CN106027483B - Identity card reading method and identity card card-reading terminal - Google Patents
- Publication number: CN106027483B (application CN201610243357.1A)
- Authority: CN (China)
- Prior art keywords: card, data packet, identity card, ciphertext, master control
- Legal status: Active (an assumption by Google Patents, not a legal conclusion)
Classifications
- H04L63/08 — Network architectures or network communication protocols for network security, for authentication of entities
- G06F21/35 — User authentication involving external additional devices (e.g. dongles or smart cards) communicating wirelessly
- G06K17/00 — Arrangements for effecting co-operative working between equipment covered by two or more of main groups G06K1/00 - G06K15/00
- G06K7/10257 — Sensing record carriers by radiation with wavelengths larger than 0.1 mm (radio waves or microwaves), with arrangements for protecting the interrogation against piracy attacks
- H04L63/0823 — Authentication of entities using certificates
- H04L63/0876 — Authentication of entities based on the identity of the terminal or its configuration (e.g. MAC address, hardware or software configuration, device fingerprint)
- H04L67/10 — Protocols in which an application is distributed across nodes in the network
- H04L9/3247 — Cryptographic mechanisms for verifying identity, authority or message authentication, involving digital signatures
Abstract
The invention discloses an identity card reading method and an identity card card-reading terminal. In the reading method, the terminal receives identity card identification information sent by the identity card and forwards it to the cloud authentication platform; receives the first authentication factor generated by the cloud authentication platform and forwards it to the identity card; receives the first authentication data returned by the identity card and forwards it to the cloud authentication platform; receives the second authentication factor generated by the identity card and forwards it to the cloud authentication platform; and receives the second authentication data returned by the cloud authentication platform and forwards it to the identity card. The card reading interface then receives the identity card data ciphertext sent by the identity card, the master control security chip performs security processing on that ciphertext to obtain a seventh data packet, the communication interface sends the seventh data packet to the cloud authentication platform, and the communication interface receives the identity card data plaintext returned by the cloud authentication platform. The reading method provided by the invention reduces implementation cost and simplifies implementation.
Description
Technical field
The present invention relates to the field of identity cards, and in particular to an identity card reading method and an identity card card-reading terminal.
Background technique
In existing identity card information reading schemes, an identity card reader must be used together with a verification security control module in order to read and display the identity card information. Industries that need to read identity card information, such as banks and railway stations, usually have to deploy a large number of identity card readers and verification security control modules locally, and a correspondence between each reader and its verification security control module must also be configured. The scheme is therefore complex to implement and costly.
Summary of the invention
The present invention seeks to address at least the above problem.
The main purpose of the present invention is to provide an identity card reading method.
Another object of the present invention is to provide an identity card card-reading terminal.
To achieve the above objectives, the technical solution of the present invention is realized as follows.
One aspect of the present invention provides an identity card reading method, comprising the following steps, performed by the three components of the terminal (card reading interface, master control security chip and communication interface):
- the card reading interface receives the identity card identification information sent by the identity card and sends it to the master control security chip;
- the master control security chip receives the identification information, performs security processing on it to obtain a first data packet, and sends the first data packet to the communication interface;
- the communication interface receives the first data packet and sends it to the cloud authentication platform;
- the communication interface receives a second data packet returned by the cloud authentication platform and sends it to the master control security chip;
- the master control security chip receives the second data packet, performs security verification on it and, after the verification passes, obtains the first authentication factor and sends it to the card reading interface;
- the card reading interface receives the first authentication factor and sends it to the identity card;
- the card reading interface receives the first authentication data returned by the identity card (the result of the identity card processing the first authentication factor) and sends it to the master control security chip;
- the master control security chip receives the first authentication data, performs security processing on it to obtain a third data packet, and sends the third data packet to the communication interface;
- the communication interface receives the third data packet and sends it to the cloud authentication platform;
- the communication interface receives a fourth data packet returned by the cloud authentication platform and sends it to the master control security chip;
- the master control security chip receives the fourth data packet, performs security verification on it and, after the verification passes, obtains a second authentication factor acquisition request and sends it to the card reading interface;
- the card reading interface receives the second authentication factor acquisition request and sends it to the identity card;
- the card reading interface receives the second authentication factor returned by the identity card and sends it to the master control security chip;
- the master control security chip receives the second authentication factor, performs security processing on it to obtain a fifth data packet, and sends the fifth data packet to the communication interface;
- the communication interface receives the fifth data packet and sends it to the cloud authentication platform;
- the communication interface receives a sixth data packet returned by the cloud authentication platform and sends it to the master control security chip;
- the master control security chip receives the sixth data packet, performs security verification on it and, after the verification passes, obtains the second authentication data and sends it to the card reading interface;
- the card reading interface receives the second authentication data (the result of the cloud authentication platform processing the second authentication factor) and sends it to the identity card;
- the card reading interface receives the identity card data ciphertext returned by the identity card and sends it to the master control security chip;
- the master control security chip performs security processing on the identity card data ciphertext to obtain a seventh data packet and sends it to the communication interface;
- the communication interface sends the seventh data packet to the cloud authentication platform;
- the communication interface receives an eighth data packet returned by the cloud authentication platform and sends it to the master control security chip;
- the master control security chip receives the eighth data packet, performs security verification on it and, after the verification passes, obtains the identity card data plaintext.
Optionally, the security processing and security verification are performed as follows. Every outgoing packet is encrypted under the first session key and the ciphertext is then signed with the first private key of the terminal; every incoming packet is first signature-checked with the public key of the cloud authentication platform and only then decrypted with the first session key:
- the master control security chip encrypts the identity card identification information with the first session key to obtain a first ciphertext and signs the first ciphertext with the first private key of the terminal to obtain a first signature value; the first data packet includes at least the first ciphertext and the first signature value;
- the second data packet includes at least a second ciphertext and a second signature value; the master control security chip verifies the second signature value with the public key of the cloud authentication platform and, after the verification passes, decrypts the second ciphertext with the first session key to obtain the first authentication factor;
- the master control security chip encrypts the first authentication data with the first session key to obtain a third ciphertext and signs it with the first private key of the terminal to obtain a third signature value; the third data packet includes at least the third ciphertext and the third signature value;
- the fourth data packet includes at least a fourth ciphertext and a fourth signature value; the master control security chip verifies the fourth signature value with the public key of the cloud authentication platform and, after the verification passes, decrypts the fourth ciphertext with the first session key to obtain the second authentication factor acquisition request;
- the master control security chip encrypts the second authentication factor with the first session key to obtain a fifth ciphertext and signs it with the first private key of the terminal to obtain a fifth signature value; the fifth data packet includes at least the fifth ciphertext and the fifth signature value;
- the sixth data packet includes at least a sixth ciphertext and a sixth signature value; the master control security chip verifies the sixth signature value with the public key of the cloud authentication platform and, after the verification passes, decrypts the sixth ciphertext with the first session key to obtain the second authentication data;
- the master control security chip encrypts the identity card data ciphertext with the first session key to obtain a seventh ciphertext and signs it with the first private key of the terminal to obtain a seventh signature value;
- the eighth data packet includes at least an eighth ciphertext and an eighth signature value; the master control security chip verifies the eighth signature value with the public key of the cloud authentication platform and, after the verification passes, decrypts the eighth ciphertext with the first session key to obtain the identity card data plaintext.
Optionally, before the master control security chip performs security processing on the identity card identification information, the method further includes the following steps for establishing the first session key: the master control security chip generates a first random number, signs the first random number together with the first certificate of the terminal using the first private key of the terminal to obtain a ninth signature value, and sends a ninth data packet to the communication interface, the ninth data packet including at least the first random number, the first certificate of the terminal and the ninth signature value, where the first certificate includes at least the first public key of the terminal; the communication interface receives the ninth data packet and sends it to the cloud authentication platform; the communication interface receives a tenth data packet returned by the cloud authentication platform and sends it to the master control security chip, the tenth data packet including at least a tenth ciphertext and a tenth signature value; the master control security chip receives the tenth data packet, verifies the tenth signature value with the public key of the cloud authentication platform and, after the verification passes, decrypts the tenth ciphertext with the first private key of the terminal to obtain the first random number and a second random number, the second random number having been generated by the cloud authentication platform; the master control security chip compares the first random number it generated with the first random number obtained by decryption and, if they match, generates the first session key from the first random number and the second random number.
Optionally, before the master control security chip performs security processing on the identity card identification information, the method further includes the following alternative steps for obtaining the first session key: the master control security chip encrypts a first session key acquisition request with an authentication encryption key to obtain an eleventh ciphertext, signs the eleventh ciphertext with the first private key of the terminal to obtain an eleventh signature value, and sends an eleventh data packet to the communication interface, the eleventh data packet including at least the first certificate and the second certificate of the terminal, the eleventh ciphertext and the eleventh signature value, where the first certificate includes at least the first public key of the terminal and the second certificate includes at least the second public key of the terminal; the communication interface receives the eleventh data packet and sends it to the cloud authentication platform; the communication interface receives a twelfth data packet returned by the cloud authentication platform and sends it to the master control security chip, the twelfth data packet including at least a twelfth ciphertext and a twelfth signature value; the master control security chip receives the twelfth data packet, verifies the twelfth signature value with the public key of the cloud authentication platform and, after the verification passes, decrypts the twelfth ciphertext with the second private key of the terminal to obtain the first session key.
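The packet handling described above (encrypt under the first session key and sign the ciphertext; check the signature and only then decrypt) and the establishment of the first session key through the ninth and tenth data packets, simulated end to end in Python with both the terminal side and the cloud side present. This is an added example, not code from the patent or its applicant, and its primitives are stand-ins: HMAC-SHA256 keys replace the terminal's first private key and certificate, the cloud platform's key pair and the terminal's first public key (the patent does not name the algorithms); `toy_cipher` is an HMAC keystream XOR in place of the unnamed cipher; the identity card's replies, the platform logic in `cloud_handle` and the `card-enc:` card data ciphertext are constructed. Beyond the steps in the text, it shows the failure mode the verification step exists for: a packet altered in transit fails its signature check and is never decrypted.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed keys. HMAC stand-ins for the patent's asymmetric keys (see lead-in).
TERMINAL_SIG_KEY = b"stand-in: terminal first private key"  # terminal signs, cloud verifies
CLOUD_SIG_KEY = b"stand-in: cloud platform private key"     # cloud signs, terminal verifies
TERMINAL_KEK = b"stand-in: terminal first public key"       # cloud encrypts R1||R2 to the terminal
TERMINAL_CERT = b"constructed-first-certificate"
RN_LEN = 16

def derive_key(label: bytes, *parts: bytes) -> bytes:
    """Length-prefixed hash of the parts; used to build the first session key from R1 and R2."""
    h = hashlib.sha256(label)
    for p in parts:
        h.update(struct.pack(">I", len(p)) + p)
    return h.digest()

def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream. Toy stand-in; symmetric, so it also decrypts."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class SecureChannel:
    """Security processing (encrypt, then sign the ciphertext) and security
    verification (check the signature first, decrypt only if it passes)."""
    def __init__(self, session_key: bytes, my_sig_key: bytes, peer_sig_key: bytes):
        self.session_key, self.my_sig_key, self.peer_sig_key = session_key, my_sig_key, peer_sig_key

    def process(self, plaintext: bytes) -> tuple:
        nonce = secrets.token_bytes(12)
        ct = toy_cipher(self.session_key, nonce, plaintext)
        return nonce, ct, sign(self.my_sig_key, nonce + ct)        # (ciphertext, signature value)

    def verify_and_open(self, packet: tuple) -> bytes:
        nonce, ct, sig = packet
        if not verify(self.peer_sig_key, nonce + ct, sig):
            raise ValueError("signature check failed; packet dropped before decryption")
        return toy_cipher(self.session_key, nonce, ct)

# --- first session key via the ninth and tenth data packets ---
def terminal_hello() -> tuple:
    r1 = secrets.token_bytes(RN_LEN)                                # first random number
    return r1, (r1, TERMINAL_CERT, sign(TERMINAL_SIG_KEY, r1 + TERMINAL_CERT))

def cloud_reply(packet9: tuple) -> tuple:
    r1, cert, sig9 = packet9
    if not verify(TERMINAL_SIG_KEY, r1 + cert, sig9):
        raise ValueError("terminal signature invalid")
    r2 = secrets.token_bytes(RN_LEN)                                # second random number
    nonce = secrets.token_bytes(12)
    ct10 = toy_cipher(TERMINAL_KEK, nonce, r1 + r2)                 # only the terminal can open this
    return derive_key(b"session", r1, r2), (nonce, ct10, sign(CLOUD_SIG_KEY, nonce + ct10))

def terminal_finish(r1: bytes, packet10: tuple) -> bytes:
    nonce, ct10, sig10 = packet10
    if not verify(CLOUD_SIG_KEY, nonce + ct10, sig10):
        raise ValueError("cloud signature invalid")
    pt = toy_cipher(TERMINAL_KEK, nonce, ct10)
    r1_echo, r2 = pt[:RN_LEN], pt[RN_LEN:]
    if not hmac.compare_digest(r1, r1_echo):                        # reply must echo our own R1
        raise ValueError("first random number mismatch")
    return derive_key(b"session", r1, r2)

# --- packets 1 to 8 ---
def cloud_handle(step: int, payload: bytes) -> bytes:
    """Constructed stand-in for the platform's authentication logic."""
    if step == 1:
        return b"first-factor:" + hashlib.sha256(payload).digest()[:8]
    if step == 3:
        return b"request-second-factor"
    if step == 5:
        return b"second-auth-data:" + hashlib.sha256(payload).digest()[:8]
    return b"plaintext:" + payload[len(b"card-enc:"):]          # cloud-side module opens the card data

def round_trip(term, cloud, step, payload, tamper=False):
    """Odd-numbered packet out to the cloud, even-numbered packet back to the terminal."""
    reply = cloud_handle(step, cloud.verify_and_open(term.process(payload)))
    nonce, ct, sig = cloud.process(reply)
    if tamper:
        ct = bytes([ct[0] ^ 0x01]) + ct[1:]                         # one byte altered on the wire
    return term.verify_and_open((nonce, ct, sig))

def read_id_card(card_id_info: bytes, card_data_ciphertext: bytes, tamper_last=False) -> bytes:
    r1, p9 = terminal_hello()
    cloud_key, p10 = cloud_reply(p9)
    term = SecureChannel(terminal_finish(r1, p10), TERMINAL_SIG_KEY, CLOUD_SIG_KEY)
    cloud = SecureChannel(cloud_key, CLOUD_SIG_KEY, TERMINAL_SIG_KEY)
    first_factor = round_trip(term, cloud, 1, card_id_info)                    # packets 1, 2
    first_auth_data = hashlib.sha256(b"card-secret" + first_factor).digest()   # constructed card reply
    if round_trip(term, cloud, 3, first_auth_data) != b"request-second-factor":  # packets 3, 4
        raise ValueError("unexpected fourth packet")
    second_auth_data = round_trip(term, cloud, 5, secrets.token_bytes(8))      # packets 5, 6
    if not second_auth_data.startswith(b"second-auth-data:"):                  # forwarded to the card
        raise ValueError("unexpected sixth packet")
    return round_trip(term, cloud, 7, card_data_ciphertext, tamper_last)       # packets 7, 8

def tamper_is_detected() -> bool:
    try:
        read_id_card(b"ID-0001", b"card-enc:x", tamper_last=True)
    except ValueError:
        return True
    return False
```

`read_id_card()` runs packets 9 and 10 first and then packets 1 to 8; `tamper_is_detected()` repeats the run with one ciphertext byte of the eighth packet flipped, and the terminal rejects it at the signature check rather than at decryption, which is the order the patent's verify-then-decrypt steps prescribe.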
Another aspect of the present invention provides an identity card card-reading terminal comprising a card reading interface, a master control security chip and a communication interface, configured as follows.
The card reading interface is configured to: receive the identity card identification information sent by the identity card and send it to the master control security chip; receive the first authentication factor and send it to the identity card; receive the first authentication data returned by the identity card (the result of the identity card processing the first authentication factor) and send it to the master control security chip; receive the second authentication factor acquisition request and send it to the identity card; receive the second authentication factor returned by the identity card and send it to the master control security chip; receive the second authentication data (the result of the cloud authentication platform processing the second authentication factor) and send it to the identity card; and receive the identity card data ciphertext returned by the identity card and send it to the master control security chip.
The master control security chip is configured to: receive the identity card identification information, perform security processing on it to obtain a first data packet and send the first data packet to the communication interface; receive the second data packet, perform security verification on it and, after the verification passes, obtain the first authentication factor and send it to the card reading interface; receive the first authentication data, perform security processing on it to obtain a third data packet and send it to the communication interface; receive the fourth data packet, perform security verification on it and, after the verification passes, obtain the second authentication factor acquisition request and send it to the card reading interface; receive the second authentication factor, perform security processing on it to obtain a fifth data packet and send it to the communication interface; receive the sixth data packet, perform security verification on it and, after the verification passes, obtain the second authentication data and send it to the card reading interface; receive the identity card data ciphertext, perform security processing on it to obtain a seventh data packet and send it to the communication interface; and receive the eighth data packet, perform security verification on it and, after the verification passes, obtain the identity card data plaintext.
The communication interface is configured to: receive the first, third, fifth and seventh data packets from the master control security chip and send each of them to the cloud authentication platform; and receive the second, fourth, sixth and eighth data packets returned by the cloud authentication platform and send each of them to the master control security chip.
Optionally, the master control security chip is specifically configured to: encrypt the identity card identification information with the first session key to obtain a first ciphertext and sign the first ciphertext with the first private key of the terminal to obtain a first signature value, the first data packet including at least the first ciphertext and the first signature value; verify the second signature value of the second data packet (which includes at least a second ciphertext and a second signature value) with the public key of the cloud authentication platform and, after the verification passes, decrypt the second ciphertext with the first session key to obtain the first authentication factor; encrypt the first authentication data with the first session key to obtain a third ciphertext and sign it with the first private key of the terminal to obtain a third signature value, the third data packet including at least the third ciphertext and the third signature value; verify the fourth signature value of the fourth data packet (which includes at least a fourth ciphertext and a fourth signature value) with the public key of the cloud authentication platform and, after the verification passes, decrypt the fourth ciphertext with the first session key to obtain the second authentication factor acquisition request; encrypt the second authentication factor with the first session key to obtain a fifth ciphertext and sign it with the first private key of the terminal to obtain a fifth signature value, the fifth data packet including at least the fifth ciphertext and the fifth signature value; verify the sixth signature value of the sixth data packet (which includes at least a sixth ciphertext and a sixth signature value) with the public key of the cloud authentication platform and, after the verification passes, decrypt the sixth ciphertext with the first session key to obtain the second authentication data; encrypt the identity card data ciphertext with the first session key to obtain a seventh ciphertext and sign it with the first private key of the terminal to obtain a seventh signature value; and verify the eighth signature value of the eighth data packet (which includes at least an eighth ciphertext and an eighth signature value) with the public key of the cloud authentication platform and, after the verification passes, decrypt the eighth ciphertext with the first session key to obtain the identity card data plaintext.
Optionally, the master control security chip is further configured to generate a first random number, sign the first random number together with the first certificate of the terminal using the first private key of the terminal to obtain a ninth signature value, and send a ninth data packet to the communication interface, the ninth data packet including at least the first random number, the first certificate of the terminal and the ninth signature value, where the first certificate includes at least the first public key of the terminal; the communication interface is further configured to receive the ninth data packet and send it to the cloud authentication platform, and to receive a tenth data packet returned by the cloud authentication platform and send it to the master control security chip, the tenth data packet including at least a tenth ciphertext and a tenth signature value; the master control security chip is further configured to receive the tenth data packet, verify the tenth signature value with the public key of the cloud authentication platform and, after the verification passes, decrypt the tenth ciphertext with the first private key of the terminal to obtain the first random number and a second random number generated by the cloud authentication platform; and the master control security chip is further configured to compare the first random number it generated with the first random number obtained by decryption and, if they match, generate the first session key from the first random number and the second random number.
Optionally, the master control security chip is further configured to encrypt a first session key acquisition request with an authentication encryption key to obtain an eleventh ciphertext, sign the eleventh ciphertext with the first private key of the terminal to obtain an eleventh signature value, and send an eleventh data packet to the communication interface, the eleventh data packet including at least the first certificate and the second certificate of the terminal, the eleventh ciphertext and the eleventh signature value, where the first certificate includes at least the first public key of the terminal and the second certificate includes at least the second public key of the terminal; the communication interface is further configured to receive the eleventh data packet and send it to the cloud authentication platform, and to receive a twelfth data packet returned by the cloud authentication platform and send it to the master control security chip, the twelfth data packet including at least a twelfth ciphertext and a twelfth signature value; and the master control security chip is further configured to receive the twelfth data packet, verify the twelfth signature value with the public key of the cloud authentication platform and, after the verification passes, decrypt the twelfth ciphertext with the second private key of the terminal to obtain the first session key.
As can be seen from the technical solution above, the present invention provides an identity card reading method and an identity card card-reading terminal in which no verification security control module is provided in the terminal; instead, the module capable of decrypting the ciphertext data read from the identity card is provided in the cloud authentication platform, and the terminal reads the identity card by connecting to the cloud authentication platform. This greatly reduces the user's implementation cost: in industries such as banking, railway stations and insurance that must perform identity card information reading operations, only the required number of terminals need be deployed, with no need to deploy a large number of verification security control modules or to configure a correspondence between each module and a terminal, which simplifies implementation. Further, by performing security processing on the data sent to the cloud authentication platform and security verification on the data received from it, the security of the data transmitted between the terminal and the cloud authentication platform is ensured.
Detailed description of the invention
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of an identity card reading method provided by Embodiment 1 of the present invention;
Fig. 2 is a flow chart of one way of acquiring the first session key provided by Embodiment 1 of the present invention;
Fig. 3 is a flow chart of another way of acquiring the first session key provided by Embodiment 1 of the present invention;
Fig. 4 is a schematic structural diagram of an identity card card-reading terminal provided by Embodiment 2 of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
In the description of the present invention, it should be understood that the orientation or positional relationships indicated by terms such as "center", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientation or positional relationships shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they should therefore not be construed as limiting the invention. In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected to" and "connected" are to be understood broadly: for example, the connection may be a fixed connection, a detachable connection or an integral connection; it may be a mechanical connection or an electrical connection; it may be a direct connection, an indirect connection through an intermediate medium, or an internal connection between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific circumstances.
The embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Embodiment 1
Fig. 1 shows an identity card reading method provided in this embodiment. The method mainly includes the following steps (S101 to S108).
S101: the card reading interface receives identity card identification information sent by the identity card and sends it to the master control security chip; the master control security chip receives the identity card identification information, applies security processing to it to obtain a first data packet, and sends the first data packet to the communication interface; the communication interface receives the first data packet and sends it to the cloud authentication platform.
In this embodiment, the identity card identification information is information that the identity card card-reading terminal can recognize directly and that uniquely identifies the identity card, for example the identity card serial number; it is not specifically limited in this embodiment.
In this embodiment, the card reading interface can receive data sent by the identity card and send data to the identity card. It may be a radio frequency interface, for example a radio frequency antenna; any card reading interface capable of communicating with the identity card falls within the scope of protection of the present invention and is not specifically limited in this embodiment.
In this embodiment, the communication interface can receive data sent by the cloud authentication platform and send data to it. The communication interface may communicate with the cloud authentication platform directly over a wired or wireless network, in which case it may be a wireless communication interface (for example a WIFI communication interface) or a wired communication interface. It may also communicate with the cloud authentication platform through the wireless or wired network of a host computer (for example a mobile phone, a PAD (tablet computer) or a PC), in which case it may be a wireless communication interface able to communicate with the host computer (for example a Bluetooth interface or an NFC interface) or a wired communication interface (for example a USB interface). This is not specifically limited in this embodiment.
In this embodiment, the master control security chip performs operations such as security processing and security verification and is the core component of the identity card card-reading terminal. It may be a security chip certified by the State Cryptography Administration, or another control chip with the above functions; any chip that can realize the functions of the master control security chip of the present invention falls within the scope of protection of the present invention.
As an optional embodiment of the embodiment of the present invention, the master control security chip applies security processing to the identity card identification information to obtain the first data packet as follows: it encrypts the identity card identification information using the first session key to obtain a first ciphertext, and signs the first ciphertext using the first private key of the identity card card-reading terminal to obtain a first signature value. The first data packet includes at least the first ciphertext and the first signature value.
In this embodiment, the first session key is a key negotiated between the identity card card-reading terminal and the cloud authentication platform. The terminal uses it to encrypt the data sent to the cloud authentication platform and to decrypt the data received from it. Once the master control security chip of the terminal has encrypted data with the first session key, only a cloud authentication platform holding the same first session key can decrypt it, so no device other than the cloud authentication platform can recover the data the terminal sends; this guarantees the security of the data transmitted from the terminal to the platform. Likewise, only the master control security chip of a terminal holding the first session key can decrypt the encrypted data received from the cloud authentication platform, so no device other than the terminal can recover the data the platform sends; this guarantees the security of the data transmitted from the platform to the terminal.
In this embodiment, after the master control security chip encrypts the identity card identification information with the first session key to obtain the first ciphertext, only a cloud authentication platform holding the same first session key can decrypt the first ciphertext. This prevents any device other than the cloud authentication platform from decrypting the first ciphertext to obtain the identity card identification information, and guarantees the security of the identity card identification information the terminal sends to the platform.
In this embodiment, the master control security chip signs the first ciphertext with the first private key of the identity card card-reading terminal as follows: it computes a digest of the first ciphertext with a hash algorithm, and encrypts that digest with the first private key of the identity card card-reading terminal to obtain the first signature value. Because only the identity card card-reading terminal holds the first private key, the cloud authentication platform can confirm the identity of the device that sent the first signature value: if the platform can decrypt the first signature value with the terminal's first public key, which corresponds to the first private key, the received first signature value was issued by the terminal; if it cannot, the received first signature value was not issued by the terminal. Having determined that the first signature value was sent by the terminal, the cloud authentication platform then computes the digest of the received first ciphertext. If the first ciphertext was tampered with in transit, the digest the platform computes will differ from the digest recovered by decrypting the first signature value, so by comparing the two digests the platform can guarantee the integrity of the received first ciphertext. It should be noted that the signing process is described once here in this embodiment; where signing is referred to below, the process is not repeated.
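The encrypt-then-sign construction of step S101 and the verify-then-decrypt check described above, as an added Python example (not code from the patent). The page names no algorithms, so two stand-ins are assumed: textbook RSA over demo-sized keys generated at run time for the terminal's first key pair, and an HMAC-SHA256 counter-mode keystream for the session-key cipher; all identifiers and key values are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # nonce prefixed to the ciphertext so the signature covers it too


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test, used only to build the demo-sized RSA key pair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Assumed stand-in for the terminal's first key pair: textbook RSA,
    demo-sized. Returns (public_key=(n, e), private_key=(n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(session_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream: assumed stand-in for the session-key cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(session_key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_with_session_key(session_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(session_key, nonce, plaintext)


def decrypt_with_session_key(session_key: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(session_key, ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])


def sign(private_key, ciphertext: bytes) -> int:
    """As the page describes signing: hash the ciphertext, apply the private key.
    Raw RSA on a digest is illustrative only; deployed systems use a padded scheme."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(ciphertext).digest(), "big")
    return pow(digest, d, n)


def verify(public_key, ciphertext: bytes, signature: int) -> bool:
    """Recover the digest with the public key and compare it with a fresh hash of
    the received ciphertext: a forged key or a tampered ciphertext breaks the match."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(ciphertext).digest(), "big")


def build_first_packet(session_key: bytes, terminal_private_key, id_card_identifier: bytes) -> dict:
    """Master control security chip, step S101: encrypt, then sign the ciphertext."""
    first_ciphertext = encrypt_with_session_key(session_key, id_card_identifier)
    return {"first_ciphertext": first_ciphertext,
            "first_signature_value": sign(terminal_private_key, first_ciphertext)}


def open_first_packet(session_key: bytes, terminal_public_key, packet: dict):
    """Cloud authentication platform: verify the signature first and decrypt only
    after it passes. Returns the identification information, or None on failure."""
    if not verify(terminal_public_key, packet["first_ciphertext"], packet["first_signature_value"]):
        return None
    return decrypt_with_session_key(session_key, packet["first_ciphertext"])
```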
S102: the communication interface receives a second data packet returned by the cloud authentication platform and sends it to the master control security chip; the master control security chip receives the second data packet, applies security verification to it and, after the verification passes, obtains a first authentication factor, which it sends to the card reading interface; the card reading interface receives the first authentication factor and sends it to the identity card.
In this embodiment, after the cloud authentication platform receives the first data packet sent by the communication interface, it applies security verification to the first data packet and, after the verification passes, obtains the identity card identification information. Specifically, the cloud authentication platform can verify the first signature value using the first public key of the identity card card-reading terminal and, after the verification passes, decrypt the first ciphertext using the first session key to obtain the identity card identification information. The cloud authentication platform can then look up the security key matched to the identity card according to the identity card identification information.
Before the identity card data ciphertext is read, the identity card card-reading terminal mediates a two-way authentication between the identity card and the cloud authentication platform, ensuring that both the identity card and the cloud authentication platform are legitimate.
In this embodiment, the first authentication factor is generated by the cloud authentication platform and sent to the identity card; the platform uses it to authenticate the legitimacy of the identity card. The first authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters; it is not specifically limited in this embodiment.
As an optional embodiment of the embodiment of the present invention, the second data packet includes at least a second ciphertext and a second signature value. The master control security chip applies security verification to the second data packet and, after it passes, obtains the first authentication factor as follows: it verifies the second signature value using the public key of the cloud authentication platform and, after the verification passes, decrypts the second ciphertext using the first session key to obtain the first authentication factor.
In this embodiment, the master control security chip verifies the second signature value with the public key of the cloud authentication platform as follows: it decrypts the second signature value using the platform's public key to obtain the digest of the second ciphertext, computes the digest of the received second ciphertext with a hash algorithm, and compares the decrypted digest with the computed one; if they are identical, the verification of the second signature value passes. The signature verification process is described once here in this embodiment; where verification is referred to below, the process is not repeated. Because the master control security chip verifies with the public key of the cloud authentication platform, it can confirm the identity of the device that sent the second signature value: if the chip can decrypt the second signature value with the platform's public key, the received second signature value was issued by the platform; if it cannot, the received second signature value was not issued by the platform. Having determined that the second signature value was sent by the platform, the master control security chip then computes the digest of the second ciphertext. If the second ciphertext was tampered with in transit, the digest the chip computes will differ from the digest recovered by decryption, so by comparing the two digests the chip can guarantee the integrity of the received second ciphertext. After confirming that the second signature value was sent by the cloud authentication platform and that the second ciphertext was not tampered with in transit, that is, after the verification passes, the chip decrypts the second ciphertext with the first session key held only by the identity card card-reading terminal and the cloud authentication platform to obtain the first authentication factor. This prevents any device other than the terminal from decrypting the second ciphertext to obtain the first authentication factor, and guarantees the security of the first authentication factor.
S103: the card reading interface receives first authentication data returned by the identity card and sends it to the master control security chip, the first authentication data being the result of the identity card processing the first authentication factor; the master control security chip receives the first authentication data, applies security processing to it to obtain a third data packet, and sends the third data packet to the communication interface; the communication interface receives the third data packet and sends it to the cloud authentication platform.
In this embodiment, the identity card may process the first authentication factor to obtain the first authentication data as follows: it computes a MAC (Message Authentication Code) over the first authentication factor using the security key and uses the resulting MAC value as the first authentication data. The identity card may also encrypt the first authentication factor using the security key to obtain the first authentication data. The security key is preset in a legitimate identity card, and only a legitimate identity card holds it. Of course, the identity card may also process the first authentication factor in other ways prescribed by the Ministry of Public Security to obtain the first authentication data; this is not specifically limited in this embodiment.
As an optional embodiment of the embodiment of the present invention, the master control security chip applies security processing to the first authentication data to obtain the third data packet as follows: it encrypts the first authentication data using the first session key to obtain a third ciphertext, and signs the third ciphertext using the first private key of the identity card card-reading terminal to obtain a third signature value. The third data packet includes at least the third ciphertext and the third signature value.
In this embodiment, after the master control security chip encrypts the first authentication data with the first session key to obtain the third ciphertext, only a cloud authentication platform holding the same first session key can decrypt the third ciphertext. This prevents any device other than the cloud authentication platform from decrypting the third ciphertext to obtain the first authentication data, and guarantees the security of the first authentication data the terminal sends to the platform.
In this embodiment, the master control security chip signs the third ciphertext with the first private key held only by the identity card card-reading terminal. If the cloud authentication platform can decrypt the third signature value with the terminal's first public key, which corresponds to the first private key, the received third signature value was issued by the terminal; if it cannot, the received third signature value was not issued by the terminal. The cloud authentication platform can thus confirm the identity of the device that sent the third signature value. Having determined that the third signature value was sent by the terminal, the platform then computes the digest of the third ciphertext. If the third ciphertext was tampered with in transit, the digest the platform computes will differ from the digest recovered by decryption, so by comparing the two digests the platform can guarantee the integrity of the received third ciphertext.
S104: the communication interface receives a fourth data packet returned by the cloud authentication platform and sends it to the master control security chip; the master control security chip receives the fourth data packet, applies security verification to it and, after the verification passes, obtains a second authentication factor acquisition request, which it sends to the card reading interface; the card reading interface receives the second authentication factor acquisition request and sends it to the identity card.
In this embodiment, after the cloud authentication platform receives the third data packet, it applies security verification to the third data packet and, after the verification passes, obtains the first authentication data. Specifically, the cloud authentication platform verifies the third signature value using the first public key of the identity card card-reading terminal and, after the verification passes, decrypts the third ciphertext using the first session key to obtain the first authentication data, which it then verifies.
In this embodiment, if the first authentication data is a MAC computed by the identity card over the first authentication factor with the security key, the cloud authentication platform may verify the first authentication data as follows: it computes authentication data over the first authentication factor using the same MAC algorithm as the identity card and compares the result with the received first authentication data; if they are identical, the first authentication data is verified.
In this embodiment, if the first authentication data was obtained by the identity card encrypting the first authentication factor with the security key, the cloud authentication platform may verify the first authentication data in either of two optional ways:
Mode one: the cloud authentication platform decrypts the received first authentication data using the security key matched to the identity card, which it looked up according to the identity card identification information, obtains an authentication factor, and compares it with the first authentication factor it generated itself; if they are identical, the first authentication data is verified.
Mode two: the cloud authentication platform encrypts the first authentication factor it generated itself using the security key matched to the identity card, which it looked up according to the identity card identification information, to obtain authentication data, and compares it with the received first authentication data; if they are identical, the first authentication data is verified.
Of course, the cloud authentication platform may also verify the first authentication data in other ways prescribed by the Ministry of Public Security; this is not specifically limited in this embodiment. By verifying the first authentication data, the cloud authentication platform verifies the legitimacy of the identity card. If the first authentication data is verified, the identity card is legitimate and the fourth data packet is generated; if it is not verified, the identity card is illegitimate, and the cloud authentication platform can terminate the identity card reading process and send prompt information to the identity card card-reading terminal.
In this embodiment, after the cloud authentication platform has verified the first authentication data, that is, after the identity card has passed the platform's authentication, the platform requests the identity card to generate a second authentication factor so that the identity card can in turn authenticate the cloud authentication platform.
As an optional embodiment of the embodiment of the present invention, the fourth data packet includes at least a fourth ciphertext and a fourth signature value. The master control security chip applies security verification to the fourth data packet and, after it passes, obtains the second authentication factor acquisition request as follows: it verifies the fourth signature value using the public key of the cloud authentication platform and, after the verification passes, decrypts the fourth ciphertext using the first session key to obtain the second authentication factor acquisition request.
The master control security chip verifies with the public key of the cloud authentication platform: if it can decrypt the fourth signature value with the platform's public key, the received fourth signature value was issued by the platform; if it cannot, the received fourth signature value was not issued by the platform. The chip can thus confirm the identity of the device that sent the fourth signature value. Having determined that the fourth signature value was sent by the platform, the chip then computes the digest of the fourth ciphertext. If the fourth ciphertext was tampered with in transit, the digest the chip computes will differ from the digest recovered by decryption, so by comparing the two digests the chip can guarantee the integrity of the received fourth ciphertext. After confirming that the fourth signature value was sent by the cloud authentication platform and that the fourth ciphertext was not tampered with in transit, that is, after the verification passes, the chip decrypts the fourth ciphertext with the first session key held only by the identity card card-reading terminal and the cloud authentication platform to obtain the second authentication factor acquisition request. This prevents any device other than the terminal from decrypting the fourth ciphertext to obtain the request, and guarantees the security of the second authentication factor acquisition request.
S105: the card reading interface receives a second authentication factor returned by the identity card and sends it to the master control security chip; the master control security chip receives the second authentication factor, applies security processing to it to obtain a fifth data packet, and sends the fifth data packet to the communication interface; the communication interface receives the fifth data packet and sends it to the cloud authentication platform.
In this embodiment, the second authentication factor is generated by the identity card and sent to the cloud authentication platform; the identity card uses it to authenticate the legitimacy of the cloud authentication platform. The second authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters; it is not specifically limited in this embodiment.
As an optional embodiment of the embodiment of the present invention, the master control security chip applies security processing to the second authentication factor to obtain the fifth data packet as follows: it encrypts the second authentication factor using the first session key to obtain a fifth ciphertext, and signs the fifth ciphertext using the first private key of the identity card card-reading terminal to obtain a fifth signature value. The fifth data packet includes at least the fifth ciphertext and the fifth signature value.
In this embodiment, after the master control security chip encrypts the second authentication factor with the first session key to obtain the fifth ciphertext, only a cloud authentication platform holding the same first session key can decrypt the fifth ciphertext. This prevents any device other than the cloud authentication platform from decrypting the fifth ciphertext to obtain the second authentication factor, and guarantees the security of the second authentication factor the terminal sends to the platform.
In this embodiment, the master control security chip signs the fifth ciphertext with the first private key held only by the identity card card-reading terminal. If the cloud authentication platform can decrypt the fifth signature value with the terminal's first public key, which corresponds to the first private key, the received fifth signature value was issued by the terminal; if it cannot, the received data was not issued by the terminal. The cloud authentication platform can thus confirm the identity of the device that sent the fifth signature value. Having determined that the fifth signature value was sent by the terminal, the platform then computes the digest of the fifth ciphertext. If the fifth ciphertext was tampered with in transit, the digest the platform computes will differ from the digest recovered by decryption, so by comparing the two digests the platform can guarantee the integrity of the received fifth ciphertext.
S106: the communication interface receives a sixth data packet returned by the cloud authentication platform and sends it to the master control security chip; the master control security chip receives the sixth data packet, applies security verification to it and, after the verification passes, obtains second authentication data, which it sends to the card reading interface; the card reading interface receives the second authentication data and sends it to the identity card, the second authentication data being the result of the cloud authentication platform processing the second authentication factor.
In the present embodiment, after the cloud authentication platform receives the fifth data packet, it performs safety verification on the fifth data packet and, after the safety verification passes, obtains the second authentication factor. Specifically, the cloud authentication platform can verify the fifth signature value with the first public key of the identity card card-reading terminal and, after the signature verification passes, decrypt the fifth ciphertext with the first session key to obtain the second authentication factor, then process the second authentication factor to obtain the second authentication data. The specific way in which the cloud authentication platform processes the second authentication factor to obtain the second authentication data can be as follows: the cloud authentication platform computes a security key from preset information, uses the security key to compute a MAC over the second authentication factor, and takes the resulting MAC value as the second authentication data. The cloud authentication platform can also encrypt the second authentication factor with the security key that matches the identity card to obtain the second authentication data. Of course, the cloud authentication platform can also process the second authentication factor in other ways prescribed by the Ministry of Public Security to obtain the second authentication data; this is not specifically limited in the present embodiment.
As an optional embodiment of the embodiment of the present invention, the sixth data packet includes at least the sixth ciphertext and the sixth signature value; the master control safety chip performing safety verification on the sixth data packet and obtaining the second authentication data after the safety verification passes comprises: the master control safety chip verifies the sixth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the sixth ciphertext with the first session key to obtain the second authentication data.
The master control safety chip performs the signature verification with the public key of the cloud authentication platform. If the master control safety chip can decrypt the sixth signature value with the public key of the cloud authentication platform, the received sixth signature value was issued by the cloud authentication platform; if it cannot, the received sixth signature value was not issued by the cloud authentication platform. The master control safety chip can therefore confirm the identity of the device that sent the sixth signature value from that signature value. Once it has determined that the sixth signature value was sent by the cloud authentication platform, the master control safety chip computes the digest of the sixth ciphertext. If the sixth ciphertext was tampered with in transit, the digest the master control safety chip computes over the received sixth ciphertext changes as well, so by comparing the digest it computed with the digest of the sixth ciphertext recovered by decrypting the signature value, the master control safety chip can guarantee the integrity of the received sixth ciphertext. Having confirmed that the sixth signature value was sent by the cloud authentication platform and that the sixth ciphertext was not tampered with in transit, that is, after the signature verification passes, the master control safety chip decrypts the sixth ciphertext with the first session key, which only the identity card card-reading terminal and the cloud authentication platform hold, to obtain the second authentication data. This prevents any device other than the identity card card-reading terminal from decrypting the sixth ciphertext to obtain the second authentication data, and guarantees the security of the second authentication data.
S107: the card reading interface receives the identity card data ciphertext returned by the identity card and sends the identity card data ciphertext to the master control safety chip; the master control safety chip performs safe handling on the identity card data ciphertext to obtain the seventh data packet and sends the seventh data packet to the communication interface; the communication interface sends the seventh data packet to the cloud authentication platform;
In the present embodiment, after the identity card receives the second authentication data, it verifies the second authentication data and, after the verification passes, sends the identity card data ciphertext to the identity card card-reading terminal. The identity card data ciphertext refers to the identity card data stored in ciphertext form in the identity card, such as the identification card number, name, gender, address and photo; the corresponding identity card data plaintext can only be obtained after the identity card data ciphertext is decrypted by an identity card safety control module authorized by the Ministry of Public Security.
In the present embodiment, if the second authentication data was obtained by the cloud authentication platform computing a MAC over the second authentication factor with the security key, the identity card can verify the second authentication data as follows: the identity card computes authentication data over the second authentication factor with the same MAC algorithm as the cloud authentication platform and compares the computed authentication data with the received second authentication data; if they are identical, the second authentication data passes verification.
In the present embodiment, if the second authentication data was obtained by the cloud authentication platform encrypting the second authentication factor with the security key, two optional ways in which the identity card verifies the second authentication data are as follows:
Mode one: the identity card decrypts the received second authentication data with the security key to obtain an authentication factor, and compares the decrypted authentication factor with the second authentication factor it generated itself; if they are identical, the second authentication data passes verification.
Mode two: the identity card encrypts the second authentication factor it generated itself with the security key to obtain authentication data, and compares the encrypted authentication data with the received second authentication data; if they are identical, the second authentication data passes verification.
Of course, the identity card can also verify the second authentication data in other ways prescribed by the Ministry of Public Security; this is not specifically limited in the present embodiment. By verifying the second authentication data, the identity card verifies the legitimacy of the cloud authentication platform. If the second authentication data passes verification, the cloud authentication platform is legitimate and the identity card returns the identity card data ciphertext; if the second authentication data fails verification, the cloud authentication platform is illegitimate, and the identity card reading flow can be terminated at this point.
As an optional embodiment of the embodiment of the present invention, the master control safety chip performing safe handling on the identity card data ciphertext to obtain the seventh data packet comprises: the master control safety chip encrypts the identity card data ciphertext with the first session key to obtain the seventh ciphertext, and signs the seventh ciphertext with the first private key of the identity card card-reading terminal to obtain the seventh signature value.
In the present embodiment, after the master control safety chip encrypts the identity card data ciphertext with the first session key to obtain the seventh ciphertext, only the cloud authentication platform, which holds the same first session key, can decrypt the seventh ciphertext. This prevents any device other than the cloud authentication platform from decrypting the seventh ciphertext to obtain the identity card data ciphertext, and guarantees the security of the identity card data ciphertext that the identity card card-reading terminal sends to the cloud authentication platform.
In the present embodiment, the master control safety chip signs the seventh ciphertext with the first private key, which only the identity card card-reading terminal holds. If the cloud authentication platform can decrypt the seventh signature value with the first public key of the identity card card-reading terminal, the key corresponding to the first private key, the received seventh signature value was issued by the identity card card-reading terminal; if it cannot, the received seventh signature value was not issued by the identity card card-reading terminal. The cloud authentication platform can therefore confirm the identity of the device that sent the seventh signature value from that signature value. Once it has determined that the seventh signature value was sent by the identity card card-reading terminal, the cloud authentication platform computes the digest of the seventh ciphertext. If the seventh ciphertext was tampered with in transit, the digest the cloud authentication platform computes over the received seventh ciphertext changes as well, so by comparing the digest it computed with the digest of the seventh ciphertext recovered by decrypting the signature value, the cloud authentication platform can guarantee the integrity of the received seventh ciphertext.
S108: the communication interface receives the eighth data packet returned by the cloud authentication platform and sends the eighth data packet to the master control safety chip; the master control safety chip receives the eighth data packet, performs safety verification on the eighth data packet and, after the safety verification passes, obtains the identity card data plaintext.
In the present embodiment, after the cloud authentication platform receives the seventh data packet, it performs safety verification on the seventh data packet and, after the safety verification passes, obtains the identity card data ciphertext. Specifically, the cloud authentication platform verifies the seventh signature value with the first public key of the identity card card-reading terminal and, after the signature verification passes, decrypts the seventh ciphertext with the first session key to obtain the identity card data ciphertext, then decrypts the identity card data ciphertext with the identity card safety control module authorized by the Ministry of Public Security to obtain the identity card data plaintext. The cloud authentication platform performs safe handling on the identity card data plaintext to obtain the eighth data packet.
As an optional embodiment of the embodiment of the present invention, the eighth data packet includes at least the eighth ciphertext and the eighth signature value; the master control safety chip performing safety verification on the eighth data packet and obtaining the identity card data plaintext after the safety verification passes comprises: the master control safety chip verifies the eighth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the eighth ciphertext with the first session key to obtain the identity card data plaintext.
The master control safety chip performs the signature verification with the public key of the cloud authentication platform. If the master control safety chip can decrypt the eighth signature value with the public key of the cloud authentication platform, the received eighth signature value was issued by the cloud authentication platform; if it cannot, the received eighth signature value was not issued by the cloud authentication platform. The master control safety chip can therefore confirm the identity of the device that sent the eighth signature value from that signature value. Once it has determined that the eighth signature value was sent by the cloud authentication platform, the master control safety chip computes the digest of the eighth ciphertext. If the eighth ciphertext was tampered with in transit, the digest the master control safety chip computes over the received eighth ciphertext changes as well, so by comparing the digest it computed with the digest of the eighth ciphertext recovered by decrypting the signature value, the master control safety chip can guarantee the integrity of the received eighth ciphertext. Having confirmed that the eighth signature value was sent by the cloud authentication platform and that the eighth ciphertext was not tampered with in transit, that is, after the signature verification passes, the master control safety chip decrypts the eighth ciphertext with the first session key, which only the identity card card-reading terminal and the cloud authentication platform hold, to obtain the identity card data plaintext. This prevents any device other than the identity card card-reading terminal from decrypting the eighth ciphertext to obtain the identity card data plaintext, and guarantees the security of the identity card data plaintext.
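The safe handling and safety verification applied to the fifth through eighth data packets follow one pattern: encrypt under the first session key, sign the ciphertext, and on receipt check the signature before decrypting. The following is an added example in Go and not the patent's code; it assumes AES-256-GCM for the session-key encryption and RSA-PSS over SHA-256 for the signature values, neither of which the text names.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet is the shape shared by the 5th to 8th data packets: a ciphertext under the
// first session key and the sender's signature value over that ciphertext.
type Packet struct{ Ciphertext, Signature []byte }

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap is the sender's "safe handling": encrypt the payload with the first session key
// (AES-256-GCM, an assumption), then sign the ciphertext with the sender's private key.
func Wrap(sessionKey []byte, signer *rsa.PrivateKey, payload []byte) (Packet, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, err
	}
	ct := aead.Seal(nonce, nonce, payload, nil) // the nonce is prefixed to the ciphertext
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, signer, crypto.SHA256, digest[:], nil)
	return Packet{Ciphertext: ct, Signature: sig}, err
}

// Unwrap is the receiver's "safety verification": confirm the sender by checking the
// signature value with the peer's public key (this compares the digest of the received
// ciphertext with the signed digest), and only then decrypt with the first session key.
func Unwrap(sessionKey []byte, peer *rsa.PublicKey, p Packet) ([]byte, error) {
	digest := sha256.Sum256(p.Ciphertext)
	if err := rsa.VerifyPSS(peer, crypto.SHA256, digest[:], p.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender not confirmed or ciphertext modified: %w", err)
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(p.Ciphertext) < n {
		return nil, errors.New("ciphertext shorter than the nonce")
	}
	pt, err := aead.Open(nil, p.Ciphertext[:n], p.Ciphertext[n:], nil)
	if err != nil {
		return nil, errors.New("decryption failed: session key does not match")
	}
	return pt, nil
}
```

A packet signed by the wrong party, modified in transit, or received by a device without the session key is rejected at the corresponding step, which is the behaviour the page describes for the master control safety chip and the cloud authentication platform.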
The identity card card-reading terminal provided in this embodiment is not provided with a verification safety control module; instead, an identity card safety control module capable of decrypting the ciphertext data read from the identity card is set up in the cloud authentication platform, and any user can access the cloud authentication platform over a wired or wireless network to read identity cards. This greatly reduces the user's implementation cost, especially for industries that need to perform ID card information reading operations, such as banks, stations and insurance: they only need to deploy the corresponding number of identity card card-reading terminals, without deploying a large number of verification safety control modules and without configuring a large number of correspondences between verification safety control modules and identity card card-reading terminals, which simplifies implementation. Further, by performing safe handling on the data sent to the cloud authentication platform and safety verification on the data received from the cloud authentication platform, the security of the data transmitted between the identity card card-reading terminal and the cloud authentication platform is ensured.
As an optional embodiment of the present embodiment, as shown in Fig. 2, before the master control safety chip performs safe handling on the identity card identification information to obtain the first data packet, the method further includes the following steps (S201-S204) for obtaining the first session key:
S201: the master control safety chip generates a first random number, signs the first random number and the First Certificate of the identity card card-reading terminal with the first private key of the identity card card-reading terminal to obtain the ninth signature value, and sends the ninth data packet to the communication interface, where the ninth data packet includes at least the first random number, the First Certificate of the identity card card-reading terminal and the ninth signature value, and the First Certificate includes at least the first public key of the identity card card-reading terminal; the communication interface receives the ninth data packet and sends the ninth data packet to the cloud authentication platform;
In the present embodiment, the First Certificate of the identity card card-reading terminal is issued by a third-party certificate authority (digital certificate authentication center). In addition to the first public key of the identity card card-reading terminal, the First Certificate of the identity card card-reading terminal also includes the digital signature and the name of the certificate authority, among other fields.
In the present embodiment, the master control safety chip signs the first random number and the First Certificate of the identity card card-reading terminal with the first private key, which only the identity card card-reading terminal holds. If the cloud authentication platform can decrypt the ninth signature value with the first public key of the identity card card-reading terminal, the key corresponding to the first private key, the received ninth signature value was issued by the identity card card-reading terminal; if it cannot, the received ninth signature value was not issued by the identity card card-reading terminal. The cloud authentication platform can therefore confirm the identity of the device that sent the ninth signature value from that signature value. Once it has determined that the ninth signature value was sent by the identity card card-reading terminal, the cloud authentication platform computes the digest of the first random number and the First Certificate of the identity card card-reading terminal. If the first random number or the First Certificate was tampered with in transit, the digest the cloud authentication platform computes over the received first random number and First Certificate changes as well, so by comparing the digest it computed with the digest of the first random number and First Certificate recovered by decrypting the signature value, the cloud authentication platform can guarantee the integrity of the received first random number and First Certificate of the identity card card-reading terminal.
S202: the communication interface receives the tenth data packet returned by the cloud authentication platform and sends the tenth data packet to the master control safety chip, where the tenth data packet includes at least the tenth ciphertext and the tenth signature value;
In the present embodiment, after the cloud authentication platform receives the ninth data packet, it verifies the First Certificate of the identity card card-reading terminal against the root certificate; if the verification passes, the First Certificate of the identity card card-reading terminal is legitimate. After the First Certificate of the identity card card-reading terminal passes verification, the cloud authentication platform verifies the ninth signature value with the first public key contained in the First Certificate and, after the signature verification passes, obtains the first random number and generates a second random number; the cloud authentication platform can generate the first session key from the first random number and the second random number. The cloud authentication platform encrypts the first random number and the second random number with the first public key of the identity card card-reading terminal to obtain the tenth ciphertext, and signs the tenth ciphertext with the private key of the cloud authentication platform to obtain the tenth signature value.
S203: the master control safety chip receives the tenth data packet, verifies the tenth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the tenth ciphertext with the first private key of the identity card card-reading terminal to obtain the first random number and the second random number, the second random number having been generated by the cloud authentication platform;
In the present embodiment, the identity card card-reading terminal can obtain the public key of the cloud authentication platform from a pre-stored certificate of the cloud authentication platform; it can also send a request to the cloud authentication platform asking it to send the public key of the cloud authentication platform to the identity card card-reading terminal. The master control safety chip performs the signature verification with the public key of the cloud authentication platform. If the master control safety chip can decrypt the tenth signature value with the public key of the cloud authentication platform, the received tenth signature value was issued by the cloud authentication platform; if it cannot, the received tenth signature value was not issued by the cloud authentication platform. Once it has determined that the tenth signature value was sent by the cloud authentication platform, the master control safety chip computes the digest of the tenth ciphertext. If the tenth ciphertext was tampered with in transit, the digest the master control safety chip computes over the received tenth ciphertext changes as well, so by comparing the digest it computed with the digest of the tenth ciphertext recovered by decrypting the signature value, the master control safety chip can guarantee the integrity of the received tenth ciphertext. Having confirmed that the tenth signature value was sent by the cloud authentication platform and that the tenth ciphertext was not tampered with in transit, that is, after the signature verification passes, the master control safety chip decrypts the tenth ciphertext with the first private key of the identity card card-reading terminal to obtain the first random number and the second random number. This prevents any device other than the identity card card-reading terminal from decrypting the tenth ciphertext to obtain the first random number and the second random number, and guarantees the security of the first random number and the second random number.
S204: the master control safety chip compares the first random number it generated with the first random number obtained by decryption and, if they match, generates the first session key from the first random number and the second random number.
In the present embodiment, after the master control safety chip decrypts the tenth ciphertext to obtain the first random number and the second random number, it compares the decrypted first random number with the first random number it generated. If they are identical, the first random number received by the cloud authentication platform is the same as the first random number generated by the identity card card-reading terminal, so the master control safety chip and the cloud authentication platform can apply the same algorithm to the first random number and the second random number to generate the first session key, and then encrypt and decrypt data with the first session key. If they are not identical, the first random number obtained by the cloud authentication platform differs from the first random number generated by the identity card card-reading terminal; applying the same algorithm to their respective first and second random numbers, the master control safety chip and the cloud authentication platform would compute two different session keys, that is, the first session key of the master control safety chip and the first session key of the cloud authentication platform would differ, and neither the master control safety chip nor the cloud authentication platform could decrypt the ciphertext received from the other.
Steps S201-S204 complete the process of obtaining the first session key and ensure the security of the subsequent communication between the identity card card-reading terminal and the cloud authentication platform.
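The exchange of S201-S204 written out with both sides' messages, as an added example in Go that is not the patent's code. Points the text leaves open are assumed here: RSA-PSS over SHA-256 for the signature values, RSA-OAEP for the tenth ciphertext, a minimal stand-in for the First Certificate (the terminal's modulus signed by the root CA) instead of X.509, and SHA-256 over R1||R2 as the "identical algorithm" that derives the first session key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

func must[T any](v T, err error) T { // key generation or CSPRNG failure is fatal in this example
	if err != nil {
		panic(err)
	}
	return v
}
func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// sign/verify use RSA-PSS over SHA-256 (assumption: the page names no signature algorithm).
func sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}
func verify(pub *rsa.PublicKey, data, sig []byte) error {
	h := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// deriveKey is the "identical algorithm" both sides apply to R1 and R2 (assumption: SHA-256 of R1||R2).
func deriveKey(r1, r2 []byte) []byte { k := sha256.Sum256(cat(r1, r2)); return k[:] }

// Cert stands in for the First Certificate: the terminal's RSA modulus (e=65537) signed by the root CA.
type Cert struct{ N, CASig []byte }
type Packet9 struct { // 9th data packet: first random number, First Certificate, 9th signature value
	R1   []byte
	Cert Cert
	Sig9 []byte
}
type Packet10 struct{ CT10, Sig10 []byte } // 10th data packet: 10th ciphertext, 10th signature value

type Terminal struct {
	priv     *rsa.PrivateKey // first private key, held only by the master control safety chip
	cert     Cert
	cloudPub *rsa.PublicKey // pre-stored public key of the cloud authentication platform
	r1       []byte         // first random number, kept for the S204 comparison
}
type Cloud struct {
	priv *rsa.PrivateKey
	root *rsa.PublicKey
}

// S201: generate R1 and sign R1 || First Certificate with the first private key.
func (t *Terminal) Step201() (Packet9, error) {
	t.r1 = make([]byte, 32)
	must(rand.Read(t.r1))
	sig, err := sign(t.priv, cat(t.r1, t.cert.N, t.cert.CASig))
	return Packet9{R1: t.r1, Cert: t.cert, Sig9: sig}, err
}

// S202: check the certificate against the root, verify Sig9 with the first public key,
// generate R2, encrypt R1||R2 to the terminal's public key and sign the 10th ciphertext.
func (c *Cloud) Step202(p Packet9) (Packet10, []byte, error) {
	if err := verify(c.root, p.Cert.N, p.Cert.CASig); err != nil {
		return Packet10{}, nil, fmt.Errorf("certificate not issued by trusted root: %w", err)
	}
	termPub := &rsa.PublicKey{N: new(big.Int).SetBytes(p.Cert.N), E: 65537}
	if err := verify(termPub, cat(p.R1, p.Cert.N, p.Cert.CASig), p.Sig9); err != nil {
		return Packet10{}, nil, fmt.Errorf("9th signature invalid: %w", err)
	}
	r2 := make([]byte, 32)
	must(rand.Read(r2))
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, cat(p.R1, r2), nil))
	sig, err := sign(c.priv, ct)
	return Packet10{CT10: ct, Sig10: sig}, deriveKey(p.R1, r2), err
}

// S203-S204: verify Sig10 with the cloud public key, decrypt the 10th ciphertext with the
// first private key, compare R1 with the locally generated copy, then derive the session key.
func (t *Terminal) Step203And204(p Packet10) ([]byte, error) {
	if err := verify(t.cloudPub, p.CT10, p.Sig10); err != nil {
		return nil, fmt.Errorf("10th signature invalid: %w", err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, t.priv, p.CT10, nil)
	if err != nil || len(pt) != 64 {
		return nil, errors.New("10th ciphertext cannot be decrypted")
	}
	if !bytes.Equal(pt[:32], t.r1) {
		return nil, errors.New("first random number mismatch: the two session keys would differ")
	}
	return deriveKey(pt[:32], pt[32:]), nil
}

// Setup generates constructed keys for the root CA, the terminal and the cloud platform.
func Setup() (*Terminal, *Cloud) {
	ca, term, cloud := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	cert := Cert{N: term.N.Bytes(), CASig: must(sign(ca, term.N.Bytes()))}
	return &Terminal{priv: term, cert: cert, cloudPub: &cloud.PublicKey}, &Cloud{priv: cloud, root: &ca.PublicKey}
}
```

Running Step201, Step202 and Step203And204 in order yields the same 32-byte key on both sides; a ninth packet whose first random number was altered in transit fails the cloud's signature check, and a tenth packet from a platform whose key the terminal does not hold fails the chip's.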
As an optional embodiment of the embodiment of the present invention, as shown in Fig. 3, before the master control safety chip performs safe handling on the identity card identification information to obtain the first data packet, the method further includes the following alternative steps (S301-S303) for obtaining the first session key:
S301: the master control safety chip encrypts an acquisition request for the first session key with the authentication encryption key to obtain the eleventh ciphertext, signs the eleventh ciphertext with the first private key of the identity card card-reading terminal to obtain the eleventh signature value, and sends the eleventh data packet to the communication interface, where the eleventh data packet includes at least the First Certificate and the second certificate of the identity card card-reading terminal, the eleventh ciphertext and the eleventh signature value, the First Certificate includes at least the first public key of the identity card card-reading terminal, and the second certificate includes at least the second public key of the identity card card-reading terminal; the communication interface receives the eleventh data packet and sends the eleventh data packet to the cloud authentication platform;
In the present embodiment, the authentication encryption key is preset in the identity card card-reading terminal; before the master control safety chip obtains the first session key, the master control safety chip encrypts the data it sends to the cloud authentication platform with the authentication encryption key.
In the present embodiment, the First Certificate and the second certificate of the identity card card-reading terminal are issued by a third-party certificate authority (digital certificate authentication center). In addition to the second public key of the identity card card-reading terminal, the second certificate of the identity card card-reading terminal also includes information such as the digital signature and the name of the certificate authority. In the present embodiment, the First Certificate and the second certificate of the identity card card-reading terminal can be two different certificates or the same certificate.
In the present embodiment, after the master control safety chip encrypts the acquisition request for the first session key with the authentication encryption key to obtain the eleventh ciphertext, only the cloud authentication platform, which holds the corresponding authentication decryption key, can decrypt the eleventh ciphertext. This prevents any device other than the cloud authentication platform from decrypting the eleventh ciphertext to obtain the acquisition request for the first session key, and guarantees the security of the acquisition request for the first session key that the identity card card-reading terminal sends to the cloud authentication platform. The authentication decryption key and the authentication encryption key are the same key, that is, a symmetric key. The authentication decryption key is preset in the cloud authentication platform.
In the present embodiment, the master control safety chip signs the eleventh ciphertext with the first private key, which only the identity card card-reading terminal holds. If the cloud authentication platform can decrypt the eleventh signature value with the first public key of the identity card card-reading terminal, the key corresponding to the first private key, the received eleventh signature value was issued by the identity card card-reading terminal; if it cannot, the received eleventh signature value was not issued by the identity card card-reading terminal. The cloud authentication platform can therefore confirm the identity of the device that sent the eleventh signature value from that signature value. Once it has determined that the eleventh signature value was sent by the identity card card-reading terminal, the cloud authentication platform computes the digest of the eleventh ciphertext. If the eleventh ciphertext was tampered with in transit, the digest the cloud authentication platform computes over the received eleventh ciphertext changes as well, so by comparing the digest it computed with the digest of the eleventh ciphertext recovered by decrypting the signature value, the cloud authentication platform can guarantee the integrity of the received eleventh ciphertext.
S302: the communication interface receives the twelfth data packet returned by the cloud authentication platform and sends the twelfth data packet to the master control safety chip, where the twelfth data packet includes at least the twelfth ciphertext and the twelfth signature value;
In the present embodiment, after the cloud authentication platform receives the eleventh data packet, it verifies the First Certificate and the second certificate of the identity card card-reading terminal against the root certificate; if the verification passes, the First Certificate and the second certificate of the identity card card-reading terminal are legitimate. After the First Certificate and the second certificate of the identity card card-reading terminal pass verification, the cloud authentication platform verifies the eleventh signature value with the first public key contained in the First Certificate of the identity card card-reading terminal and, after the signature verification passes, decrypts the eleventh ciphertext with the authentication decryption key to obtain the acquisition request for the first session key.
In the present embodiment, after the cloud authentication platform obtains the acquisition request for the first session key, it generates the first session key, encrypts the first session key with the second public key contained in the second certificate of the identity card card-reading terminal to obtain the twelfth ciphertext, and signs the twelfth ciphertext with the private key of the cloud authentication platform to obtain the twelfth signature value.
S303: the master control safety chip receives the twelfth data packet, verifies the twelfth signature value with the public key of the cloud authentication platform and, after the signature verification passes, decrypts the twelfth ciphertext with the second private key of the identity card card-reading terminal to obtain the first session key.
The master control safety chip performs the signature verification with the public key of the cloud authentication platform. If the master control safety chip can decrypt the twelfth signature value with the public key of the cloud authentication platform, the received twelfth signature value was issued by the cloud authentication platform; if it cannot, the received twelfth signature value was not issued by the cloud authentication platform. The master control safety chip can therefore confirm the identity of the device that sent the twelfth signature value from that signature value. Once it has determined that the twelfth signature value was sent by the cloud authentication platform, the master control safety chip computes the digest of the twelfth ciphertext. If the twelfth ciphertext was tampered with in transit, the digest the master control safety chip computes over the received twelfth ciphertext changes as well, so by comparing the digest it computed with the digest of the twelfth ciphertext recovered by decrypting the signature value, the master control safety chip can guarantee the integrity of the received twelfth ciphertext. Having confirmed that the twelfth signature value was sent by the cloud authentication platform and that the twelfth ciphertext was not tampered with in transit, that is, after the signature verification passes, the master control safety chip decrypts the twelfth ciphertext with the second private key of the identity card card-reading terminal to obtain the first session key. This prevents any device other than the identity card card-reading terminal from decrypting the twelfth ciphertext to obtain the first session key, and guarantees the security of the first session key.
Steps S301 to S303 complete the process of obtaining the first session key, which guarantees the security of communication between the identity card card-reading terminal and the cloud authentication platform in the subsequent process.
Embodiment 2:
This embodiment provides an identity card card-reading terminal.
Fig. 4 is a structural schematic diagram of the identity card card-reading terminal provided in this embodiment. As shown in Fig. 4, the identity card card-reading terminal provided in this embodiment includes: a card reading interface 401, configured to receive the identity card identification information sent by the identity card and send it to the master control security chip 402; the master control security chip 402, configured to receive the identity card identification information, perform security processing on it to obtain a first data packet, and send the first data packet to the communication interface 403; and the communication interface 403, configured to receive the first data packet and send it to the cloud authentication platform.
The communication interface 403 is further configured to receive a second data packet returned by the cloud authentication platform and send it to the master control security chip 402; the master control security chip 402 is further configured to receive the second data packet, perform security verification on it, and after verification passes obtain a first authentication factor and send it to the card reading interface 401; the card reading interface 401 is further configured to receive the first authentication factor and send it to the identity card. The card reading interface 401 is further configured to receive first authentication data returned by the identity card and send it to the master control security chip 402, the first authentication data being the result of the identity card processing the first authentication factor; the master control security chip 402 is further configured to receive the first authentication data, perform security processing on it to obtain a third data packet, and send the third data packet to the communication interface 403; the communication interface 403 is further configured to receive the third data packet and send it to the cloud authentication platform.
The communication interface 403 is further configured to receive a fourth data packet returned by the cloud authentication platform and send it to the master control security chip 402; the master control security chip 402 is further configured to receive the fourth data packet, perform security verification on it, and after verification passes obtain a second authentication factor acquisition request and send it to the card reading interface 401; the card reading interface 401 is further configured to receive the second authentication factor acquisition request and send it to the identity card. The card reading interface 401 is further configured to receive the second authentication factor returned by the identity card and send it to the master control security chip 402; the master control security chip 402 is further configured to receive the second authentication factor, perform security processing on it to obtain a fifth data packet, and send the fifth data packet to the communication interface 403; the communication interface 403 is further configured to receive the fifth data packet and send it to the cloud authentication platform.
The communication interface 403 is further configured to receive a sixth data packet returned by the cloud authentication platform and send it to the master control security chip 402; the master control security chip 402 is further configured to receive the sixth data packet, perform security verification on it, and after verification passes obtain second authentication data and send it to the card reading interface 401; the card reading interface 401 is further configured to receive the second authentication data and send it to the identity card, the second authentication data being the result of the cloud authentication platform processing the second authentication factor. The card reading interface 401 is further configured to receive the identity card data ciphertext returned by the identity card and send it to the master control security chip 402; the master control security chip 402 is further configured to perform security processing on the identity card data ciphertext to obtain a seventh data packet and send it to the communication interface 403; the communication interface 403 is further configured to send the seventh data packet to the cloud authentication platform. The communication interface 403 is further configured to receive an eighth data packet returned by the cloud authentication platform and send it to the master control security chip 402; the master control security chip 402 is further configured to receive the eighth data packet, perform security verification on it, and after verification passes obtain the identity card data plaintext.
The identity card card-reading terminal provided in this embodiment is not itself equipped with a verification security control module; instead, the identity card security control module capable of decrypting the data ciphertext read from the identity card is placed in the cloud authentication platform, and any user can access the cloud authentication platform over a wired or wireless network to read identity cards. This greatly reduces the user's implementation cost: industries that need to perform identity card information reading, such as banks, railway stations and insurance, only need to deploy a corresponding number of identity card card-reading terminals, without deploying a large number of verification security control modules or configuring a large number of correspondences between verification security control modules and identity card card-reading terminals, which simplifies implementation. Further, by performing security processing on the data sent to the cloud authentication platform and security verification on the data received from the cloud authentication platform, the security of the data transmitted between the identity card card-reading terminal and the cloud authentication platform is guaranteed.
In this embodiment, the identity card identification information is information that the identity card card-reading terminal can recognize directly and that uniquely identifies the identity card; for example, it may be the identity card serial number. It is not specifically limited in this embodiment.
In this embodiment, the card reading interface 401 is used to receive data sent by the identity card and to send data to the identity card. The card reading interface 401 may be a radio-frequency interface, for example a radio-frequency antenna; any card reading interface 401 that can communicate with the identity card falls within the scope of the present invention, and it is not specifically limited in this embodiment.
In this embodiment, the communication interface 403 is used to receive data sent by the cloud authentication platform and to send data to the cloud authentication platform. The communication interface 403 may communicate directly with the cloud authentication platform over a wired or wireless network, in which case it may be a wireless communication interface (for example a WIFI communication interface) or a wired communication interface. The communication interface 403 may also communicate with the cloud authentication platform through the wireless or wired network of a host computer (such as a mobile phone, a PAD (tablet computer) or a PC), in which case it may be a wireless communication interface capable of communicating with the host computer (for example a Bluetooth interface or an NFC interface) or a wired communication interface (for example a USB interface). It is not specifically limited in this embodiment.
In this embodiment, the master control security chip 402 is used to complete operations such as security processing and security verification, and is the core component of the identity card card-reading terminal. The master control security chip 402 in this embodiment may be a security chip certified by the State Cryptography Administration, or another control chip with the above functions; any chip that can implement the functions of the master control security chip 402 of the present invention falls within the scope of protection of the present invention.
As an optional implementation of this embodiment, the master control security chip 402 is specifically configured to encrypt the identity card identification information with the first session key to obtain a first ciphertext, and to sign the first ciphertext with the first private key of the identity card card-reading terminal to obtain a first signature value; the first data packet includes at least the first ciphertext and the first signature value.
In this embodiment, the first session key is a key negotiated between the identity card card-reading terminal and the cloud authentication platform, used by the identity card card-reading terminal to encrypt data sent to the cloud authentication platform and to decrypt data received from the cloud authentication platform. After the master control security chip 402 of the identity card card-reading terminal encrypts data with the first session key, only a cloud authentication platform holding the same first session key can decrypt the encrypted data; this prevents any device other than the cloud authentication platform from decrypting it to obtain the data the identity card card-reading terminal sends to the cloud authentication platform, and guarantees the security of data transmitted from the identity card card-reading terminal to the cloud authentication platform. Likewise, only the master control security chip 402 of an identity card card-reading terminal holding the first session key can decrypt the encrypted data received from the cloud authentication platform; this prevents any device other than the identity card card-reading terminal from decrypting it to obtain the data the cloud authentication platform sends to the identity card card-reading terminal, and guarantees the security of data transmitted from the cloud authentication platform to the identity card card-reading terminal.
In this embodiment, the master control security chip 402 signs the first ciphertext with the first private key of the identity card card-reading terminal to obtain the first signature value as follows: the master control security chip 402 computes the digest of the first ciphertext with a HASH algorithm and encrypts that digest with the first private key of the identity card card-reading terminal; the result is the first signature value. Because the master control security chip 402 signs with a first private key that only the identity card card-reading terminal holds, if the cloud authentication platform can decrypt the first signature value with the first public key of the identity card card-reading terminal corresponding to that first private key, the received first signature value was issued by the identity card card-reading terminal; if it cannot, the received first signature value was not issued by the identity card card-reading terminal. In other words, the cloud authentication platform can confirm the identity of the device that sent the first signature value from the first signature value itself. After determining that the first signature value was sent by the identity card card-reading terminal, the cloud authentication platform computes the digest of the first ciphertext. If the first ciphertext was tampered with in transit, the digest the cloud authentication platform computes over the received first ciphertext changes as well, so by comparing the computed digest of the first ciphertext with the digest recovered by decrypting the signature, the cloud authentication platform can guarantee the integrity of the received first ciphertext. It should be noted that the signing process in this embodiment may refer to this description; the signing processes mentioned below are not described again in detail.
In this embodiment, after the cloud authentication platform receives the first data packet, it performs security verification on the first data packet and, after verification passes, obtains the identity card identification information. Specifically, the cloud authentication platform may verify the first signature value with the first public key of the identity card card-reading terminal and, after verification passes, decrypt the first ciphertext with the first session key to obtain the identity card identification information. The cloud authentication platform can then look up the security key matching the identity card according to the identity card identification information.
Before the identity card data ciphertext is read, the identity card card-reading terminal makes the identity card and the cloud authentication platform authenticate each other, ensuring that both the identity card and the cloud authentication platform are legitimate.
In this embodiment, the first authentication factor is generated by the cloud authentication platform and sent to the identity card; the cloud authentication platform uses the first authentication factor to authenticate the legitimacy of the identity card. The first authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters; it is not specifically limited in this embodiment.
As an optional implementation of this embodiment, the second data packet includes at least a second ciphertext and a second signature value; the master control security chip 402 is specifically configured to verify the second signature value with the public key of the cloud authentication platform and, after verification passes, decrypt the second ciphertext with the first session key to obtain the first authentication factor.
In this embodiment, the master control security chip 402 may verify the second signature value with the public key of the cloud authentication platform as follows: the master control security chip 402 decrypts the second signature value with the public key of the cloud authentication platform to obtain the digest of the second ciphertext, computes the digest of the received second ciphertext with the HASH algorithm, and compares the digest obtained by decryption with the computed digest; if they are identical, verification of the second signature value passes. The verification process in this embodiment may refer to this description; the verification processes mentioned below are not described again in detail. The master control security chip 402 verifies with the public key of the cloud authentication platform: if the second signature value can be decrypted with that public key, the received second signature value was issued by the cloud authentication platform; if it cannot, the received second signature value was not issued by the cloud authentication platform. In other words, the master control security chip 402 can confirm the identity of the device that sent the second signature value from the second signature value itself. After determining that the second signature value was sent by the cloud authentication platform, the master control security chip 402 computes the digest of the second ciphertext. If the second ciphertext was tampered with in transit, the digest computed over the received second ciphertext changes as well, so by comparing the computed digest of the second ciphertext with the digest recovered by decrypting the signature, the master control security chip 402 can guarantee the integrity of the received second ciphertext. Only after confirming that the second signature value was sent by the cloud authentication platform and that the second ciphertext was not tampered with in transit, that is, after signature verification passes, does it decrypt the second ciphertext with the first session key that only the identity card card-reading terminal and the cloud authentication platform hold, obtaining the first authentication factor. This prevents any device other than the identity card card-reading terminal from decrypting the second ciphertext to obtain the first authentication factor, and guarantees the security of the first authentication factor.
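The signing process described for the first signature value and the verification process described for the second signature value, as one added example in Python (not code from the patent or from any product implementing it). Textbook RSA over a SHA-256 digest stands in for "encrypt the digest with the private key, decrypt the signature with the public key" (an unpadded hash under raw RSA is illustration only, not a production signature scheme, and the real terminal would use the chip's certified algorithms), and a SHA-256 counter-mode keystream stands in for the session-key cipher; the key generation, the `Packet` layout, the nonce and the serial number are all assumptions. The example shows the order the description insists on (verify the signature first, only then decrypt), a tampered ciphertext being rejected, a packet verified against the wrong party's public key being rejected, and one caveat the description leaves implicit: the signature authenticates the sender, not the session key, so decryption with the wrong session key yields garbage rather than an error.

```python
# Added example: sign-then-verify packet exchange, illustration only.
import hashlib
import secrets
from dataclasses import dataclass

NONCE_LEN = 16


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test, used only to make toy RSA keys at run time."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Textbook RSA: returns ((n, e), (n, d)). Modulus must exceed 256 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(session_key, nonce, data):
    """Toy session-key cipher: XOR with SHA-256(key || nonce || counter) blocks."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(session_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass
class Packet:
    ciphertext: bytes  # nonce || payload encrypted under the session key
    signature: int     # digest of ciphertext raised to the sender's private exponent


def seal(session_key, sender_priv, payload):
    """Sender: encrypt with the session key, then sign the ciphertext's digest."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = nonce + _keystream_xor(session_key, nonce, payload)
    n, d = sender_priv
    return Packet(ciphertext, pow(_digest_int(ciphertext), d, n))


def open_packet(session_key, sender_pub, pkt):
    """Receiver: recover the digest with the public key, compare, then decrypt."""
    n, e = sender_pub
    if pow(pkt.signature, e, n) != _digest_int(pkt.ciphertext):
        raise ValueError("signature verification failed: wrong signer or tampered ciphertext")
    nonce, body = pkt.ciphertext[:NONCE_LEN], pkt.ciphertext[NONCE_LEN:]
    return _keystream_xor(session_key, nonce, body)


def demo():
    """First data packet (terminal to platform) plus the three failure cases."""
    terminal_pub, terminal_priv = generate_keypair()
    cloud_pub, _cloud_priv = generate_keypair()
    session_key = secrets.token_bytes(16)
    id_serial = b"ID-SERIAL-0000"  # constructed sample identification information
    pkt = seal(session_key, terminal_priv, id_serial)
    results = {"roundtrip": open_packet(session_key, terminal_pub, pkt) == id_serial}
    # One flipped ciphertext bit: the digest no longer matches the signature.
    flipped = pkt.ciphertext[:-1] + bytes([pkt.ciphertext[-1] ^ 0x01])
    try:
        open_packet(session_key, terminal_pub, Packet(flipped, pkt.signature))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    # Verifying with a different party's public key identifies the wrong sender.
    try:
        open_packet(session_key, cloud_pub, pkt)
        results["wrong_signer_rejected"] = False
    except ValueError:
        results["wrong_signer_rejected"] = True
    # A valid signature says nothing about who holds the session key.
    results["wrong_key_matches"] = open_packet(secrets.token_bytes(16), terminal_pub, pkt) == id_serial
    return results
```

Running `demo()` returns all four checks as expected: the round trip succeeds, tampering and the wrong signer both fail closed, and the wrong session key silently produces a payload that does not match. That last point is why a deployment would pair the session-key cipher with its own integrity check (an authenticated mode) rather than rely on the outer signature alone.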
In this embodiment, the identity card may process the first authentication factor to obtain the first authentication data as follows: the identity card computes a MAC over the first authentication factor with the security key and uses the resulting MAC value as the first authentication data. The identity card may alternatively encrypt the first authentication factor with the security key to obtain the first authentication data. The security key is preset in legitimate identity cards, and only a legitimate identity card holds it. The identity card may of course also process the first authentication factor in another manner specified by the Ministry of Public Security to obtain the first authentication data; it is not specifically limited in this embodiment.
As an optional implementation of this embodiment, the master control security chip 402 is specifically configured to encrypt the first authentication data with the first session key to obtain a third ciphertext, and to sign the third ciphertext with the first private key of the identity card card-reading terminal to obtain a third signature value; the third data packet includes at least the third ciphertext and the third signature value.
In this embodiment, after the master control security chip 402 encrypts the first authentication data with the first session key to obtain the third ciphertext, only a cloud authentication platform holding the same first session key can decrypt the third ciphertext; this prevents any device other than the cloud authentication platform from decrypting it to obtain the first authentication data, and guarantees the security of the first authentication data sent by the identity card card-reading terminal to the cloud authentication platform.
In this embodiment, the master control security chip 402 signs the third ciphertext with the first private key that only the identity card card-reading terminal holds. If the cloud authentication platform can decrypt the third signature value with the first public key of the identity card card-reading terminal corresponding to that first private key, the received third signature value was issued by the identity card card-reading terminal; if it cannot, the received data was not issued by the identity card card-reading terminal. In other words, the cloud authentication platform can confirm the identity of the device that sent the third signature value from the third signature value itself. After determining that the third signature value was sent by the identity card card-reading terminal, the cloud authentication platform computes the digest of the third ciphertext. If the third ciphertext was tampered with in transit, the digest computed over the received third ciphertext changes as well, so by comparing the computed digest of the third ciphertext with the digest recovered by decrypting the signature, the cloud authentication platform can guarantee the integrity of the received third ciphertext.
In this embodiment, after the cloud authentication platform receives the third data packet, it performs security verification on the third data packet and, after verification passes, obtains the first authentication data. Specifically, the cloud authentication platform verifies the third signature value with the first public key of the identity card card-reading terminal and, after verification passes, decrypts the third ciphertext with the first session key to obtain the first authentication data, which it then verifies.
In this embodiment, if the first authentication data is the MAC value the identity card computed over the first authentication factor with the security key, the cloud authentication platform may verify the first authentication data as follows: it computes authentication data over the first authentication factor with the same MAC algorithm as the identity card and compares the computed authentication data with the received first authentication data; if they are identical, the first authentication data passes verification.
In this embodiment, if the first authentication data is the result of the identity card encrypting the first authentication factor with the security key, the cloud authentication platform may verify the first authentication data in either of two optional ways:
Mode one: the cloud authentication platform decrypts the received first authentication data with the security key matching the identity card, which it looked up according to the identity card identification information, obtains an authentication factor, and compares it with the first authentication factor it generated itself; if they are identical, the first authentication data passes verification.
Mode two: the cloud authentication platform encrypts the first authentication factor it generated itself with the security key matching the identity card, which it looked up according to the identity card identification information, obtains authentication data, and compares it with the received first authentication data; if they are identical, the first authentication data passes verification.
The cloud authentication platform may of course also verify the first authentication data in another manner specified by the Ministry of Public Security; it is not specifically limited in this embodiment. By verifying the first authentication data, the cloud authentication platform verifies the legitimacy of the identity card. If the first authentication data passes verification, the identity card is legitimate and the fourth data packet is generated; if it does not, the identity card is illegitimate, and the cloud authentication platform may terminate the identity card reading and send prompt information to the identity card card-reading terminal.
In this embodiment, after the cloud authentication platform has verified the first authentication data, that is, after it has authenticated the identity card, it requests the identity card to generate the second authentication factor, so that the identity card can in turn authenticate the cloud authentication platform.
As an optional implementation of this embodiment, the fourth data packet includes at least a fourth ciphertext and a fourth signature value; the master control security chip 402 is specifically configured to verify the fourth signature value with the public key of the cloud authentication platform and, after verification passes, decrypt the fourth ciphertext with the first session key to obtain the second authentication factor acquisition request.
The master control security chip 402 verifies with the public key of the cloud authentication platform: if the fourth signature value can be decrypted with that public key, the received fourth signature value was issued by the cloud authentication platform; if it cannot, the received fourth signature value was not issued by the cloud authentication platform. In other words, the master control security chip 402 can confirm the identity of the device that sent the fourth signature value from the fourth signature value itself. After determining that the fourth signature value was sent by the cloud authentication platform, the master control security chip 402 computes the digest of the fourth ciphertext. If the fourth ciphertext was tampered with in transit, the digest computed over the received fourth ciphertext changes as well, so by comparing the computed digest of the fourth ciphertext with the digest recovered by decrypting the signature, the master control security chip 402 can guarantee the integrity of the received fourth ciphertext. Only after confirming that the fourth signature value was sent by the cloud authentication platform and that the fourth ciphertext was not tampered with in transit, that is, after signature verification passes, does it decrypt the fourth ciphertext with the first session key that only the identity card card-reading terminal and the cloud authentication platform hold, obtaining the second authentication factor acquisition request. This prevents any device other than the identity card card-reading terminal from decrypting the fourth ciphertext to obtain the second authentication factor acquisition request, and guarantees the security of the second authentication factor acquisition request.
In this embodiment, the second authentication factor is generated by the identity card and sent to the cloud authentication platform; the identity card uses the second authentication factor to authenticate the legitimacy of the cloud authentication platform. The second authentication factor may be one or a string of random numbers, one or a string of random characters, or any combination of random numbers and random characters; it is not specifically limited in this embodiment.
As an optional implementation of this embodiment, the master control security chip 402 is specifically configured to encrypt the second authentication factor with the first session key to obtain a fifth ciphertext, and to sign the fifth ciphertext with the first private key of the identity card card-reading terminal to obtain a fifth signature value; the fifth data packet includes at least the fifth ciphertext and the fifth signature value.
In this embodiment, after the master control security chip 402 encrypts the second authentication factor with the first session key to obtain the fifth ciphertext, only a cloud authentication platform holding the same first session key can decrypt the fifth ciphertext; this prevents any device other than the cloud authentication platform from decrypting it to obtain the second authentication factor, and guarantees the security of the second authentication factor sent by the identity card card-reading terminal to the cloud authentication platform.
In this embodiment, the master control security chip 402 signs the fifth ciphertext with the first private key that only the identity card card-reading terminal holds. If the cloud authentication platform can decrypt the fifth signature value with the first public key of the identity card card-reading terminal corresponding to that first private key, the received fifth signature value was issued by the identity card card-reading terminal; if it cannot, the received data was not issued by the identity card card-reading terminal. In other words, the cloud authentication platform can confirm the identity of the device that sent the fifth signature value from the fifth signature value itself. After determining that the fifth signature value was sent by the identity card card-reading terminal, the cloud authentication platform computes the digest of the fifth ciphertext. If the fifth ciphertext was tampered with in transit, the digest computed over the received fifth ciphertext changes as well, so by comparing the computed digest of the fifth ciphertext with the digest recovered by decrypting the signature, the cloud authentication platform can guarantee the integrity of the received fifth ciphertext.
In this embodiment, after the cloud authentication platform receives the fifth data packet, it performs security verification on the fifth data packet and, after verification passes, obtains the second authentication factor. Specifically, the cloud authentication platform may verify the fifth signature value with the first public key of the identity card card-reading terminal and, after verification passes, decrypt the fifth ciphertext with the first session key to obtain the second authentication factor, which it then processes to obtain the second authentication data. The cloud authentication platform may process the second authentication factor to obtain the second authentication data as follows: it computes the security key from preset information, then computes a MAC over the second authentication factor with the security key and uses the resulting MAC value as the second authentication data. The cloud authentication platform may alternatively encrypt the second authentication factor with the security key matching the identity card to obtain the second authentication data. The cloud authentication platform may of course also process the second authentication factor in another manner specified by the Ministry of Public Security to obtain the second authentication data; it is not specifically limited in this embodiment.
As an optional implementation of the present embodiment, the 6th data packet includes at least the 6th ciphertext and the 6th signature value; the master control safety chip 402 is specifically configured to verify the 6th signature value with the public key of the cloud authentication platform and, after the signature verifies, to decrypt the 6th ciphertext with the first session key to obtain the second authentication data.

The master control safety chip 402 verifies the signature with the public key of the cloud authentication platform. If the 6th signature value can be decrypted (verified) with the public key of the cloud authentication platform, the received 6th signature value was issued by the cloud authentication platform; if it cannot, the received 6th signature value was not issued by the cloud authentication platform. In other words, the master control safety chip 402 can confirm, from the 6th signature value, the identity of the device that sent it. Once the master control safety chip 402 has determined that the 6th signature value was sent by the cloud authentication platform, it calculates the digest of the 6th ciphertext. If the 6th ciphertext was tampered with in transit, the digest that the master control safety chip 402 calculates over the received 6th ciphertext changes as well; therefore, by comparing the digest it calculates over the 6th ciphertext with the digest recovered from the 6th signature value, the master control safety chip 402 can guarantee the integrity of the received 6th ciphertext. Only after confirming that the 6th signature value was sent by the cloud authentication platform and that the 6th ciphertext was not tampered with in transit, that is, after the signature verification passes, does it decrypt the 6th ciphertext with the first session key that only the identity card card-reading terminal and the cloud authentication platform hold, obtaining the second authentication data. This prevents any device other than the identity card card-reading terminal from decrypting the 6th ciphertext to obtain the second authentication data, and so protects the second authentication data.
In the present embodiment, after the identity card receives the second authentication data it verifies it and, once verification passes, sends the identity card data ciphertext to the identity card card-reading terminal. The identity card data ciphertext is the identity card data stored in the identity card in encrypted form, such as the identity card number, name, gender, address and photograph; the corresponding identity card data plaintext can only be obtained after the identity card data ciphertext is decrypted by an identity card security control module authorized by the Ministry of Public Security.

In the present embodiment, if the second authentication data is a MAC value computed by the cloud authentication platform over the second authentication factor with the security key, the identity card can verify the second authentication data as follows: the identity card computes authentication data over the second authentication factor with the same MAC algorithm used by the cloud authentication platform and compares the computed authentication data with the received second authentication data; if they are identical, the second authentication data passes verification.

In the present embodiment, if the second authentication data was obtained by the cloud authentication platform encrypting the second authentication factor with the security key, the identity card has two optional ways to verify the second authentication data:

Mode one: the identity card decrypts the received second authentication data with the security key to obtain an authentication factor, and compares the decrypted authentication factor with the second authentication factor it generated itself; if they are identical, the second authentication data passes verification.

Mode two: the identity card encrypts the second authentication factor it generated itself with the security key to obtain authentication data, and compares the encrypted authentication data with the received second authentication data; if they are identical, the second authentication data passes verification.

The identity card may also verify the second authentication data in other ways specified by the Ministry of Public Security; the present embodiment does not limit this. By verifying the second authentication data, the identity card verifies the legitimacy of the cloud authentication platform. If the second authentication data passes verification, the cloud authentication platform is legitimate and the identity card returns the identity card data ciphertext; if the second authentication data fails verification, the cloud authentication platform is not legitimate, and the identity card reading process can be terminated at this point.
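Both verification forms described above, as an added example in Go that is not part of the patent text: the cloud authentication platform derives the second authentication data from the second authentication factor under the security key, either as a MAC or by encryption, and the identity card checks it by recomputation (MAC form), by decrypting and comparing (mode one) or by encrypting and comparing (mode two), releasing its identity card data ciphertext only on success and otherwise treating the platform as illegitimate. HMAC-SHA256, single-block AES-128, the 16-byte key and factor and the placeholder ciphertext are assumptions; the patent leaves the algorithms to the Ministry of Public Security.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed sample values (assumptions: the patent fixes neither the key
// length nor the factor length; 16 bytes each lets the AES form use one block).
var (
	securityKey  = []byte("0123456789abcdef")                // shared by card and platform
	secondFactor = []byte("random-challenge")                // second authentication factor from the card
	cardCipher   = []byte("<identity card data ciphertext>") // released only on success
)

// ErrPlatformIllegal: the second authentication data did not verify, so the
// card treats the cloud authentication platform as illegitimate and the
// reading flow is terminated.
var ErrPlatformIllegal = errors.New("second authentication data rejected: cloud authentication platform not legitimate")

// MAC form. platformMAC is the platform side; HMAC-SHA256 is an assumed
// instantiation of the "MAC" the text leaves unspecified.
func platformMAC(key, factor []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(factor)
	return m.Sum(nil)
}

// cardVerifyMAC: the card recomputes the MAC over the factor it issued and
// compares in constant time; the stored ciphertext is released only on success.
func cardVerifyMAC(key, ownFactor, authData, stored []byte) ([]byte, error) {
	if !hmac.Equal(platformMAC(key, ownFactor), authData) {
		return nil, ErrPlatformIllegal
	}
	return stored, nil
}

// Encryption form. platformEncrypt is the platform side; a single AES-128
// block over a one-block factor is an assumed instantiation.
func platformEncrypt(key, factor []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(factor) != c.BlockSize() {
		return nil, errors.New("factor must be exactly one AES block")
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, factor)
	return out, nil
}

// cardVerifyModeOne: decrypt the received data and compare with the own factor.
func cardVerifyModeOne(key, ownFactor, authData, stored []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(authData) != c.BlockSize() {
		return nil, ErrPlatformIllegal
	}
	got := make([]byte, c.BlockSize())
	c.Decrypt(got, authData)
	if subtle.ConstantTimeCompare(got, ownFactor) != 1 {
		return nil, ErrPlatformIllegal
	}
	return stored, nil
}

// cardVerifyModeTwo: encrypt the own factor and compare with the received data.
func cardVerifyModeTwo(key, ownFactor, authData, stored []byte) ([]byte, error) {
	want, err := platformEncrypt(key, ownFactor)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(want, authData) != 1 {
		return nil, ErrPlatformIllegal
	}
	return stored, nil
}

func main() {
	auth := platformMAC(securityKey, secondFactor)
	ct, err := cardVerifyMAC(securityKey, secondFactor, auth, cardCipher)
	fmt.Printf("MAC form: err=%v released=%t\n", err, bytes.Equal(ct, cardCipher))

	// Encryption form, checked both ways the text allows.
	enc, _ := platformEncrypt(securityKey, secondFactor)
	_, err1 := cardVerifyModeOne(securityKey, secondFactor, enc, cardCipher)
	_, err2 := cardVerifyModeTwo(securityKey, secondFactor, enc, cardCipher)
	fmt.Println("encryption form: mode one err:", err1, "mode two err:", err2)
}
```

Both comparisons are constant-time (hmac.Equal and subtle.ConstantTimeCompare); a comparison that stops at the first differing byte would leak, through timing, how much of a guessed value is correct. A platform that does not hold the security key, or that replays authentication data computed for an earlier factor, gets ErrPlatformIllegal and the card never releases its ciphertext.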
As an optional implementation of the present embodiment, the master control safety chip 402 is specifically configured to encrypt the identity card data ciphertext with the first session key to obtain the 7th ciphertext, and to sign the 7th ciphertext with the first private key of the identity card card-reading terminal to obtain the 7th signature value.

In the present embodiment, after the master control safety chip 402 encrypts the identity card data ciphertext with the first session key to obtain the 7th ciphertext, only the cloud authentication platform, which holds the same first session key, can decrypt the 7th ciphertext. This prevents any device other than the cloud authentication platform from decrypting the 7th ciphertext to obtain the identity card data ciphertext, and so protects the identity card data ciphertext that the identity card card-reading terminal sends to the cloud authentication platform.
In the present embodiment, the master control safety chip 402 signs the 7th ciphertext with the first private key that only the identity card card-reading terminal holds. If the cloud authentication platform can decrypt (verify) the 7th signature value with the first public key of the identity card card-reading terminal, which corresponds to the terminal's first private key, the received 7th signature value was issued by the identity card card-reading terminal; if it cannot, the received 7th signature value was not issued by the identity card card-reading terminal. In other words, the cloud authentication platform can confirm, from the 7th signature value, the identity of the device that sent it. Once the cloud authentication platform has determined that the 7th signature value was sent by the identity card card-reading terminal, it calculates the digest of the 7th ciphertext. If the 7th ciphertext was tampered with in transit, the digest that the cloud authentication platform calculates over the received 7th ciphertext changes as well; therefore, by comparing the digest it calculates over the 7th ciphertext with the digest recovered from the 7th signature value, the cloud authentication platform can guarantee the integrity of the received 7th ciphertext.

In the present embodiment, after the cloud authentication platform receives the 7th data packet, it performs a security check on the 7th data packet and, once the check passes, obtains the identity card data ciphertext. Specifically, the cloud authentication platform verifies the 7th signature value with the first public key of the identity card card-reading terminal; after the signature verifies, it decrypts the 7th ciphertext with the first session key to obtain the identity card data ciphertext, then decrypts the identity card data ciphertext with the identity card security control module authorized by the Ministry of Public Security to obtain the identity card data plaintext. The cloud authentication platform then applies security processing to the identity card data plaintext to obtain the 8th data packet.
As an optional implementation of the present embodiment, the 8th data packet includes at least the 8th ciphertext and the 8th signature value; the master control safety chip 402 is specifically configured to verify the 8th signature value with the public key of the cloud authentication platform and, after the signature verifies, to decrypt the 8th ciphertext with the first session key to obtain the identity card data plaintext.

The master control safety chip 402 verifies the signature with the public key of the cloud authentication platform. If the 8th signature value can be decrypted (verified) with the public key of the cloud authentication platform, the received 8th signature value was issued by the cloud authentication platform; if it cannot, the received 8th signature value was not issued by the cloud authentication platform. In other words, the master control safety chip 402 can confirm, from the 8th signature value, the identity of the device that sent it. Once the master control safety chip 402 has determined that the 8th signature value was sent by the cloud authentication platform, it calculates the digest of the 8th ciphertext. If the 8th ciphertext was tampered with in transit, the digest that the master control safety chip 402 calculates over the received 8th ciphertext changes as well; therefore, by comparing the digest it calculates over the 8th ciphertext with the digest recovered from the 8th signature value, the master control safety chip 402 can guarantee the integrity of the received 8th ciphertext. Only after confirming that the 8th signature value was sent by the cloud authentication platform and that the 8th ciphertext was not tampered with in transit, that is, after the signature verification passes, does it decrypt the 8th ciphertext with the first session key that only the identity card card-reading terminal and the cloud authentication platform hold, obtaining the identity card data plaintext. This prevents any device other than the identity card card-reading terminal from decrypting the 8th ciphertext to obtain the identity card data plaintext, and so protects the identity card data plaintext.
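The handling shared by the 5th to 8th data packets, as an added example in Go that is not part of the patent text: the sender encrypts under the first session key and signs the ciphertext; the receiver verifies the signature value with the peer's public key, which establishes both who sent the packet and that the ciphertext was not altered in transit, and only then decrypts with the first session key. ECDSA P-256 over a SHA-256 digest for the signature value, AES-GCM for the ciphertext, the nonce-prefixed layout, the fixed sample session key and the placeholder payload are assumptions; the patent names none of these.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet is the common shape of the 5th to 8th data packets: a ciphertext
// under the first session key and a signature value over that ciphertext.
type Packet struct {
	Ciphertext []byte // AES-GCM, laid out as nonce || ciphertext || tag (assumed)
	Signature  []byte // ECDSA P-256 over SHA-256(Ciphertext) (assumed)
}

var (
	ErrBadSignature = errors.New("signature verification failed: sender not confirmed or ciphertext tampered")
	ErrDecrypt      = errors.New("decryption failed: wrong first session key or corrupted ciphertext")
)

// sessionKey is a constructed sample first session key (AES-128 assumed).
var sessionKey = []byte("0123456789abcdef")

func newSigningKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is the sender side: encrypt under the first session key, then sign the
// ciphertext (terminal's first private key for packets 5 and 7, platform's
// private key for packets 6 and 8).
func seal(key []byte, signer *ecdsa.PrivateKey, payload []byte) (Packet, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, err
	}
	ct := gcm.Seal(nonce, nonce, payload, nil)
	digest := sha256.Sum256(ct)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return Packet{}, err
	}
	return Packet{Ciphertext: ct, Signature: sig}, nil
}

// open is the receiver side: recompute the digest over the ciphertext as
// received and check it against the signature with the peer's public key (this
// confirms the sender and the ciphertext's integrity); only then decrypt.
func open(key []byte, peer *ecdsa.PublicKey, p Packet) ([]byte, error) {
	digest := sha256.Sum256(p.Ciphertext)
	if !ecdsa.VerifyASN1(peer, digest[:], p.Signature) {
		return nil, ErrBadSignature
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(p.Ciphertext) < ns {
		return nil, ErrDecrypt
	}
	pt, err := gcm.Open(nil, p.Ciphertext[:ns], p.Ciphertext[ns:], nil)
	if err != nil {
		return nil, ErrDecrypt
	}
	return pt, nil
}

func main() {
	terminal := newSigningKey()
	payload := []byte("<identity card data ciphertext>") // constructed placeholder
	pkt, _ := seal(sessionKey, terminal, payload)           // 7th data packet
	got, err := open(sessionKey, &terminal.PublicKey, pkt)
	fmt.Printf("platform opens packet 7: err=%v payload=%q\n", err, got)

	// Tampered in transit: rejected at the signature check, before any decryption.
	tampered := Packet{Ciphertext: append([]byte{}, pkt.Ciphertext...), Signature: pkt.Signature}
	tampered.Ciphertext[0] ^= 0x01
	_, err = open(sessionKey, &terminal.PublicKey, tampered)
	fmt.Println("tampered:", err)
}
```

Because the signature covers the ciphertext, the receiver never decrypts anything whose origin it has not confirmed. A device that modifies the ciphertext and re-signs it with its own key gets ErrBadSignature, since its public key is not the one the receiver trusts, and an eavesdropper holding a validly signed packet but not the first session key gets ErrDecrypt.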
As an optional implementation of the present embodiment, the master control safety chip 402 is further configured to generate a first random number, to sign the first random number and the First Certificate of the identity card card-reading terminal with the first private key of the identity card card-reading terminal to obtain the 9th signature value, and to send the 9th data packet to the communication interface 403, the 9th data packet including at least the first random number, the First Certificate of the identity card card-reading terminal and the 9th signature value, where the First Certificate includes at least the first public key of the identity card card-reading terminal. The communication interface 403 is further configured to receive the 9th data packet and send it to the cloud authentication platform, and to receive the 10th data packet returned by the cloud authentication platform and send it to the master control safety chip 402, the 10th data packet including at least the 10th ciphertext and the 10th signature value. The master control safety chip 402 is further configured to receive the 10th data packet, verify the 10th signature value with the public key of the cloud authentication platform and, after the signature verifies, decrypt the 10th ciphertext with the first private key of the identity card card-reading terminal to obtain the first random number and a second random number, the second random number being generated by the cloud authentication platform. The master control safety chip 402 is further configured to compare the first random number it generated with the first random number obtained by decryption and, if they agree, to generate the first session key from the first random number and the second random number.

Once the identity card card-reading terminal holds the first session key, the data transmitted between the identity card card-reading terminal and the cloud authentication platform is encrypted and decrypted with the first session key, which secures the data transmission.

In the present embodiment, the First Certificate of the identity card card-reading terminal is issued by a third-party certificate authority (a digital certificate authentication center). Besides the first public key of the identity card card-reading terminal, the First Certificate also includes the digital signature and the name of the certificate authority, among other information.
In the present embodiment, the master control safety chip signs the first random number and the First Certificate of the identity card card-reading terminal with the first private key that only the identity card card-reading terminal holds. If the cloud authentication platform can decrypt (verify) the 9th signature value with the first public key of the identity card card-reading terminal, which corresponds to the terminal's first private key, the received 9th signature value was issued by the identity card card-reading terminal; if it cannot, the received 9th signature value was not issued by the identity card card-reading terminal. In other words, the cloud authentication platform can confirm, from the 9th signature value, the identity of the device that sent it. Once the cloud authentication platform has determined that the 9th signature value was sent by the identity card card-reading terminal, it calculates the digest of the first random number and the First Certificate of the identity card card-reading terminal. If the first random number or the First Certificate was tampered with in transit, the digest that the cloud authentication platform calculates over the received first random number and First Certificate changes as well; therefore, by comparing the digest it calculates over the first random number and the First Certificate with the digest recovered from the 9th signature value, the cloud authentication platform can guarantee the integrity of the received first random number and First Certificate of the identity card card-reading terminal.

In the present embodiment, after the cloud authentication platform receives the 9th data packet, it verifies the First Certificate of the identity card card-reading terminal against the root certificate; if the verification passes, the First Certificate of the identity card card-reading terminal is legitimate. After the First Certificate of the identity card card-reading terminal passes verification, the cloud authentication platform verifies the 9th signature value with the first public key contained in the First Certificate; after the signature verifies, it obtains the first random number and generates a second random number, and can then generate the first session key from the first random number and the second random number. The cloud authentication platform encrypts the first random number and the second random number with the first public key of the identity card card-reading terminal to obtain the 10th ciphertext, and signs the 10th ciphertext with the private key of the cloud authentication platform to obtain the 10th signature value.
In the present embodiment, the identity card card-reading terminal can obtain the public key of the cloud authentication platform from a pre-stored certificate of the cloud authentication platform, or it can send a request to the cloud authentication platform asking it to send its public key to the identity card card-reading terminal. The master control safety chip 402 verifies the signature with the public key of the cloud authentication platform. If the 10th signature value can be decrypted (verified) with the public key of the cloud authentication platform, the received 10th signature value was issued by the cloud authentication platform; if it cannot, the received 10th signature value was not issued by the cloud authentication platform. Once the master control safety chip 402 has determined that the 10th signature value was sent by the cloud authentication platform, it calculates the digest of the 10th ciphertext. If the 10th ciphertext was tampered with in transit, the digest that the master control safety chip 402 calculates over the received 10th ciphertext changes as well; therefore, by comparing the digest it calculates over the 10th ciphertext with the digest recovered from the 10th signature value, the master control safety chip 402 can guarantee the integrity of the received 10th ciphertext. Only after confirming that the 10th signature value was sent by the cloud authentication platform and that the 10th ciphertext was not tampered with in transit, that is, after the signature verification passes, does it decrypt the 10th ciphertext with the first private key that only the identity card card-reading terminal holds, obtaining the first random number and the second random number. This prevents any device other than the identity card card-reading terminal from decrypting the 10th ciphertext to obtain the first random number and the second random number, and so protects both random numbers.

In the present embodiment, after the master control safety chip 402 decrypts the 10th ciphertext to obtain the first random number and the second random number, it compares the decrypted first random number with the first random number it generated. If they are identical, the cloud authentication platform received the first random number, and the first random number it received is the same as the one generated by the identity card card-reading terminal, so the master control safety chip and the cloud authentication platform can compute the first session key from the first random number and the second random number with the same algorithm and use the first session key to encrypt and decrypt data. If they are not identical, the first random number obtained by the cloud authentication platform differs from the first random number generated by the identity card card-reading terminal; the master control safety chip and the cloud authentication platform would then compute two different session keys from their respective first and second random numbers with the same algorithm, that is, the first session key of the master control safety chip would differ from the first session key of the cloud authentication platform, and neither side could decrypt the ciphertext received from the other.
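The 9th/10th data packet exchange described above, as an added example in Go that is not part of the patent text: the terminal signs R1 together with its certificate; the platform checks the certificate against the root, verifies the signature with the public key the certificate carries, encrypts R1 || R2 to the terminal and signs the result; the terminal verifies that signature, decrypts with its first private key, insists that R1 came back unchanged, and derives the first session key, while the platform derives the same key from the same two values. As in the text, the terminal's first key pair is used both to sign and to receive the encrypted random numbers. RSA-2048 with PSS signatures and OAEP encryption, SHA-256(R1 || R2) as the key derivation, 16-byte random numbers and the toy certificate (a CA signature over the bare public key rather than X.509) are assumptions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certificate is a toy stand-in for the First Certificate (real deployments use X.509).
type Certificate struct {
	Pub   *rsa.PublicKey
	CASig []byte // root CA signature over Pub.N.Bytes(); signing only the modulus is a toy simplification
}

var ErrReject = errors.New("session key establishment rejected")

// RSA-PSS over SHA-256 is an assumed instantiation of the text's "sign" / "verify the signature".
func sign(priv *rsa.PrivateKey, parts ...[]byte) ([]byte, error) {
	d := sha256.Sum256(bytes.Join(parts, nil))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

func verify(pub *rsa.PublicKey, sig []byte, parts ...[]byte) bool {
	d := sha256.Sum256(bytes.Join(parts, nil))
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// deriveSessionKey is the "identical algorithm" both sides run; SHA-256(R1 || R2) is an assumption.
func deriveSessionKey(r1, r2 []byte) []byte {
	k := sha256.Sum256(bytes.Join([][]byte{r1, r2}, nil))
	return k[:]
}

// issueCert stands in for the third-party CA issuing the First Certificate.
func issueCert(ca *rsa.PrivateKey, pub *rsa.PublicKey) (Certificate, error) {
	sig, err := sign(ca, pub.N.Bytes())
	return Certificate{Pub: pub, CASig: sig}, err
}

// Terminal, step 1: generate R1 and sign R1 || certificate with the first private key (9th data packet).
func terminalPacket9(priv *rsa.PrivateKey, cert Certificate) (r1, sig9 []byte, err error) {
	r1 = make([]byte, 16)
	if _, err = rand.Read(r1); err != nil {
		return nil, nil, err
	}
	sig9, err = sign(priv, r1, cert.Pub.N.Bytes())
	return r1, sig9, err
}

// Platform: check the certificate against the root, verify sig9 with the key it carries,
// generate R2, encrypt R1 || R2 to the terminal, sign it (10th data packet), keep its own key.
func platformPacket10(root *rsa.PublicKey, platPriv *rsa.PrivateKey, cert Certificate, r1, sig9 []byte) (ct, sig10, key []byte, err error) {
	if !verify(root, cert.CASig, cert.Pub.N.Bytes()) || !verify(cert.Pub, sig9, r1, cert.Pub.N.Bytes()) {
		return nil, nil, nil, ErrReject
	}
	r2 := make([]byte, 16)
	if _, err = rand.Read(r2); err != nil {
		return nil, nil, nil, err
	}
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.Pub, bytes.Join([][]byte{r1, r2}, nil), nil); err != nil {
		return nil, nil, nil, err
	}
	sig10, err = sign(platPriv, ct)
	return ct, sig10, deriveSessionKey(r1, r2), err
}

// Terminal, step 2: verify the platform's signature, decrypt with the first private key, check R1, derive the key.
func terminalFinish(priv *rsa.PrivateKey, platPub *rsa.PublicKey, sentR1, ct, sig10 []byte) ([]byte, error) {
	if !verify(platPub, sig10, ct) {
		return nil, ErrReject
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil || len(pt) != 32 || !bytes.Equal(pt[:16], sentR1) {
		return nil, ErrReject // R1 mismatch: the two sides would derive different keys
	}
	return deriveSessionKey(pt[:16], pt[16:]), nil
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	ca, term, plat := newKey(), newKey(), newKey()
	cert, _ := issueCert(ca, &term.PublicKey)
	r1, sig9, _ := terminalPacket9(term, cert)
	ct, sig10, platKey, _ := platformPacket10(&ca.PublicKey, plat, cert, r1, sig9)
	termKey, err := terminalFinish(term, &plat.PublicKey, r1, ct, sig10)
	fmt.Printf("err=%v session keys match=%t\n", err, bytes.Equal(termKey, platKey))
}
```

The R1 check in terminalFinish is what makes the two sides agree: if the platform answered with a different session's R1, the terminal rejects instead of ending up with a key the platform does not hold. R1 travels in the clear in the 9th data packet, so a plain comparison is enough there; the secrecy of the derived key rests on R2, which only ever appears inside the OAEP ciphertext. Using one RSA key pair for both signing and decryption follows this embodiment; the embodiment with a separate Second Certificate for the encryption key is the cleaner split.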
As an optional implementation of the present embodiment, the master control safety chip 402 is further configured to encrypt a request for the first session key with an authentication encryption key to obtain the 11th ciphertext, to sign the 11th ciphertext with the first private key of the identity card card-reading terminal to obtain the 11th signature value, and to send the 11th data packet to the communication interface 403, the 11th data packet including at least the First Certificate and the Second Certificate of the identity card card-reading terminal, the 11th ciphertext and the 11th signature value, where the First Certificate includes at least the first public key of the identity card card-reading terminal and the Second Certificate includes at least the second public key of the identity card card-reading terminal. The communication interface 403 is further configured to receive the 11th data packet and send it to the cloud authentication platform, and to receive the 12th data packet returned by the cloud authentication platform and send it to the master control safety chip 402, the 12th data packet including at least the 12th ciphertext and the 12th signature value. The master control safety chip 402 is further configured to receive the 12th data packet, verify the 12th signature value with the public key of the cloud authentication platform and, after the signature verifies, decrypt the 12th ciphertext with the second private key of the identity card card-reading terminal to obtain the first session key.

Once the identity card card-reading terminal holds the first session key, the data transmitted between the identity card card-reading terminal and the cloud authentication platform is encrypted and decrypted with the first session key, which secures the data transmission.

In the present embodiment, the authentication encryption key is preconfigured in the identity card card-reading terminal; before the identity card card-reading terminal obtains the first session key, the master control safety chip 402 encrypts the data it sends to the cloud authentication platform with the authentication encryption key.

In the present embodiment, the First Certificate and the Second Certificate of the identity card card-reading terminal are issued by a third-party certificate authority (a digital certificate authentication center). Besides the second public key of the identity card card-reading terminal, the Second Certificate also includes the digital signature and the name of the certificate authority, among other information. In the present embodiment, the First Certificate and the Second Certificate of the identity card card-reading terminal may be two different certificates or the same certificate.
In the present embodiment, after the master control safety chip 402 encrypts the request for the first session key with the authentication encryption key to obtain the 11th ciphertext, only the cloud authentication platform, which holds the corresponding authentication decryption key, can decrypt the 11th ciphertext. This prevents any device other than the cloud authentication platform from decrypting the 11th ciphertext to obtain the request for the first session key, and so protects the request for the first session key that the identity card card-reading terminal sends to the cloud authentication platform. The authentication decryption key and the authentication encryption key are the same key, that is, a symmetric key; the authentication decryption key is preconfigured in the cloud authentication platform.
In the present embodiment, the master control safety chip 402 signs the 11th ciphertext with the first private key that only the identity card card-reading terminal holds. If the cloud authentication platform can decrypt (verify) the 11th signature value with the first public key of the identity card card-reading terminal, which corresponds to the terminal's first private key, the received 11th signature value was issued by the identity card card-reading terminal; if it cannot, the received 11th signature value was not issued by the identity card card-reading terminal. In other words, the cloud authentication platform can confirm, from the 11th signature value, the identity of the device that sent it. Once the cloud authentication platform has determined that the 11th signature value was sent by the identity card card-reading terminal, it calculates the digest of the 11th ciphertext. If the 11th ciphertext was tampered with in transit, the digest that the cloud authentication platform calculates over the received 11th ciphertext changes as well; therefore, by comparing the digest it calculates over the 11th ciphertext with the digest recovered from the 11th signature value, the cloud authentication platform can guarantee the integrity of the received 11th ciphertext.

In the present embodiment, after the cloud authentication platform receives the 11th data packet, it verifies the First Certificate and the Second Certificate of the identity card card-reading terminal against the root certificate; if the verification passes, the First Certificate and the Second Certificate of the identity card card-reading terminal are legitimate. After both certificates pass verification, the cloud authentication platform verifies the 11th signature value with the first public key contained in the First Certificate of the identity card card-reading terminal; after the signature verifies, it decrypts the 11th ciphertext with the authentication decryption key to obtain the request for the first session key.

In the present embodiment, after the cloud authentication platform obtains the request for the first session key, it generates the first session key, encrypts the first session key with the second public key contained in the Second Certificate of the identity card card-reading terminal to obtain the 12th ciphertext, and signs the 12th ciphertext with the private key of the cloud authentication platform to obtain the 12th signature value.
In the present embodiment, the master control safety chip 402 verifies the signature with the public key of the cloud authentication platform. If the 12th signature value can be decrypted (verified) with the public key of the cloud authentication platform, the received 12th signature value was issued by the cloud authentication platform; if it cannot, the received 12th signature value was not issued by the cloud authentication platform. In other words, the master control safety chip 402 can confirm, from the 12th signature value, the identity of the device that sent it. Once the master control safety chip 402 has determined that the 12th signature value was sent by the cloud authentication platform, it calculates the digest of the 12th ciphertext. If the 12th ciphertext was tampered with in transit, the digest that the master control safety chip 402 calculates over the received 12th ciphertext changes as well; therefore, by comparing the digest it calculates over the 12th ciphertext with the digest recovered from the 12th signature value, the master control safety chip 402 can guarantee the integrity of the received 12th ciphertext. Only after confirming that the 12th signature value was sent by the cloud authentication platform and that the 12th ciphertext was not tampered with in transit, that is, after the signature verification passes, does it decrypt the 12th ciphertext with the second private key of the identity card card-reading terminal to obtain the first session key. This prevents any device other than the identity card card-reading terminal from decrypting the 12th ciphertext to obtain the first session key, and so protects the first session key.
Any process or method described in the flowcharts or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.

It should be understood that each part of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented with any one or a combination of the following techniques well known in the art: a discrete logic circuit with logic gates for implementing logic functions on data signals, an application-specific integrated circuit with suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.

Those skilled in the art will understand that all or part of the steps carried by the methods of the above embodiments may be completed by instructing the relevant hardware through a program, which may be stored in a computer-readable storage medium and which, when executed, performs one of or a combination of the steps of the method embodiments.

In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, or each unit may exist physically alone, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.

The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.

In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example", "some examples" and the like means that a particular feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; those skilled in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention without departing from the principles and spirit of the present invention. The scope of the present invention is defined by the appended claims and their equivalents.
Claims (8)
1. An identity card reading method, characterized in that the method comprises:
the card reading interface receives the identity card identification information sent by the identity card, and sends the identity card identification information to the master control security chip;
the master control security chip receives the identity card identification information, performs security processing on the identity card identification information to obtain a first data packet, and sends the first data packet to the communication interface;
the communication interface receives the first data packet and sends the first data packet to the cloud authentication platform;
the communication interface receives the second data packet returned by the cloud authentication platform and sends the second data packet to the master control security chip;
the master control security chip receives the second data packet, performs security verification on the second data packet, and after the security verification passes obtains the first authentication factor and sends the first authentication factor to the card reading interface;
the card reading interface receives the first authentication factor and sends the first authentication factor to the identity card;
the card reading interface receives the first authentication data returned by the identity card and sends the first authentication data to the master control security chip, the first authentication data being obtained by the identity card processing the first authentication factor;
the master control security chip receives the first authentication data, performs security processing on the first authentication data to obtain a third data packet, and sends the third data packet to the communication interface;
the communication interface receives the third data packet and sends the third data packet to the cloud authentication platform;
the communication interface receives the fourth data packet returned by the cloud authentication platform and sends the fourth data packet to the master control security chip;
the master control security chip receives the fourth data packet, performs security verification on the fourth data packet, and after the security verification passes obtains the second authentication factor acquisition request and sends the second authentication factor acquisition request to the card reading interface;
the card reading interface receives the second authentication factor acquisition request and sends the second authentication factor acquisition request to the identity card;
the card reading interface receives the second authentication factor returned by the identity card and sends the second authentication factor to the master control security chip;
the master control security chip receives the second authentication factor, performs security processing on the second authentication factor to obtain a fifth data packet, and sends the fifth data packet to the communication interface;
the communication interface receives the fifth data packet and sends the fifth data packet to the cloud authentication platform;
the communication interface receives the sixth data packet returned by the cloud authentication platform and sends the sixth data packet to the master control security chip;
the master control security chip receives the sixth data packet, performs security verification on the sixth data packet, and after the security verification passes obtains the second authentication data and sends the second authentication data to the card reading interface;
the card reading interface receives the second authentication data and sends the second authentication data to the identity card, the second authentication data being obtained by the cloud authentication platform processing the second authentication factor;
the card reading interface receives the identity card data ciphertext returned by the identity card and sends the identity card data ciphertext to the master control security chip;
the master control security chip performs security processing on the identity card data ciphertext to obtain a seventh data packet and sends the seventh data packet to the communication interface;
the communication interface sends the seventh data packet to the cloud authentication platform;
the communication interface receives the eighth data packet returned by the cloud authentication platform and sends the eighth data packet to the master control security chip;
the master control security chip receives the eighth data packet, performs security verification on the eighth data packet, and after the security verification passes obtains the identity card data plaintext.
2. The method according to claim 1, characterized in that
the master control security chip performing security processing on the identity card identification information to obtain the first data packet comprises: the master control security chip encrypts the identity card identification information using the first session key to obtain a first ciphertext, and signs the first ciphertext using the first private key of the identity card reading terminal to obtain a first signature value, the first data packet including at least the first ciphertext and the first signature value;
the second data packet includes at least a second ciphertext and a second signature value; the master control security chip performing security verification on the second data packet and obtaining the first authentication factor after the security verification passes comprises: the master control security chip verifies the second signature value using the public key of the cloud authentication platform, and after the signature verification passes decrypts the second ciphertext using the first session key to obtain the first authentication factor;
the master control security chip performing security processing on the first authentication data to obtain the third data packet comprises: the master control security chip encrypts the first authentication data using the first session key to obtain a third ciphertext, and signs the third ciphertext using the first private key of the identity card reading terminal to obtain a third signature value, the third data packet including at least the third ciphertext and the third signature value;
the fourth data packet includes at least a fourth ciphertext and a fourth signature value; the master control security chip performing security verification on the fourth data packet and obtaining the second authentication factor acquisition request after the security verification passes comprises: the master control security chip verifies the fourth signature value using the public key of the cloud authentication platform, and after the signature verification passes decrypts the fourth ciphertext using the first session key to obtain the second authentication factor acquisition request;
the master control security chip performing security processing on the second authentication factor to obtain the fifth data packet comprises: the master control security chip encrypts the second authentication factor using the first session key to obtain a fifth ciphertext, and signs the fifth ciphertext using the first private key of the identity card reading terminal to obtain a fifth signature value, the fifth data packet including at least the fifth ciphertext and the fifth signature value;
the sixth data packet includes at least a sixth ciphertext and a sixth signature value; the master control security chip performing security verification on the sixth data packet and obtaining the second authentication data after the security verification passes comprises: the master control security chip verifies the sixth signature value using the public key of the cloud authentication platform, and after the signature verification passes decrypts the sixth ciphertext using the first session key to obtain the second authentication data;
the master control security chip performing security processing on the identity card data ciphertext to obtain the seventh data packet comprises: the master control security chip encrypts the identity card data ciphertext using the first session key to obtain a seventh ciphertext, and signs the seventh ciphertext using the first private key of the identity card reading terminal to obtain a seventh signature value;
the eighth data packet includes at least an eighth ciphertext and an eighth signature value; the master control security chip performing security verification on the eighth data packet and obtaining the identity card data plaintext after the security verification passes comprises: the master control security chip verifies the eighth signature value using the public key of the cloud authentication platform, and after the signature verification passes decrypts the eighth ciphertext using the first session key to obtain the identity card data plaintext.
3. The method according to claim 1 or 2, characterized in that, before the master control security chip performs security processing on the identity card identification information to obtain the first data packet, the method further comprises:
the master control security chip generates a first random number, signs the first random number and the first certificate of the identity card reading terminal using the first private key of the identity card reading terminal to obtain a ninth signature value, and sends a ninth data packet to the communication interface, the ninth data packet including at least the first random number, the first certificate of the identity card reading terminal and the ninth signature value, wherein the first certificate includes at least the first public key of the identity card reading terminal;
the communication interface receives the ninth data packet and sends the ninth data packet to the cloud authentication platform;
the communication interface receives the tenth data packet returned by the cloud authentication platform and sends the tenth data packet to the master control security chip, the tenth data packet including at least a tenth ciphertext and a tenth signature value;
the master control security chip receives the tenth data packet, verifies the tenth signature value using the public key of the cloud authentication platform, and after the signature verification passes decrypts the tenth ciphertext using the first private key of the identity card reading terminal to obtain the first random number and a second random number, the second random number being generated by the cloud authentication platform;
the master control security chip compares the first random number it generated with the first random number obtained by decryption and, if they match, generates the first session key using the first random number and the second random number.
4. The method according to claim 1 or 2, characterized in that, before the master control security chip performs security processing on the identity card identification information to obtain the first data packet, the method further comprises:
the master control security chip encrypts a first session key acquisition request using the authentication encryption key to obtain an eleventh ciphertext, signs the eleventh ciphertext using the first private key of the identity card reading terminal to obtain an eleventh signature value, and sends an eleventh data packet to the communication interface, the eleventh data packet including at least the first certificate and the second certificate of the identity card reading terminal, the eleventh ciphertext and the eleventh signature value, wherein the first certificate includes at least the first public key of the identity card reading terminal and the second certificate includes at least the second public key of the identity card reading terminal;
the communication interface receives the eleventh data packet and sends the eleventh data packet to the cloud authentication platform;
the communication interface receives the twelfth data packet returned by the cloud authentication platform and sends the twelfth data packet to the master control security chip, the twelfth data packet including at least a twelfth ciphertext and a twelfth signature value;
the master control security chip receives the twelfth data packet, verifies the twelfth signature value using the public key of the cloud authentication platform, and after the signature verification passes decrypts the twelfth ciphertext using the second private key of the identity card reading terminal to obtain the first session key.
5. An identity card reading terminal, characterized in that it comprises:
a card reading interface, used for receiving the identity card identification information sent by the identity card and sending the identity card identification information to the master control security chip;
the master control security chip, used for receiving the identity card identification information, performing security processing on the identity card identification information to obtain a first data packet, and sending the first data packet to the communication interface;
the communication interface, used for receiving the first data packet and sending the first data packet to the cloud authentication platform;
the communication interface is also used for receiving the second data packet returned by the cloud authentication platform and sending the second data packet to the master control security chip;
the master control security chip is also used for receiving the second data packet, performing security verification on the second data packet, and after the security verification passes obtaining the first authentication factor and sending the first authentication factor to the card reading interface;
the card reading interface is also used for receiving the first authentication factor and sending the first authentication factor to the identity card;
the card reading interface is also used for receiving the first authentication data returned by the identity card and sending the first authentication data to the master control security chip, the first authentication data being obtained by the identity card processing the first authentication factor;
the master control security chip is also used for receiving the first authentication data, performing security processing on the first authentication data to obtain a third data packet, and sending the third data packet to the communication interface;
the communication interface is also used for receiving the third data packet and sending the third data packet to the cloud authentication platform;
the communication interface is also used for receiving the fourth data packet returned by the cloud authentication platform and sending the fourth data packet to the master control security chip;
the master control security chip is also used for receiving the fourth data packet, performing security verification on the fourth data packet, and after the security verification passes obtaining the second authentication factor acquisition request and sending the second authentication factor acquisition request to the card reading interface;
the card reading interface is also used for receiving the second authentication factor acquisition request and sending the second authentication factor acquisition request to the identity card;
the card reading interface is also used for receiving the second authentication factor returned by the identity card and sending the second authentication factor to the master control security chip;
the master control security chip is also used for receiving the second authentication factor, performing security processing on the second authentication factor to obtain a fifth data packet, and sending the fifth data packet to the communication interface;
the communication interface is also used for receiving the fifth data packet and sending the fifth data packet to the cloud authentication platform;
the communication interface is also used for receiving the sixth data packet returned by the cloud authentication platform and sending the sixth data packet to the master control security chip;
the master control security chip is also used for receiving the sixth data packet, performing security verification on the sixth data packet, and after the security verification passes obtaining the second authentication data and sending the second authentication data to the card reading interface;
the card reading interface is also used for receiving the second authentication data and sending the second authentication data to the identity card, the second authentication data being obtained by the cloud authentication platform processing the second authentication factor;
the card reading interface is also used for receiving the identity card data ciphertext returned by the identity card and sending the identity card data ciphertext to the master control security chip;
the master control security chip is also used for performing security processing on the identity card data ciphertext to obtain a seventh data packet and sending the seventh data packet to the communication interface;
the communication interface is also used for sending the seventh data packet to the cloud authentication platform;
the communication interface is also used for receiving the eighth data packet returned by the cloud authentication platform and sending the eighth data packet to the master control security chip;
the master control security chip is also used for receiving the eighth data packet, performing security verification on the eighth data packet, and after the security verification passes obtaining the identity card data plaintext.
6. The identity card reading terminal according to claim 5, characterized in that
the master control security chip is specifically used for encrypting the identity card identification information using the first session key to obtain a first ciphertext and signing the first ciphertext using the first private key of the identity card reading terminal to obtain a first signature value, the first data packet including at least the first ciphertext and the first signature value;
the second data packet includes at least a second ciphertext and a second signature value;
the master control security chip is specifically used for verifying the second signature value using the public key of the cloud authentication platform and, after the signature verification passes, decrypting the second ciphertext using the first session key to obtain the first authentication factor;
the master control security chip is specifically used for encrypting the first authentication data using the first session key to obtain a third ciphertext and signing the third ciphertext using the first private key of the identity card reading terminal to obtain a third signature value, the third data packet including at least the third ciphertext and the third signature value;
the fourth data packet includes at least a fourth ciphertext and a fourth signature value;
the master control security chip is specifically used for verifying the fourth signature value using the public key of the cloud authentication platform and, after the signature verification passes, decrypting the fourth ciphertext using the first session key to obtain the second authentication factor acquisition request;
the master control security chip is specifically used for encrypting the second authentication factor using the first session key to obtain a fifth ciphertext and signing the fifth ciphertext using the first private key of the identity card reading terminal to obtain a fifth signature value, the fifth data packet including at least the fifth ciphertext and the fifth signature value;
the sixth data packet includes at least a sixth ciphertext and a sixth signature value;
the master control security chip is specifically used for verifying the sixth signature value using the public key of the cloud authentication platform and, after the signature verification passes, decrypting the sixth ciphertext using the first session key to obtain the second authentication data;
the master control security chip is specifically used for encrypting the identity card data ciphertext using the first session key to obtain a seventh ciphertext and signing the seventh ciphertext using the first private key of the identity card reading terminal to obtain a seventh signature value;
the eighth data packet includes at least an eighth ciphertext and an eighth signature value;
the master control security chip is specifically used for verifying the eighth signature value using the public key of the cloud authentication platform and, after the signature verification passes, decrypting the eighth ciphertext using the first session key to obtain the identity card data plaintext.
7. The identity card reading terminal according to claim 5 or 6, characterized in that
the master control security chip is also used for generating a first random number, signing the first random number and the first certificate of the identity card reading terminal using the first private key of the identity card reading terminal to obtain a ninth signature value, and sending a ninth data packet to the communication interface, the ninth data packet including at least the first random number, the first certificate of the identity card reading terminal and the ninth signature value, wherein the first certificate includes at least the first public key of the identity card reading terminal;
the communication interface is also used for receiving the ninth data packet and sending the ninth data packet to the cloud authentication platform;
the communication interface is also used for receiving the tenth data packet returned by the cloud authentication platform and sending the tenth data packet to the master control security chip, the tenth data packet including at least a tenth ciphertext and a tenth signature value;
the master control security chip is also used for receiving the tenth data packet, verifying the tenth signature value using the public key of the cloud authentication platform, and after the signature verification passes decrypting the tenth ciphertext using the first private key of the identity card reading terminal to obtain the first random number and a second random number, the second random number being generated by the cloud authentication platform;
the master control security chip is also used for comparing the first random number it generated with the first random number obtained by decryption and, if they match, generating the first session key using the first random number and the second random number.
8. The identity card reading terminal according to claim 5 or 6, characterized in that
the master control security chip is also used for encrypting a first session key acquisition request using the authentication encryption key to obtain an eleventh ciphertext, signing the eleventh ciphertext using the first private key of the identity card reading terminal to obtain an eleventh signature value, and sending an eleventh data packet to the communication interface, the eleventh data packet including at least the first certificate and the second certificate of the identity card reading terminal, the eleventh ciphertext and the eleventh signature value, wherein the first certificate includes at least the first public key of the identity card reading terminal and the second certificate includes at least the second public key of the identity card reading terminal;
the communication interface is also used for receiving the eleventh data packet and sending the eleventh data packet to the cloud authentication platform;
the communication interface is also used for receiving the twelfth data packet returned by the cloud authentication platform and sending the twelfth data packet to the master control security chip, the twelfth data packet including at least a twelfth ciphertext and a twelfth signature value;
the master control security chip is also used for receiving the twelfth data packet, verifying the twelfth signature value using the public key of the cloud authentication platform, and after the signature verification passes decrypting the twelfth ciphertext using the second private key of the identity card reading terminal to obtain the first session key.
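The "security processing" and "security verification" steps of claims 1 and 2, together with the session key derivation of claim 3, as an added Go example that is not the patent's own code. It assumes AES-GCM for the session-key encryption, ECDSA P-256 for the terminal and cloud platform signatures, and SHA-256 over the two random numbers as the key derivation; the claims name none of these. `securityVerify` checks the signature before it decrypts, the order the claims require, and `firstExchange` walks the first and second data packets end to end.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Packet is the claims' data packet: "at least a ciphertext and a signature value".
type Packet struct {
	Ciphertext []byte // nonce || AES-GCM ciphertext (AES-GCM is an assumption; the claims name no cipher)
	Signature  []byte // ASN.1 ECDSA signature over Ciphertext (ECDSA is an assumption; the claims name no scheme)
}

// newKey generates a P-256 key pair standing in for a terminal or cloud platform key (assumption).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// deriveSessionKey models claim 3: the first session key is generated from the first and second
// random numbers. The claim names no KDF; SHA-256 over r1 || r2 is an assumption.
func deriveSessionKey(r1, r2 []byte) []byte {
	h := sha256.New()
	h.Write(r1)
	h.Write(r2)
	return h.Sum(nil) // 32 bytes, used as an AES-256 key
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// securityProcess is claim 2's "security processing": encrypt the payload under the session key,
// then sign the ciphertext with the sender's private key (encrypt-then-sign).
func securityProcess(sessionKey []byte, signer *ecdsa.PrivateKey, payload []byte) (Packet, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, err
	}
	ct := gcm.Seal(nonce, nonce, payload, nil) // nonce is prepended so the receiver can recover it
	digest := sha256.Sum256(ct)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return Packet{}, err
	}
	return Packet{Ciphertext: ct, Signature: sig}, nil
}

// securityVerify is claim 2's "security verification": check the signature with the peer's public
// key first and decrypt only after it passes, so a forged or altered packet never reaches the
// decryption step. The terminal uses the cloud platform's public key; the cloud uses the terminal's.
func securityVerify(sessionKey []byte, peerPub *ecdsa.PublicKey, p Packet) ([]byte, error) {
	digest := sha256.Sum256(p.Ciphertext)
	if !ecdsa.VerifyASN1(peerPub, digest[:], p.Signature) {
		return nil, errors.New("signature verification failed; packet rejected")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(p.Ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := p.Ciphertext[:gcm.NonceSize()], p.Ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// firstExchange walks packets 1 and 2 of claim 1 between the terminal and the cloud platform and
// returns the first authentication factor as the terminal's master control security chip obtains it.
func firstExchange(terminal, cloud *ecdsa.PrivateKey, sessionKey, cardID, factor []byte) ([]byte, error) {
	p1, err := securityProcess(sessionKey, terminal, cardID) // first data packet, terminal side
	if err != nil {
		return nil, err
	}
	if _, err := securityVerify(sessionKey, &terminal.PublicKey, p1); err != nil { // cloud side
		return nil, err
	}
	p2, err := securityProcess(sessionKey, cloud, factor) // second data packet, cloud side
	if err != nil {
		return nil, err
	}
	return securityVerify(sessionKey, &cloud.PublicKey, p2) // terminal side
}
```

A packet whose ciphertext was altered, signed by a key other than the expected peer's, or encrypted under a different session key is rejected by `securityVerify`; the first two never reach the decryption step.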
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610243357.1A CN106027483B (en) | 2016-04-18 | 2016-04-18 | A kind of identity card read method and identity card card-reading terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106027483A CN106027483A (en) | 2016-10-12 |
CN106027483B true CN106027483B (en) | 2019-02-19 |
Family
ID=57081444
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610243357.1A Active CN106027483B (en) | 2016-04-18 | 2016-04-18 | A kind of identity card read method and identity card card-reading terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106027483B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108471418A (en) * | 2018-03-28 | 2018-08-31 | 湖南东方华龙信息科技有限公司 | The data safe transmission method of terminal device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101599832A (en) * | 2008-06-05 | 2009-12-09 | 北京思创银联科技有限公司 | A kind of personal identification method and system that realize the network system login |
US8781530B2 (en) * | 2008-12-16 | 2014-07-15 | At&T Intellectual Property I, L.P. | OTA file upload servers |
CN104574599A (en) * | 2014-12-30 | 2015-04-29 | 张泽 | Authentication method and device, and intelligent door lock |
CN104636777A (en) * | 2015-01-15 | 2015-05-20 | 李明 | Identity card information obtaining system |
CN104994114A (en) * | 2015-07-27 | 2015-10-21 | 尤磊 | Identity authentication system and method based on electronic identification card |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013110074A1 (en) * | 2012-01-20 | 2013-07-25 | Identive Group, Inc. | Cloud secure channel access control |
Events
- 2016-04-18: application CN201610243357.1A (CN) filed; patent CN106027483B, status Active
Non-Patent Citations (1)
Title |
---|
"Security Requirements for Identity Documents and Applicable Cryptographic Techniques" (身份证件的安全要求和可使用的密码学技术); Wu Chuankun (武传坤); Netinfo Security (信息网络安全); 2015-05-10; pp. 21-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20220425. Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094. Patentee after: TENDYRON Corp. Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing. Patentee before: Li Ming |