the fifth packet to the communication interface 403. The communication interface 403 is further configured to receive the fifth packet and send it to the cloud authentication platform. The communication interface 403 is further configured to receive the sixth packet returned by the cloud authentication platform and send it to the master control security chip 402. The master control security chip 402 is further configured to receive the sixth packet, perform security verification on it and, once security verification passes, obtain the second authentication data and send it to the card reading interface 401. The card reading interface 401 is further configured to receive the second authentication data and send it to the identity card; the second authentication data is obtained by the cloud authentication platform processing the second authentication factor. The card reading interface 401 is further configured to receive the identity card data ciphertext returned by the identity card and send it to the master control security chip 402. The master control security chip 402 is further configured to perform security processing on the identity card data ciphertext to obtain the seventh packet and send the seventh packet to the communication interface 403. The communication interface 403 is further configured to send the seventh packet to the cloud authentication platform. The communication interface 403 is further configured to receive the eighth packet returned by the cloud authentication platform and send it to the master control security chip 402. The master control security chip 402 is further configured to receive the eighth packet, perform security verification on it and, once security verification passes, obtain the identity card data plaintext.
The identity card reading terminal provided by this embodiment is not itself equipped with a verification security control module. Instead, an identity card security control module able to decrypt the data ciphertext read from the identity card is deployed in the cloud authentication platform, and any user can access the cloud authentication platform over a wired or wireless network to read identity cards. This greatly reduces the cost to users: industries such as banking, railway stations and insurance that need to perform identity card information reading only need to deploy the corresponding number of identity card reading terminals, without deploying a large number of verification security control modules or configuring a large number of correspondences between verification security control modules and identity card reading terminals, which simplifies deployment. Further, by performing security processing on the data sent to the cloud authentication platform and security verification on the data received from the cloud authentication platform, the security of the data transmitted between the identity card reading terminal and the cloud authentication platform is ensured.
In this embodiment, the identity card identification information is information that the identity card reading terminal can recognize directly and that uniquely identifies the identity card, for example the identity card serial number; it is not specifically limited in this embodiment.
In this embodiment, the card reading interface 401 is used to receive data sent by the identity card and to send data to the identity card. The card reading interface 401 may be a radio frequency interface, for example a radio-frequency antenna; any card reading interface 401 capable of communicating with the identity card falls within the protection scope of the present invention, and it is not specifically limited in this embodiment.
In this embodiment, the communication interface 403 is used to receive data sent by the cloud authentication platform and to send data to the cloud authentication platform. The communication interface 403 may communicate with the cloud authentication platform directly over a wired or wireless network, in which case the communication interface 403 may be a wireless communication interface (for example, a WIFI communication interface) or a wired communication interface. The communication interface 403 may also communicate with the cloud authentication platform through the wireless or wired network of a host computer (such as a mobile phone, a PAD (tablet computer) or a PC), in which case the communication interface 403 may be a wireless communication interface capable of communicating with the host computer (for example, a Bluetooth interface or an NFC interface) or a wired communication interface (for example, a USB interface); it is not specifically limited in this embodiment.
In this embodiment, the master control security chip 402 performs operations such as security processing and security verification and is the core component of the identity card reading terminal. The master control security chip 402 in this embodiment may be a security chip certified by the State Cryptography Administration, or another control chip having the above functions; any chip that can realize the functions of the master control security chip 402 of the present invention falls within the protection scope of the present invention.
As an optional implementation of this embodiment, the master control security chip 402 is specifically configured to encrypt the identity card identification information with the first session key to obtain the first ciphertext, and to sign the first ciphertext with the first private key of the identity card reading terminal to obtain the first signature value; the first packet includes at least the first ciphertext and the first signature value.
In this embodiment, the first session key is a key negotiated between the identity card reading terminal and the cloud authentication platform, used to encrypt the data the identity card reading terminal sends to the cloud authentication platform and to decrypt the data it receives from the cloud authentication platform. After the master control security chip 402 of the identity card reading terminal encrypts data with the first session key, only a cloud authentication platform holding the same first session key can decrypt the encrypted data, which prevents devices other than the cloud authentication platform from decrypting it to obtain the data the identity card reading terminal sends to the cloud authentication platform and ensures the security of that data. Likewise, only the master control security chip 402 of the identity card reading terminal holding the first session key can decrypt the encrypted data received from the cloud authentication platform, which prevents devices other than the identity card reading terminal from decrypting it to obtain the data the cloud authentication platform sends to the identity card reading terminal and ensures the security of that data.
In this embodiment, the master control security chip 402 signs the first ciphertext with the first private key of the identity card reading terminal to obtain the first signature value as follows: the master control security chip 402 computes a hash of the first ciphertext to obtain the digest of the first ciphertext, and encrypts that digest with the first private key of the identity card reading terminal to obtain the first signature value. The master control security chip 402 signs the first ciphertext with the first private key, which only the identity card reading terminal holds. If the cloud authentication platform can decrypt the first signature value with the first public key of the identity card reading terminal corresponding to that first private key, the received first signature value was sent by the identity card reading terminal; if it cannot, the received first signature value was not sent by the identity card reading terminal. The cloud authentication platform can therefore confirm the identity of the device that sent the first signature value from the first signature value itself. After the cloud authentication platform has determined that the first signature value was sent by the identity card reading terminal, it computes the digest of the first ciphertext. If the first ciphertext was tampered with in transit, the digest the cloud authentication platform computes over the received first ciphertext changes as well, so by comparing the computed digest of the first ciphertext with the digest obtained by decrypting the signature value it can ensure the integrity of the received first ciphertext. It should be noted that all signing processes in this embodiment may refer to this description; the signing processes referred to below are not described again in detail.
In this embodiment, after the cloud authentication platform receives the first packet, it performs security verification on the first packet and, once security verification passes, obtains the identity card identification information. Specifically, the cloud authentication platform may verify the first signature value with the first public key of the identity card reading terminal and, once signature verification passes, decrypt the first ciphertext with the first session key to obtain the identity card identification information. The cloud authentication platform can then look up the security key matching the identity card according to the identity card identification information.
Before the identity card reading terminal reads the identity card data ciphertext, mutual authentication between the identity card and the cloud authentication platform must be completed, which ensures that both the identity card and the cloud authentication platform are legitimate.
In this embodiment, the first authentication factor is generated by the cloud authentication platform and sent to the identity card; the cloud authentication platform can use the first authentication factor to authenticate the legitimacy of the identity card. The first authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters, and is not specifically limited in this embodiment.
As an optional implementation of this embodiment, the second packet includes at least the second ciphertext and the second signature value; the master control security chip 402 is specifically configured to verify the second signature value with the public key of the cloud authentication platform and, once signature verification passes, to decrypt the second ciphertext with the first session key to obtain the first authentication factor.
In this embodiment, the master control security chip 402 may verify the second signature value with the public key of the cloud authentication platform as follows: the master control security chip 402 decrypts the second signature value with the public key of the cloud authentication platform to obtain the digest of the second ciphertext, computes a hash of the received second ciphertext to obtain the digest of the second ciphertext, and compares the digest obtained by decryption with the computed digest; if they are identical, verification of the second signature value passes. All signature verification processes in this embodiment may refer to this description; the verification processes referred to below are not described again in detail. The master control security chip 402 verifies the signature with the public key of the cloud authentication platform. If the second signature value can be decrypted with that public key, the received second signature value was sent by the cloud authentication platform; if it cannot, the received second signature value was not sent by the cloud authentication platform. The master control security chip 402 can therefore confirm the identity of the device that sent the second signature value from the second signature value itself. After the master control security chip 402 has determined that the second signature value was sent by the cloud authentication platform, it computes the digest of the second ciphertext. If the second ciphertext was tampered with in transit, the digest the master control security chip 402 computes over the received second ciphertext changes as well, so by comparing the computed digest of the second ciphertext with the digest obtained by decryption it can ensure the integrity of the received second ciphertext. Once it has confirmed that the second signature value was sent by the cloud authentication platform and that the second ciphertext was not tampered with in transit, that is, once signature verification has passed, it decrypts the second ciphertext with the first session key, held only by the identity card reading terminal and the cloud authentication platform, to obtain the first authentication factor. Devices other than the identity card reading terminal are thereby prevented from decrypting the second ciphertext to obtain the first authentication factor, which ensures the security of the first authentication factor.
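The packet construction and verification described for the first and second packets (and reused for the third to eighth), as an added example that is not part of the patent: the sender encrypts under the session key, hashes the ciphertext and signs the digest; the receiver verifies the signature before decrypting, so a ciphertext altered in transit or signed by another key is rejected. AES-256-GCM, SHA-256 and RSA-2048 with PKCS#1 v1.5 are assumed choices, since the patent names no algorithms; the session key and the sample identification information are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Packet mirrors the embodiment's packet layout: the ciphertext produced under
// the first session key plus the signature value over that ciphertext.
type Packet struct {
	Ciphertext []byte
	Signature  []byte
}

// ConstructedSessionKey is a fixed stand-in for the negotiated first session
// key, constructed for this example only (a real terminal obtains it in S301-S303).
func ConstructedSessionKey() []byte {
	key := make([]byte, 32) // AES-256 is an assumed cipher choice
	for i := range key {
		key[i] = byte(i)
	}
	return key
}

// GenerateReaderKeyPair creates the terminal's first private key together with
// the matching first public key (RSA-2048 is an assumed choice).
func GenerateReaderKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildPacket is the sender's "security processing": encrypt under the session
// key (AES-GCM, random nonce prepended), hash the ciphertext with SHA-256 and
// sign the digest with the sender's private key.
func BuildPacket(sessionKey []byte, senderPriv *rsa.PrivateKey, plaintext []byte) (*Packet, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nonce, nonce, plaintext, nil)
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Packet{Ciphertext: ct, Signature: sig}, nil
}

// VerifyPacket is the receiver's "security verification": the signature check
// recomputes the digest of the received ciphertext and compares it with the signed
// digest, covering sender identity and integrity; decryption happens only after it.
func VerifyPacket(sessionKey []byte, senderPub *rsa.PublicKey, p *Packet) ([]byte, error) {
	digest := sha256.Sum256(p.Ciphertext)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], p.Signature); err != nil {
		return nil, fmt.Errorf("signature verification failed, packet rejected: %w", err)
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(p.Ciphertext) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return aead.Open(nil, p.Ciphertext[:n], p.Ciphertext[n:], nil)
}

func main() {
	key := ConstructedSessionKey()
	readerPriv, err := GenerateReaderKeyPair()
	if err != nil {
		panic(err)
	}
	pkt, err := BuildPacket(key, readerPriv, []byte("CARD-SERIAL-EXAMPLE-0001")) // constructed sample, not a real serial
	if err != nil {
		panic(err)
	}
	info, err := VerifyPacket(key, &readerPriv.PublicKey, pkt)
	fmt.Printf("genuine packet: %q err=%v\n", info, err)
	pkt.Ciphertext[len(pkt.Ciphertext)-1] ^= 0x01 // model modification in transit
	_, err = VerifyPacket(key, &readerPriv.PublicKey, pkt)
	fmt.Printf("tampered packet: err=%v\n", err)
}
```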
In this embodiment, the identity card may process the first authentication factor to obtain the first authentication data as follows: the identity card performs a MAC computation on the first authentication factor with the security key to obtain a MAC value, and uses the computed MAC value as the first authentication data. Alternatively, the identity card may encrypt the first authentication factor with the security key to obtain the first authentication data. The security key is preset in a legitimate identity card, so only a legitimate identity card holds it. Of course, the identity card may also process the first authentication factor in other ways specified by the Ministry of Public Security to obtain the first authentication data; this is not specifically limited in this embodiment.
As an optional implementation of this embodiment, the master control security chip 402 is specifically configured to encrypt the first authentication data with the first session key to obtain the third ciphertext, and to sign the third ciphertext with the first private key of the identity card reading terminal to obtain the third signature value; the third packet includes at least the third ciphertext and the third signature value.
In this embodiment, after the master control security chip 402 encrypts the first authentication data with the first session key to obtain the third ciphertext, only a cloud authentication platform holding the same first session key can decrypt the third ciphertext, which prevents devices other than the cloud authentication platform from decrypting the third ciphertext to obtain the first authentication data and ensures the security of the first authentication data sent by the identity card reading terminal to the cloud authentication platform.
In this embodiment, the master control security chip 402 signs the third ciphertext with the first private key, which only the identity card reading terminal holds. If the cloud authentication platform can decrypt the third signature value with the first public key of the identity card reading terminal corresponding to that first private key, the received third signature value was sent by the identity card reading terminal; if it cannot, the received data was not sent by the identity card reading terminal. The cloud authentication platform can therefore confirm the identity of the device that sent the third signature value from the third signature value itself. After the cloud authentication platform has determined that the third signature value was sent by the identity card reading terminal, it computes the digest of the third ciphertext. If the third ciphertext was tampered with in transit, the digest the cloud authentication platform computes over the received third ciphertext changes as well, so by comparing the computed digest of the third ciphertext with the digest obtained by decryption it can ensure the integrity of the received third ciphertext.
In this embodiment, after the cloud authentication platform receives the third packet, it performs security verification on the third packet and, once security verification passes, obtains the first authentication data. Specifically, the cloud authentication platform verifies the third signature value with the first public key of the identity card reading terminal and, once signature verification passes, decrypts the third ciphertext with the first session key to obtain the first authentication data, and then verifies the first authentication data.
In this embodiment, if the first authentication data is a MAC value computed by the identity card over the first authentication factor with the security key, the cloud authentication platform may verify the first authentication data as follows: the cloud authentication platform computes authentication data over the first authentication factor with the same MAC algorithm as the identity card side, and compares the computed authentication data with the received first authentication data; if they are identical, verification of the first authentication data passes.
In this embodiment, if the first authentication data is obtained by the identity card encrypting the first authentication factor with the security key, the cloud authentication platform has two optional ways of verifying the first authentication data:
Mode one: the cloud authentication platform decrypts the received first authentication data with the security key matching the identity card, looked up according to the identity card identification information, to obtain an authentication factor, and compares the decrypted authentication factor with the first authentication factor it generated itself; if they are identical, verification of the first authentication data passes.
Mode two: the cloud authentication platform encrypts the first authentication factor it generated itself with the security key matching the identity card, looked up according to the identity card identification information, to obtain authentication data, and compares the encrypted authentication data with the received first authentication data; if they are identical, verification of the first authentication data passes.
Of course, the cloud authentication platform may also verify the first authentication data in other ways specified by the Ministry of Public Security; this is not specifically limited here. By verifying the first authentication data, the cloud authentication platform verifies the legitimacy of the identity card. If verification of the first authentication data passes, the identity card is legitimate and the fourth packet is generated; if verification of the first authentication data fails, the identity card is illegitimate, and the cloud authentication platform may terminate the identity card reading and send a prompt message to the identity card reading terminal.
In this embodiment, after the cloud authentication platform has verified the first authentication data, that is, after the cloud authentication platform has authenticated the identity card, it requests the identity card to generate the second authentication factor so that the identity card can authenticate the cloud authentication platform.
As an optional implementation of this embodiment, the fourth packet includes at least the fourth ciphertext and the fourth signature value; the master control security chip 402 is specifically configured to verify the fourth signature value with the public key of the cloud authentication platform and, once signature verification passes, to decrypt the fourth ciphertext with the first session key to obtain the second authentication factor acquisition request.
The master control security chip 402 verifies the signature with the public key of the cloud authentication platform. If the fourth signature value can be decrypted with that public key, the received fourth signature value was sent by the cloud authentication platform; if it cannot, the received fourth signature value was not sent by the cloud authentication platform. The master control security chip 402 can therefore confirm the identity of the device that sent the fourth signature value from the fourth signature value itself. After the master control security chip 402 has determined that the fourth signature value was sent by the cloud authentication platform, it computes the digest of the fourth ciphertext. If the fourth ciphertext was tampered with in transit, the digest the master control security chip 402 computes over the received fourth ciphertext changes as well, so by comparing the computed digest of the fourth ciphertext with the digest obtained by decryption it can ensure the integrity of the received fourth ciphertext. Once it has confirmed that the fourth signature value was sent by the cloud authentication platform and that the fourth ciphertext was not tampered with in transit, that is, once signature verification has passed, it decrypts the fourth ciphertext with the first session key, held only by the identity card reading terminal and the cloud authentication platform, to obtain the second authentication factor acquisition request. Devices other than the identity card reading terminal are thereby prevented from decrypting the fourth ciphertext to obtain the second authentication factor acquisition request, which ensures the security of the second authentication factor acquisition request.
In this embodiment, the second authentication factor is generated by the identity card and sent to the cloud authentication platform; the identity card can use the second authentication factor to authenticate the legitimacy of the cloud authentication platform. The second authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters, and is not specifically limited in this embodiment.
As an optional implementation of this embodiment, the master control security chip 402 is specifically configured to encrypt the second authentication factor with the first session key to obtain the fifth ciphertext, and to sign the fifth ciphertext with the first private key of the identity card reading terminal to obtain the fifth signature value; the fifth packet includes at least the fifth ciphertext and the fifth signature value.
In this embodiment, after the master control security chip 402 encrypts the second authentication factor with the first session key to obtain the fifth ciphertext, only a cloud authentication platform holding the same first session key can decrypt the fifth ciphertext, which prevents devices other than the cloud authentication platform from decrypting the fifth ciphertext to obtain the second authentication factor and ensures the security of the second authentication factor sent by the identity card reading terminal to the cloud authentication platform.
In this embodiment, the master control security chip 402 signs the fifth ciphertext with the first private key, which only the identity card reading terminal holds. If the cloud authentication platform can decrypt the fifth signature value with the first public key of the identity card reading terminal corresponding to that first private key, the received fifth signature value was sent by the identity card reading terminal; if it cannot, the received data was not sent by the identity card reading terminal. The cloud authentication platform can therefore confirm the identity of the device that sent the fifth signature value from the fifth signature value itself. After the cloud authentication platform has determined that the fifth signature value was sent by the identity card reading terminal, it computes the digest of the fifth ciphertext. If the fifth ciphertext was tampered with in transit, the digest the cloud authentication platform computes over the received fifth ciphertext changes as well, so by comparing the computed digest of the fifth ciphertext with the digest obtained by decryption it can ensure the integrity of the received fifth ciphertext.
In this embodiment, after the cloud authentication platform receives the fifth packet, it performs security verification on the fifth packet and, once security verification passes, obtains the second authentication factor. Specifically, the cloud authentication platform may verify the fifth signature value with the first public key of the identity card reading terminal and, once signature verification passes, decrypt the fifth ciphertext with the first session key to obtain the second authentication factor, and then process the second authentication factor to obtain the second authentication data. The cloud authentication platform may process the second authentication factor to obtain the second authentication data as follows: the cloud authentication platform performs a computation on preset information to obtain the security key, then performs a MAC computation on the second authentication factor with the security key to obtain a MAC value, and uses the computed MAC value as the second authentication data. Alternatively, the cloud authentication platform may encrypt the second authentication factor with the security key matching the identity card to obtain the second authentication data. Of course, the cloud authentication platform may also process the second authentication factor in other ways specified by the Ministry of Public Security to obtain the second authentication data; this is not specifically limited in this embodiment.
As an optional embodiment of the present embodiment, the 6th packet at least includes: the 6th ciphertext and the 6th signature value;Master control safety chip 402, Specifically for utilizing the PKI of cloud authentication platform that the 6th signature value is carried out sign test, after sign test is passed through, utilize the first session key that the 6th ciphertext is carried out Deciphering obtains the second authentication data.
Master control safety chip 402 uses the PKI of cloud authentication platform to carry out sign test, if master control safety chip 402 uses the PKI energy of cloud authentication platform Enough to the 6th signature value deciphering, then show that the 6th signature value received is sent by cloud authentication platform, if master control safety chip 402 uses cloud to recognize The PKI of card platform can not then show that the 6th signature value received is not sent by cloud authentication platform, i.e. the safe core of master control to the 6th signature value deciphering Sheet 402 can carry out identity validation according to the 6th device signing name-value pair transmission the 6th signature value.The 6th signature value is determined at master control safety chip 402 After cloud authentication platform sends, then calculate the summary of the 6th ciphertext.If the 6th ciphertext is tampered in transmitting procedure, then the safe core of master control The digest value of the sheet 402 the 6th cryptogram computation to receiving also can convert, and therefore, master control safety chip 402 is by the relatively the calculated 6th The summary of ciphertext is the most identical with the summary of the 6th ciphertext that deciphering obtains, it is possible to ensure the integrity of the 6th ciphertext received.Confirming the 6th signature Value is to be sent by cloud authentication platform and the 6th ciphertext is not tampered with in transmitting procedure, after i.e. sign test is passed through, and recycling identity card card-reading terminal and cloud 6th ciphertext is decrypted and obtains the second authentication data by the first session key that authentication platform just has, and prevents other dresses beyond identity card card-reading terminal Put and the 6th ciphertext is decrypted acquisition the second authentication data, it is ensured that the safety of the second authentication data.
In this embodiment, after the identity card receives the second authentication data, it verifies the second authentication data and, after the verification passes, sends the identity card data ciphertext to the identity card reading terminal. The identity card data ciphertext is the identity card data stored in ciphertext form in the identity card, such as the identification card number, name, sex, address and photo; the corresponding identity card data plaintext can only be obtained after this identity card data ciphertext is decrypted by an identity card security control module authorized by the Ministry of Public Security.
In this embodiment, if the second authentication data is a MAC value obtained by the cloud authentication platform computing a MAC over the second authentication factor with the security key, the identity card can verify the second authentication data as follows: the identity card computes authentication data over the second authentication factor with the same MAC algorithm as the cloud authentication platform and compares the computed authentication data with the received second authentication data; if they are identical, the second authentication data passes verification.
In this embodiment, if the second authentication data is obtained by the cloud authentication platform encrypting the second authentication factor with the security key, two optional ways in which the identity card verifies the second authentication data are:
Mode one: the identity card decrypts the received second authentication data with the security key to obtain an authentication factor, and compares the authentication factor obtained by decryption with the second authentication factor it generated itself; if they are identical, the second authentication data passes verification.
Mode two: the identity card encrypts the second authentication factor it generated with the security key to obtain authentication data, and compares the authentication data obtained by encryption with the received second authentication data; if they are identical, the second authentication data passes verification.
Of course, the identity card may also verify the second authentication data in other ways specified by the Ministry of Public Security, which are not specifically limited here. By verifying the second authentication data, the identity card verifies the legitimacy of the cloud authentication platform. If the second authentication data passes verification, the cloud authentication platform is legitimate and the identity card returns the identity card data ciphertext; if the verification fails, the cloud authentication platform is illegitimate, and the identity card reading flow can be terminated at this point.
As an optional implementation of this embodiment, the master control security chip 402 is specifically configured to encrypt the identity card data ciphertext with the first session key to obtain the seventh ciphertext, and to sign the seventh ciphertext with the first private key of the identity card reading terminal to obtain the seventh signature value.
In this embodiment, after the master control security chip 402 encrypts the identity card data ciphertext with the first session key to obtain the seventh ciphertext, only the cloud authentication platform, which holds the same first session key, can decrypt the seventh ciphertext. This prevents any device other than the cloud authentication platform from decrypting the seventh ciphertext to obtain the identity card data ciphertext and ensures the security of the identity card data ciphertext that the identity card reading terminal sends to the cloud authentication platform.
In this embodiment, the master control security chip 402 signs the seventh ciphertext with the first private key held only by the identity card reading terminal. If the cloud authentication platform can decrypt the seventh signature value with the first public key of the identity card reading terminal that corresponds to that first private key, the received seventh signature value was sent by the identity card reading terminal; if it cannot, the received seventh signature value was not sent by the identity card reading terminal. In other words, the cloud authentication platform can confirm the identity of the sender from the seventh signature value. After the cloud authentication platform has determined that the seventh signature value was sent by the identity card reading terminal, it computes the digest of the seventh ciphertext. If the seventh ciphertext was tampered with in transit, the digest that the cloud authentication platform computes over the received seventh ciphertext also changes; therefore, by comparing the computed digest of the seventh ciphertext with the digest obtained by decrypting the signature value, the cloud authentication platform can ensure the integrity of the received seventh ciphertext.
In this embodiment, after the cloud authentication platform receives the seventh packet, it performs a security check on the seventh packet and, after the check passes, obtains the identity card data ciphertext. Specifically, the cloud authentication platform verifies the seventh signature value with the first public key of the identity card reading terminal; after the signature verification passes, it decrypts the seventh ciphertext with the first session key to obtain the identity card data ciphertext, and decrypts the identity card data ciphertext with the identity card security control module authorized by the Ministry of Public Security to obtain the identity card data plaintext. The cloud authentication platform then applies security processing to the identity card data plaintext to obtain the eighth packet.
As an optional implementation of this embodiment, the eighth packet at least includes the eighth ciphertext and the eighth signature value. The master control security chip 402 is specifically configured to verify the eighth signature value with the public key of the cloud authentication platform and, after the signature verification passes, to decrypt the eighth ciphertext with the first session key to obtain the identity card data plaintext.
The master control security chip 402 performs the signature verification with the public key of the cloud authentication platform. If the public key of the cloud authentication platform can decrypt the eighth signature value, the received eighth signature value was sent by the cloud authentication platform; if it cannot, the received eighth signature value was not sent by the cloud authentication platform. In other words, the master control security chip 402 can confirm the identity of the sender from the eighth signature value. After the master control security chip 402 has determined that the eighth signature value was sent by the cloud authentication platform, it computes the digest of the eighth ciphertext. If the eighth ciphertext was tampered with in transit, the digest that the master control security chip 402 computes over the received eighth ciphertext also changes; therefore, by comparing the computed digest of the eighth ciphertext with the digest obtained by decrypting the signature value, the master control security chip 402 can ensure the integrity of the received eighth ciphertext. Once it has confirmed that the eighth signature value was sent by the cloud authentication platform and that the eighth ciphertext was not tampered with in transit, that is, after the signature verification passes, it decrypts the eighth ciphertext with the first session key, which only the identity card reading terminal and the cloud authentication platform hold, to obtain the identity card data plaintext. This prevents any device other than the identity card reading terminal from decrypting the eighth ciphertext to obtain the identity card data plaintext and ensures the security of the identity card data plaintext.
As an optional implementation of this embodiment, the master control security chip 402 is further configured to generate a first random number, to sign the first random number and the first certificate of the identity card reading terminal with the first private key of the identity card reading terminal to obtain a ninth signature value, and to send a ninth packet to the communication interface 403, the ninth packet at least including the first random number, the first certificate of the identity card reading terminal and the ninth signature value, where the first certificate includes at least the first public key of the identity card reading terminal. The communication interface 403 is further configured to receive the ninth packet and send it to the cloud authentication platform, and to receive a tenth packet returned by the cloud authentication platform and send it to the master control security chip 402, the tenth packet at least including a tenth ciphertext and a tenth signature value. The master control security chip 402 is further configured to receive the tenth packet, verify the tenth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypt the tenth ciphertext with the first private key of the identity card reading terminal to obtain the first random number and a second random number, the second random number being generated by the cloud authentication platform. The master control security chip 402 is further configured to compare the first random number it generated with the first random number obtained by decryption and, if they match, to generate the first session key from the first random number and the second random number.
After the identity card reading terminal obtains the first session key, the data transmitted between the identity card reading terminal and the cloud authentication platform is encrypted and decrypted with the first session key, which ensures the security of the data transmission.
In this embodiment, the first certificate of the identity card reading terminal is issued by a third-party certificate authority (digital certificate authentication center). Besides the first public key of the identity card reading terminal, the first certificate also includes the digital signature and the name of the certificate authority, and so on.
In this embodiment, the master control security chip signs the first random number and the first certificate of the identity card reading terminal with the first private key held only by the identity card reading terminal. If the cloud authentication platform can decrypt the ninth signature value with the first public key of the identity card reading terminal that corresponds to that first private key, the received ninth signature value was sent by the identity card reading terminal; if it cannot, the received ninth signature value was not sent by the identity card reading terminal. In other words, the cloud authentication platform can confirm the identity of the sender from the ninth signature value. After the cloud authentication platform has determined that the ninth signature value was sent by the identity card reading terminal, it computes the digest of the first random number and the first certificate of the identity card reading terminal. If the first random number and the first certificate were tampered with in transit, the digest that the cloud authentication platform computes over the received first random number and first certificate also changes; therefore, by comparing the computed digest of the first random number and the first certificate with the digest obtained by decrypting the signature value, the cloud authentication platform can ensure the integrity of the received first random number and first certificate of the identity card reading terminal.
In this embodiment, after the cloud authentication platform receives the ninth packet, it verifies the first certificate of the identity card reading terminal with the root certificate; if the verification passes, the first certificate of the identity card reading terminal is legitimate. After the first certificate passes verification, the cloud authentication platform verifies the ninth signature value with the first public key in the first certificate of the identity card reading terminal; after the signature verification passes, it obtains the first random number and generates a second random number, and the cloud authentication platform can generate the first session key from the first random number and the second random number. The cloud authentication platform encrypts the first random number and the second random number with the first public key of the identity card reading terminal to obtain the tenth ciphertext, and signs the tenth ciphertext with the private key of the cloud authentication platform to obtain the tenth signature value.
In this embodiment, the identity card reading terminal can obtain the public key of the cloud authentication platform from a pre-stored certificate of the cloud authentication platform; it can also send a request to the cloud authentication platform asking it to send its public key to the identity card reading terminal. The master control security chip 402 performs the signature verification with the public key of the cloud authentication platform: if the public key of the cloud authentication platform can decrypt the tenth signature value, the received tenth signature value was sent by the cloud authentication platform; if it cannot, the received tenth signature value was not sent by the cloud authentication platform. After the master control security chip 402 has determined that the tenth signature value was sent by the cloud authentication platform, it computes the digest of the tenth ciphertext. If the tenth ciphertext was tampered with in transit, the digest that the master control security chip 402 computes over the received tenth ciphertext also changes; therefore, by comparing the computed digest of the tenth ciphertext with the digest obtained by decrypting the signature value, the master control security chip 402 can ensure the integrity of the received tenth ciphertext. Once it has confirmed that the tenth signature value was sent by the cloud authentication platform and that the tenth ciphertext was not tampered with in transit, that is, after the signature verification passes, it decrypts the tenth ciphertext with the first session key, which only the identity card reading terminal and the cloud authentication platform hold, to obtain the first random number and the second random number. This prevents any device other than the identity card reading terminal from decrypting the second ciphertext to obtain the first random number and the second random number and ensures the security of the first random number and the second random number.
In this embodiment, after the master control security chip 402 decrypts the tenth ciphertext to obtain the first random number and the second random number, it compares the first random number obtained by decryption with the first random number it generated. If they are identical, the cloud authentication platform has received the first random number and the first random number received by the cloud authentication platform is identical to the one generated by the identity card reading terminal; the master control security chip can then generate the first session key from the first random number and the second random number with the same algorithm as the cloud authentication platform, and use the first session key to encrypt and decrypt data. If they differ, the first random number obtained by the cloud authentication platform differs from the first random number generated by the identity card reading terminal; the master control security chip and the cloud authentication platform would then compute two different session keys from their respective first random numbers and the second random number with the same algorithm, namely the first session key of the master control security chip and the first session key of the cloud authentication platform, and neither the master control security chip nor the cloud authentication platform could decrypt the ciphertexts received from the other side.
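The random-number exchange and session key derivation of the ninth and tenth packets described above, as an added Go example that is not the patent's or the applicant's code. Assumptions: the terminal's first key pair is RSA-2048 (RSA-PSS for the ninth signature value, RSA-OAEP for the tenth ciphertext, which the terminal decrypts with its first private key as the embodiment states), the cloud authentication platform signs with ECDSA P-256, the session key is SHA-256 over a label and the two random numbers, and the first certificate is reduced to the raw terminal public key with its root-certificate check assumed to have passed before the platform uses that key. All function, type and field names are this example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 16 // length of the first and second random numbers (assumption)

// NinthPacket carries the first random number and the terminal's signature over
// the random number and its first certificate (stood in for by certBytes).
type NinthPacket struct {
	R1        []byte
	Signature []byte
}

// TenthPacket carries R1||R2 encrypted to the terminal's first public key and
// the platform's signature value over that ciphertext.
type TenthPacket struct {
	Ciphertext []byte
	Signature  []byte
}

// certBytes stands in for the first certificate; the real check against the
// root certificate is assumed to have happened before the key is used.
func certBytes(pub *rsa.PublicKey) []byte { return pub.N.Bytes() }

// deriveSessionKey is the key derivation both sides run over R1 and R2. The
// description only requires the same algorithm on both sides; this is an assumption.
func deriveSessionKey(r1, r2 []byte) []byte {
	k := sha256.Sum256(append(append([]byte("session-key|"), r1...), r2...))
	return k[:]
}

// terminalBuildNinth generates R1 and signs R1||certificate with the first
// private key (RSA-PSS assumed). It returns the packet and R1 for later comparison.
func terminalBuildNinth(termKey *rsa.PrivateKey) (NinthPacket, []byte, error) {
	r1 := make([]byte, nonceLen)
	if _, err := rand.Read(r1); err != nil {
		return NinthPacket{}, nil, err
	}
	d := sha256.Sum256(append(append([]byte{}, r1...), certBytes(&termKey.PublicKey)...))
	sig, err := rsa.SignPSS(rand.Reader, termKey, crypto.SHA256, d[:], nil)
	return NinthPacket{R1: r1, Signature: sig}, r1, err
}

// platformHandleNinth verifies the ninth signature value, generates R2, encrypts
// R1||R2 to the terminal's first public key (RSA-OAEP), signs the ciphertext
// with the platform key (ECDSA) and derives the platform's copy of the session key.
func platformHandleNinth(p NinthPacket, termPub *rsa.PublicKey, platKey *ecdsa.PrivateKey) (TenthPacket, []byte, error) {
	d := sha256.Sum256(append(append([]byte{}, p.R1...), certBytes(termPub)...))
	if err := rsa.VerifyPSS(termPub, crypto.SHA256, d[:], p.Signature, nil); err != nil {
		return TenthPacket{}, nil, errors.New("ninth packet: signature verification failed")
	}
	r2 := make([]byte, nonceLen)
	if _, err := rand.Read(r2); err != nil {
		return TenthPacket{}, nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, append(append([]byte{}, p.R1...), r2...), nil)
	if err != nil {
		return TenthPacket{}, nil, err
	}
	cd := sha256.Sum256(ct)
	sig, err := ecdsa.SignASN1(rand.Reader, platKey, cd[:])
	return TenthPacket{Ciphertext: ct, Signature: sig}, deriveSessionKey(p.R1, r2), err
}

// terminalHandleTenth verifies the tenth signature value, decrypts with the first
// private key, compares the echoed R1 with the generated one and only then derives
// the session key; on a mismatch the two sides would compute different keys.
func terminalHandleTenth(p TenthPacket, myR1 []byte, termKey *rsa.PrivateKey, platPub *ecdsa.PublicKey) ([]byte, error) {
	cd := sha256.Sum256(p.Ciphertext)
	if !ecdsa.VerifyASN1(platPub, cd[:], p.Signature) {
		return nil, errors.New("tenth packet: signature verification failed")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, termKey, p.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	if len(pt) != 2*nonceLen || !bytes.Equal(pt[:nonceLen], myR1) {
		return nil, errors.New("tenth packet: echoed R1 differs from the generated R1")
	}
	return deriveSessionKey(myR1, pt[nonceLen:]), nil
}

func main() {
	termKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	platKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ninth, r1, _ := terminalBuildNinth(termKey)
	tenth, platformCopy, _ := platformHandleNinth(ninth, &termKey.PublicKey, platKey)
	terminalCopy, err := terminalHandleTenth(tenth, r1, termKey, &platKey.PublicKey)
	fmt.Println("session keys agree:", err == nil && bytes.Equal(platformCopy, terminalCopy))
}
```

terminalHandleTenth refuses to derive a key when the echoed first random number differs from the one it generated, which is the mismatch case discussed above: the two sides would otherwise end up with different session keys and be unable to decrypt each other's ciphertexts.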
As an optional implementation of this embodiment, the master control security chip 402 is further configured to encrypt a first session key acquisition request with an authenticated encryption key to obtain an eleventh ciphertext, to sign the eleventh ciphertext with the first private key of the identity card reading terminal to obtain an eleventh signature value, and to send an eleventh packet to the communication interface 403, the eleventh packet at least including the first certificate and the second certificate of the identity card reading terminal, the eleventh ciphertext and the eleventh signature value, where the first certificate includes at least the first public key of the identity card reading terminal and the second certificate includes at least the second public key of the identity card reading terminal. The communication interface 403 is further configured to receive the eleventh packet and send it to the cloud authentication platform, and to receive a twelfth packet returned by the cloud authentication platform and send it to the master control security chip 402, the twelfth packet at least including a twelfth ciphertext and a twelfth signature value. The master control security chip 402 is further configured to receive the twelfth packet, verify the twelfth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypt the twelfth ciphertext with the second private key of the identity card reading terminal to obtain the first session key.
After the identity card reading terminal obtains the first session key, the data transmitted between the identity card reading terminal and the cloud authentication platform is encrypted and decrypted with the first session key, which ensures the security of the data transmission.
In this embodiment, the authenticated encryption key is built into the identity card reading terminal in advance. Before the identity card reading terminal obtains the first session key, the master control security chip 402 encrypts the data to be sent to the cloud authentication platform with the authenticated encryption key.
In this embodiment, the first certificate and the second certificate of the identity card reading terminal are issued by a third-party certificate authority (digital certificate authentication center). Besides the second public key of the identity card reading terminal, the second certificate also includes information such as the digital signature and the name of the certificate authority. In this embodiment, the first certificate and the second certificate of the identity card reading terminal may be two different certificates or the same certificate.
In this embodiment, after the master control security chip 402 encrypts the first session key acquisition request with the authenticated encryption key to obtain the eleventh ciphertext, only the cloud authentication platform, which holds the corresponding authentication decryption key, can decrypt the eleventh ciphertext. This prevents any device other than the cloud authentication platform from decrypting the eleventh ciphertext to obtain the first session key acquisition request and ensures the security of the first session key acquisition request that the identity card reading terminal sends to the cloud authentication platform. The authentication decryption key and the authenticated encryption key are the same key, that is, a symmetric key. The authentication decryption key is built into the cloud authentication platform in advance.
In this embodiment, the master control security chip 402 signs the eleventh ciphertext with the first private key held only by the identity card reading terminal. If the cloud authentication platform can decrypt the eleventh signature value with the first public key of the identity card reading terminal that corresponds to that first private key, the received eleventh signature value was sent by the identity card reading terminal; if it cannot, the received eleventh signature value was not sent by the identity card reading terminal. In other words, the cloud authentication platform can confirm the identity of the sender from the eleventh signature value. After the cloud authentication platform has determined that the eleventh signature value was sent by the identity card reading terminal, it computes the digest of the eleventh ciphertext. If the eleventh ciphertext was tampered with in transit, the digest that the cloud authentication platform computes over the received eleventh ciphertext also changes; therefore, by comparing the computed digest of the eleventh ciphertext with the digest obtained by decrypting the signature value, the cloud authentication platform can ensure the integrity of the received eleventh ciphertext.
In this embodiment, after the cloud authentication platform receives the eleventh packet, it verifies the first certificate and the second certificate of the identity card reading terminal with the root certificate; if the verification passes, the first certificate and the second certificate of the identity card reading terminal are legitimate. After the first certificate and the second certificate pass verification, the cloud authentication platform verifies the eleventh signature value with the first public key in the first certificate of the identity card reading terminal; after the signature verification passes, it decrypts the eleventh ciphertext with the authentication decryption key to obtain the first session key acquisition request.
In this embodiment, after the cloud authentication platform obtains the first session key acquisition request, it generates the first session key, encrypts the first session key with the second public key in the second certificate of the identity card reading terminal to obtain the twelfth ciphertext, and signs the twelfth ciphertext with the private key of the cloud authentication platform to obtain the twelfth signature value.
In this embodiment, the master control security chip 402 performs the signature verification with the public key of the cloud authentication platform. If the public key of the cloud authentication platform can decrypt the twelfth signature value, the received twelfth signature value was sent by the cloud authentication platform; if it cannot, the received twelfth signature value was not sent by the cloud authentication platform. In other words, the master control security chip 402 can confirm the identity of the sender from the twelfth signature value. After the master control security chip 402 has determined that the twelfth signature value was sent by the cloud authentication platform, it computes the digest of the twelfth ciphertext. If the twelfth ciphertext was tampered with in transit, the digest that the master control security chip 402 computes over the received twelfth ciphertext also changes; therefore, by comparing the computed digest of the twelfth ciphertext with the digest obtained by decrypting the signature value, the master control security chip 402 can ensure the integrity of the received twelfth ciphertext. Once it has confirmed that the twelfth signature value was sent by the cloud authentication platform and that the twelfth ciphertext was not tampered with in transit, that is, after the signature verification passes, it decrypts the twelfth ciphertext with the second private key of the identity card reading terminal to obtain the first session key. This prevents any device other than the identity card reading terminal from decrypting the twelfth ciphertext to obtain the first session key and ensures the security of the first session key.
Any process or method description in the flowcharts or described otherwise herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functionality involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that each part of the present invention may be implemented by hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one of the following technologies well known in the art or a combination thereof: discrete logic circuits having logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gate circuits, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and so on.
Those skilled in the art will appreciate that all or part of the steps carried by the methods of the above embodiments can be completed by instructing the relevant hardware through a program; the program can be stored in a computer-readable storage medium and, when executed, includes one of or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, or each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and is sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, or the like.
In the description of this specification, a description with reference to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and cannot be construed as limiting the present invention; those of ordinary skill in the art can make changes, modifications, replacements and variations to the above embodiments within the scope of the present invention without departing from its principles and purpose. The scope of the present invention is defined by the claims and their equivalents.

Claims (8)

1. An identity card reading method, characterized in that the method comprises:
a card reading interface receiving identity card identification information sent by an identity card and sending the identity card identification information to a master control security chip;
the master control security chip receiving the identity card identification information, applying security processing to the identity card identification information to obtain a first packet, and sending the first packet to a communication interface;
the communication interface receiving the first packet and sending the first packet to a cloud authentication platform;
the communication interface receiving a second packet returned by the cloud authentication platform and sending the second packet to the master control security chip;
the master control security chip receiving the second packet, performing a security check on the second packet, obtaining a first authentication factor after the security check passes, and sending the first authentication factor to the card reading interface;
the card reading interface receiving the first authentication factor and sending the first authentication factor to the identity card;
the card reading interface receiving first authentication data returned by the identity card and sending the first authentication data to the master control security chip, the first authentication data being obtained by the identity card processing the first authentication factor;
the master control security chip receiving the first authentication data, applying security processing to the first authentication data to obtain a third packet, and sending the third packet to the communication interface;
the communication interface receiving the third packet and sending the third packet to the cloud authentication platform;
the communication interface receiving a fourth packet returned by the cloud authentication platform and sending the fourth packet to the master control security chip;
the master control security chip receiving the fourth packet, performing a security check on the fourth packet, obtaining a second authentication factor acquisition request after the security check passes, and sending the second authentication factor acquisition request to the card reading interface;
the card reading interface receiving the second authentication factor acquisition request and sending the second authentication factor acquisition request to the identity card;
the card reading interface receiving a second authentication factor returned by the identity card and sending the second authentication factor to the master control security chip;
the master control security chip receiving the second authentication factor, applying security processing to the second authentication factor to obtain a fifth packet, and sending the fifth packet to the communication interface;
the communication interface receiving the fifth packet and sending the fifth packet to the cloud authentication platform;
the communication interface receiving a sixth packet returned by the cloud authentication platform and sending the sixth packet to the master control security chip;
the master control security chip receiving the sixth packet, performing a security check on the sixth packet, obtaining second authentication data after the security check passes, and sending the second authentication data to the card reading interface;
the card reading interface receiving the second authentication data and sending the second authentication data to the identity card, the second authentication data being obtained by the cloud authentication platform processing the second authentication factor;
the card reading interface receiving an identity card data ciphertext returned by the identity card and sending the identity card data ciphertext to the master control security chip;
Described master control safety chip carries out safe handling to described identity card data ciphertext and obtains the 7th packet, sends described 7th packet to described Communication interface;
Described communication interface sends described 7th packet to described cloud authentication platform;
Described communication interface receives the 8th packet that described cloud authentication platform returns, and sends described 8th packet to described master control safety chip;
Described master control safety chip receives described 8th packet, described 8th packet is carried out safety verification, after safety verification passes through, obtains Identity card data clear text.
2. The method according to claim 1, wherein:
the master control security chip performing secure processing on the identity card identification information to obtain the first packet comprises:
the master control security chip encrypting the identity card identification information with a first session key to obtain a first ciphertext, and signing the first ciphertext with a first private key of the identity card card-reading terminal to obtain a first signature value, the first packet comprising at least the first ciphertext and the first signature value;
the second packet comprises at least a second ciphertext and a second signature value, and the master control security chip performing security verification on the second packet and obtaining the first authentication factor after the security verification passes comprises:
the master control security chip verifying the second signature value with a public key of the cloud authentication platform and, after the signature verification passes, decrypting the second ciphertext with the first session key to obtain the first authentication factor;
the master control security chip performing secure processing on the first authentication data to obtain the third packet comprises:
the master control security chip encrypting the first authentication data with the first session key to obtain a third ciphertext, and signing the third ciphertext with the first private key of the identity card card-reading terminal to obtain a third signature value, the third packet comprising at least the third ciphertext and the third signature value;
the fourth packet comprises at least a fourth ciphertext and a fourth signature value, and the master control security chip performing security verification on the fourth packet and obtaining the second authentication factor acquisition request after the security verification passes comprises:
the master control security chip verifying the fourth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypting the fourth ciphertext with the first session key to obtain the second authentication factor acquisition request;
the master control security chip performing secure processing on the second authentication factor to obtain the fifth packet comprises:
the master control security chip encrypting the second authentication factor with the first session key to obtain a fifth ciphertext, and signing the fifth ciphertext with the first private key of the identity card card-reading terminal to obtain a fifth signature value, the fifth packet comprising at least the fifth ciphertext and the fifth signature value;
the sixth packet comprises at least a sixth ciphertext and a sixth signature value, and the master control security chip performing security verification on the sixth packet and obtaining the second authentication data after the security verification passes comprises:
the master control security chip verifying the sixth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypting the sixth ciphertext with the first session key to obtain the second authentication data;
the master control security chip performing secure processing on the identity card data ciphertext to obtain the seventh packet comprises:
the master control security chip encrypting the identity card data ciphertext with the first session key to obtain a seventh ciphertext, and signing the seventh ciphertext with the first private key of the identity card card-reading terminal to obtain a seventh signature value;
the eighth packet comprises at least an eighth ciphertext and an eighth signature value, and the master control security chip performing security verification on the eighth packet and obtaining the identity card data plaintext after the security verification passes comprises:
the master control security chip verifying the eighth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypting the eighth ciphertext with the first session key to obtain the identity card data plaintext.
3. The method according to claim 1 or 2, wherein, before the master control security chip performs secure processing on the identity card identification information to obtain the first packet, the method further comprises:
the master control security chip generating a first random number, signing the first random number and a first certificate of the identity card card-reading terminal with the first private key of the identity card card-reading terminal to obtain a ninth signature value, and sending a ninth packet to the communication interface, the ninth packet comprising at least the first random number, the first certificate of the identity card card-reading terminal and the ninth signature value, wherein the first certificate comprises at least a first public key of the identity card card-reading terminal;
the communication interface receiving the ninth packet and sending the ninth packet to the cloud authentication platform;
the communication interface receiving a tenth packet returned by the cloud authentication platform and sending the tenth packet to the master control security chip, the tenth packet comprising at least a tenth ciphertext and a tenth signature value;
the master control security chip receiving the tenth packet, verifying the tenth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypting the tenth ciphertext with the first private key of the identity card card-reading terminal to obtain the first random number and a second random number, the second random number being generated by the cloud authentication platform;
the master control security chip comparing the first random number it generated with the first random number obtained by decryption and, if the two match, generating the first session key from the first random number and the second random number.
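The per-packet envelope of claim 2 (encrypt under the session key, sign the ciphertext; verify the signature before decrypting) and the random-number check that closes claim 3, as an added Go example written for this page; it is not code from the patent or its assignee. The claims name no algorithms, so ECDSA P-256 for the private/public keys, AES-256-GCM under the first session key, SHA-256(r1 || r2) as the session-key derivation, and the nonce || body || tag ciphertext layout are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Packet models the "packet" of claim 2: at least a ciphertext and a signature value.
// The ciphertext layout (GCM nonce || body || tag) is this example's assumption.
type Packet struct {
	Ciphertext []byte
	Signature  []byte // ASN.1 ECDSA signature over SHA-256(Ciphertext)
}

// NewKeyPair creates one party's signing key pair (terminal or platform).
// ECDSA P-256 is assumed; the claims only speak of a private key and a public key.
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// DeriveSessionKey is the final step of claim 3: compare the first random number the chip
// generated with the one recovered by decryption; only on a match derive the first session
// key from both random numbers (SHA-256(r1 || r2) is an assumed KDF, not the patent's).
func DeriveSessionKey(generatedR1, decryptedR1, r2 []byte) ([]byte, error) {
	if len(generatedR1) == 0 || subtle.ConstantTimeCompare(generatedR1, decryptedR1) != 1 {
		return nil, errors.New("first random number mismatch: response is not a fresh reply")
	}
	h := sha256.New()
	h.Write(generatedR1)
	h.Write(r2)
	return h.Sum(nil), nil // 32 bytes, used as an AES-256 session key
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SecureProcess is the sender side of claim 2's "secure processing": encrypt the payload
// with the first session key, then sign the ciphertext with the sender's private key.
func SecureProcess(sessionKey []byte, senderPriv *ecdsa.PrivateKey, payload []byte) (*Packet, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, payload, nil) // nonce prefixed, tag appended
	digest := sha256.Sum256(ct)
	sig, err := ecdsa.SignASN1(rand.Reader, senderPriv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Packet{Ciphertext: ct, Signature: sig}, nil
}

// SecurityVerify is the receiver side of claim 2's "security verification": the signature
// value is checked with the peer's public key first; decryption happens only after it passes.
func SecurityVerify(sessionKey []byte, peerPub *ecdsa.PublicKey, pkt *Packet) ([]byte, error) {
	digest := sha256.Sum256(pkt.Ciphertext)
	if !ecdsa.VerifyASN1(peerPub, digest[:], pkt.Signature) {
		return nil, errors.New("signature verification failed: packet discarded before decryption")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(pkt.Ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than the GCM nonce")
	}
	nonce, body := pkt.Ciphertext[:gcm.NonceSize()], pkt.Ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil) // fails if the tag does not match
}

func main() {
	terminal, _ := NewKeyPair()
	platform, _ := NewKeyPair()
	r1 := []byte("constructed-terminal-random-r1") // stand-ins for claim 3's two random numbers
	r2 := []byte("constructed-platform-random-r2")
	key, _ := DeriveSessionKey(r1, r1, r2)
	// First packet, terminal -> platform: signed with the terminal key, checked with its public key.
	first, _ := SecureProcess(key, terminal, []byte("constructed identity card identification info"))
	idInfo, err := SecurityVerify(key, &terminal.PublicKey, first)
	fmt.Printf("platform recovered %q (err=%v)\n", idInfo, err)
	// The same packet checked against the platform's public key: rejected before any decryption.
	_, err = SecurityVerify(key, &platform.PublicKey, first)
	fmt.Println("wrong public key:", err)
}
```

The platform-to-terminal direction (second, fourth, sixth, eighth packets) uses the same two functions with the platform's private key on the sending side and the platform's public key in the chip's verification.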
4. The method according to claim 1 or 2, wherein, before the master control security chip performs secure processing on the identity card identification information to obtain the first packet, the method further comprises:
the master control security chip encrypting a first session key acquisition request with an authentication encryption key to obtain an eleventh ciphertext, signing the eleventh ciphertext with the first private key of the identity card card-reading terminal to obtain an eleventh signature value, and sending an eleventh packet to the communication interface, the eleventh packet comprising at least a first certificate and a second certificate of the identity card card-reading terminal, the eleventh ciphertext and the eleventh signature value, wherein the first certificate comprises at least a first public key of the identity card card-reading terminal and the second certificate comprises at least a second public key of the identity card card-reading terminal;
the communication interface receiving the eleventh packet and sending the eleventh packet to the cloud authentication platform;
the communication interface receiving a twelfth packet returned by the cloud authentication platform and sending the twelfth packet to the master control security chip, the twelfth packet comprising at least a twelfth ciphertext and a twelfth signature value;
the master control security chip receiving the twelfth packet, verifying the twelfth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypting the twelfth ciphertext with a second private key of the identity card card-reading terminal to obtain the first session key.
5. An identity card card-reading terminal, comprising:
a card reading interface, configured to receive identity card identification information sent by an identity card and send the identity card identification information to a master control security chip;
the master control security chip, configured to receive the identity card identification information, perform secure processing on the identity card identification information to obtain a first packet, and send the first packet to a communication interface;
the communication interface, configured to receive the first packet and send the first packet to a cloud authentication platform;
the communication interface, further configured to receive a second packet returned by the cloud authentication platform and send the second packet to the master control security chip;
the master control security chip, further configured to receive the second packet, perform security verification on the second packet, obtain a first authentication factor after the security verification passes, and send the first authentication factor to the card reading interface;
the card reading interface, further configured to receive the first authentication factor and send the first authentication factor to the identity card;
the card reading interface, further configured to receive first authentication data returned by the identity card and send the first authentication data to the master control security chip, the first authentication data being obtained by the identity card by processing the first authentication factor;
the master control security chip, further configured to receive the first authentication data, perform secure processing on the first authentication data to obtain a third packet, and send the third packet to the communication interface;
the communication interface, further configured to receive the third packet and send the third packet to the cloud authentication platform;
the communication interface, further configured to receive a fourth packet returned by the cloud authentication platform and send the fourth packet to the master control security chip;
the master control security chip, further configured to receive the fourth packet, perform security verification on the fourth packet, obtain a second authentication factor acquisition request after the security verification passes, and send the second authentication factor acquisition request to the card reading interface;
the card reading interface, further configured to receive the second authentication factor acquisition request and send the second authentication factor acquisition request to the identity card;
the card reading interface, further configured to receive a second authentication factor returned by the identity card and send the second authentication factor to the master control security chip;
the master control security chip, further configured to receive the second authentication factor, perform secure processing on the second authentication factor to obtain a fifth packet, and send the fifth packet to the communication interface;
the communication interface, further configured to receive the fifth packet and send the fifth packet to the cloud authentication platform;
the communication interface, further configured to receive a sixth packet returned by the cloud authentication platform and send the sixth packet to the master control security chip;
the master control security chip, further configured to receive the sixth packet, perform security verification on the sixth packet, obtain second authentication data after the security verification passes, and send the second authentication data to the card reading interface;
the card reading interface, further configured to receive the second authentication data and send the second authentication data to the identity card, the second authentication data being obtained by the cloud authentication platform by processing the second authentication factor;
the card reading interface, further configured to receive an identity card data ciphertext returned by the identity card and send the identity card data ciphertext to the master control security chip;
the master control security chip, further configured to perform secure processing on the identity card data ciphertext to obtain a seventh packet and send the seventh packet to the communication interface;
the communication interface, further configured to send the seventh packet to the cloud authentication platform;
the communication interface, further configured to receive an eighth packet returned by the cloud authentication platform and send the eighth packet to the master control security chip;
the master control security chip, further configured to receive the eighth packet, perform security verification on the eighth packet, and obtain the identity card data plaintext after the security verification passes.
6. The identity card card-reading terminal according to claim 5, wherein:
the master control security chip is specifically configured to encrypt the identity card identification information with a first session key to obtain a first ciphertext, and to sign the first ciphertext with a first private key of the identity card card-reading terminal to obtain a first signature value, the first packet comprising at least the first ciphertext and the first signature value;
the second packet comprises at least a second ciphertext and a second signature value;
the master control security chip is specifically configured to verify the second signature value with a public key of the cloud authentication platform and, after the signature verification passes, to decrypt the second ciphertext with the first session key to obtain the first authentication factor;
the master control security chip is specifically configured to encrypt the first authentication data with the first session key to obtain a third ciphertext, and to sign the third ciphertext with the first private key of the identity card card-reading terminal to obtain a third signature value, the third packet comprising at least the third ciphertext and the third signature value;
the fourth packet comprises at least a fourth ciphertext and a fourth signature value;
the master control security chip is specifically configured to verify the fourth signature value with the public key of the cloud authentication platform and, after the signature verification passes, to decrypt the fourth ciphertext with the first session key to obtain the second authentication factor acquisition request;
the master control security chip is specifically configured to encrypt the second authentication factor with the first session key to obtain a fifth ciphertext, and to sign the fifth ciphertext with the first private key of the identity card card-reading terminal to obtain a fifth signature value, the fifth packet comprising at least the fifth ciphertext and the fifth signature value;
the sixth packet comprises at least a sixth ciphertext and a sixth signature value;
the master control security chip is specifically configured to verify the sixth signature value with the public key of the cloud authentication platform and, after the signature verification passes, to decrypt the sixth ciphertext with the first session key to obtain the second authentication data;
the master control security chip is specifically configured to encrypt the identity card data ciphertext with the first session key to obtain a seventh ciphertext, and to sign the seventh ciphertext with the first private key of the identity card card-reading terminal to obtain a seventh signature value;
the eighth packet comprises at least an eighth ciphertext and an eighth signature value;
the master control security chip is specifically configured to verify the eighth signature value with the public key of the cloud authentication platform and, after the signature verification passes, to decrypt the eighth ciphertext with the first session key to obtain the identity card data plaintext.
7. The identity card card-reading terminal according to claim 5 or 6, wherein:
the master control security chip is further configured to generate a first random number, sign the first random number and a first certificate of the identity card card-reading terminal with the first private key of the identity card card-reading terminal to obtain a ninth signature value, and send a ninth packet to the communication interface, the ninth packet comprising at least the first random number, the first certificate of the identity card card-reading terminal and the ninth signature value, wherein the first certificate comprises at least a first public key of the identity card card-reading terminal;
the communication interface is further configured to receive the ninth packet and send the ninth packet to the cloud authentication platform;
the communication interface is further configured to receive a tenth packet returned by the cloud authentication platform and send the tenth packet to the master control security chip, the tenth packet comprising at least a tenth ciphertext and a tenth signature value;
the master control security chip is further configured to receive the tenth packet, verify the tenth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypt the tenth ciphertext with the first private key of the identity card card-reading terminal to obtain the first random number and a second random number, the second random number being generated by the cloud authentication platform;
the master control security chip is further configured to compare the first random number it generated with the first random number obtained by decryption and, if the two match, generate the first session key from the first random number and the second random number.
8. The identity card card-reading terminal according to claim 5 or 6, wherein:
the master control security chip is further configured to encrypt a first session key acquisition request with an authentication encryption key to obtain an eleventh ciphertext, sign the eleventh ciphertext with the first private key of the identity card card-reading terminal to obtain an eleventh signature value, and send an eleventh packet to the communication interface, the eleventh packet comprising at least a first certificate and a second certificate of the identity card card-reading terminal, the eleventh ciphertext and the eleventh signature value, wherein the first certificate comprises at least a first public key of the identity card card-reading terminal and the second certificate comprises at least a second public key of the identity card card-reading terminal;
the communication interface is further configured to receive the eleventh packet and send the eleventh packet to the cloud authentication platform;
the communication interface is further configured to receive a twelfth packet returned by the cloud authentication platform and send the twelfth packet to the master control security chip, the twelfth packet comprising at least a twelfth ciphertext and a twelfth signature value;
the master control security chip is further configured to receive the twelfth packet, verify the twelfth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypt the twelfth ciphertext with a second private key of the identity card card-reading terminal to obtain the first session key.
CN201610243357.1A 2016-04-18 2016-04-18 Identity card reading method and identity card card-reading terminal Active CN106027483B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610243357.1A CN106027483B (en) 2016-04-18 2016-04-18 Identity card reading method and identity card card-reading terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610243357.1A CN106027483B (en) 2016-04-18 2016-04-18 Identity card reading method and identity card card-reading terminal

Publications (2)

Publication Number Publication Date
CN106027483A (en) 2016-10-12
CN106027483B (en) 2019-02-19

Family

ID=57081444

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610243357.1A Active CN106027483B (en) 2016-04-18 2016-04-18 Identity card reading method and identity card card-reading terminal

Country Status (1)

Country Link
CN (1) CN106027483B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108471418A (en) * 2018-03-28 2018-08-31 湖南东方华龙信息科技有限公司 The data safe transmission method of terminal device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101599832A (en) * 2008-06-05 2009-12-09 北京思创银联科技有限公司 Identity authentication method and system for logging in to a network system
US20130222107A1 (en) * 2012-01-20 2013-08-29 Identive Group, Inc. Cloud Secure Channel Access Control
US8781530B2 (en) * 2008-12-16 2014-07-15 At&T Intellectual Property I, L.P. OTA file upload servers
CN104574599A (en) * 2014-12-30 2015-04-29 张泽 Authentication method and device, and intelligent door lock
CN104636777A (en) * 2015-01-15 2015-05-20 李明 Identity card information obtaining system
CN104994114A (en) * 2015-07-27 2015-10-21 尤磊 Identity authentication system and method based on electronic identification card

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
武传坤: ""身份证件的安全要求和可使用的密码学技术"", 《信息网络安全》 *

Also Published As

Publication number Publication date
CN106027483B (en) 2019-02-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20220425
Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094
Patentee after: TENDYRON Corp.
Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing
Patentee before: Li Ming