CN106327184B - A mobile intelligent terminal payment system and method based on secure hardware isolation - Google Patents

A mobile intelligent terminal payment system and method based on secure hardware isolation Download PDF

Info

Publication number
CN106327184B
CN106327184B CN201610702269.3A CN201610702269A CN106327184B CN 106327184 B CN106327184 B CN 106327184B CN 201610702269 A CN201610702269 A CN 201610702269A CN 106327184 B CN106327184 B CN 106327184B
Authority
CN
China
Prior art keywords
payment
user
intelligent terminal
secure
mobile intelligent
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201610702269.3A
Other languages
Chinese (zh)
Other versions
CN106327184A (en
Inventor
胡铭铭
王瑜
王雅哲
梁超
汪祖辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS filed Critical Institute of Information Engineering of CAS
Priority to CN201610702269.3A priority Critical patent/CN106327184B/en
Publication of CN106327184A publication Critical patent/CN106327184A/en
Application granted granted Critical
Publication of CN106327184B publication Critical patent/CN106327184B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821Electronic credentials
    • G06Q20/38215Use of certificates or encrypted proofs of transaction rights
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825Use of electronic signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Accounting & Taxation (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Finance (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

本发明涉及一种基于安全硬件隔离的移动智能终端支付系统及方法,包括:支付服务器、移动智能终端、安全硬件;安全硬件独立于移动智能终端,具有单独的系统即独立运行环境,保护用户的认证数据安全,并对外提供随机数生成,证书请求,信息签名服务;同时具有安全存储功能,能够保护预置的用户认证信息;在支付系统支付过程中,安全硬件需要用户输入支付密码进行验证,在验证通过后利用用户支付公钥证书私钥对支付数据签名加密后返回至移动智能终端。本发明将用户支付证书私钥和密码存储在安全硬件中,有效防止这些敏感数据被攻击者获取,并且支付信息将由用户在安全硬件进行确认,有效防止支付信息被恶意篡改,大大提高了支付系统的安全性。

The present invention relates to a mobile intelligent terminal payment system and method based on security hardware isolation, including: a payment server, a mobile intelligent terminal, and security hardware; the security hardware is independent of the mobile intelligent terminal, has a separate system, that is, an independent operating environment, and protects the user's The authentication data is safe, and it provides random number generation, certificate request, and information signature services; it also has a secure storage function that can protect the preset user authentication information; during the payment process of the payment system, the security hardware requires the user to enter the payment password for verification. After passing the verification, use the user's payment public key certificate private key to encrypt the payment data signature and return it to the mobile smart terminal. The invention stores the private key and password of the user's payment certificate in the secure hardware, effectively preventing these sensitive data from being obtained by an attacker, and the payment information will be confirmed by the user on the secure hardware, effectively preventing the payment information from being maliciously tampered with, and greatly improving the payment system. security.

Description

一种基于安全硬件隔离的移动智能终端支付系统及方法A mobile intelligent terminal payment system and method based on secure hardware isolation

技术领域technical field

本发明属于信息安全中的身份认证领域,具体涉及一种基于安全硬件隔离的移动智能终端支付系统及方法。The invention belongs to the field of identity authentication in information security, and in particular relates to a mobile intelligent terminal payment system and method based on security hardware isolation.

背景技术Background technique

在移动智能终端支付过程中,用户的认证凭据(如支付密码,证书等)是一种需要保护的资源。现有移动智能终端由于其操作系统的开放性和灵活性,许多攻击者可以利用移动智能终端系统或者应用的漏洞,窃取用户输入的或者保存的认证凭据。现有的保护技术主要是将PC端的保护思想利用到移动智能终端上,如安全软件、访问控制等,但是移动智能终端面临着许多不同于PC端的攻击(如界面覆盖,攻击者伪造相同的输入框覆盖原有的输入框,窃取用户输入),且移动智能终端易于被ROOT,这些防护方案不能很好的保护用户认证凭据。In the payment process of mobile smart terminals, user authentication credentials (such as payment passwords, certificates, etc.) are resources that need to be protected. Due to the openness and flexibility of the operating systems of existing mobile smart terminals, many attackers can exploit vulnerabilities in mobile smart terminal systems or applications to steal authentication credentials entered or saved by users. Existing protection technologies mainly apply the protection ideas of the PC side to the mobile smart terminal, such as security software, access control, etc., but the mobile smart terminal faces many different attacks from the PC side (such as interface overlay, the attacker forges the same input box covers the original input box, stealing user input), and the mobile smart terminal is easy to be rooted, these protection schemes cannot protect user authentication credentials well.

安全硬件是独立于移动智能终端单独用于支付的硬件,它有自身的运行空间,并实现了与移动智能终端系统相隔离。它具有输入输出能力,并具有一定的计算能力。由于其系统单一,功能简单,攻击者难以利用系统漏洞等手段进行攻击,可以更好的保护用户的输入、数据的显示与保存,提供较移动智能终端更高的安全性保护。Security hardware is hardware that is used for payment independently of the mobile smart terminal. It has its own operating space and is isolated from the mobile smart terminal system. It has input and output capabilities and has certain computing capabilities. Due to its single system and simple functions, it is difficult for attackers to exploit system vulnerabilities and other means to attack. It can better protect user input, data display and storage, and provide higher security protection than mobile smart terminals.

针对已公开的专利(一种移动支付单元支付系统和安全支付方法,201410341832)中的安全支付方法,该方法欠缺考虑用户对支付过程的参与,如何实现支付信息安全的展示给用户确认,如何使用户显式的安全的完成对支付的授权,以防止中用户对错误的支付信息进行授权。针对已公开的专利(一种智能终端安全支付系统及方法,201310729282)中的安全支付系统及方法,该方法欠缺考虑没有将两个系统真正的物理隔离,一旦安全操作系统存在漏洞,则攻击者可能从不安全操作系统中接入并窃取用户支付数据。Regarding the secure payment method in the published patent (a mobile payment unit payment system and secure payment method, 201410341832), this method lacks consideration of the user’s participation in the payment process, how to realize the safe display of payment information to the user for confirmation, and how to use The user explicitly and securely completes the authorization of payment to prevent the user from authorizing wrong payment information. Regarding the secure payment system and method in the published patent (a smart terminal secure payment system and method, 201310729282), this method lacks consideration of the real physical isolation of the two systems. Once there is a loophole in the security operating system, the attacker It is possible to access and steal user payment data from an insecure operating system.

发明内容Contents of the invention

本发明克服现有技术的不足,结合了PKI数字认证保护体系、基于安全硬件的隔离环境及基于双向信任的移动智能终端支付方案,提出了一种基于安全硬件隔离的移动智能终端支付系统及方法。The present invention overcomes the deficiencies of the prior art, combines the PKI digital authentication protection system, the isolation environment based on safe hardware and the mobile smart terminal payment scheme based on two-way trust, and proposes a mobile smart terminal payment system and method based on safe hardware isolation .

本发明实施了一种基于安全硬件隔离的移动智能终端支付系统及方法,所述系统与方法适用于移动智能终端,所述系统和方法包括:The present invention implements a mobile intelligent terminal payment system and method based on security hardware isolation, the system and method are suitable for mobile intelligent terminals, and the system and method include:

在所述移动智能终端进行支付操作时,移动智能终端上安装的支付应用可以与服务器连接实现支付一般流程(如生成订单等),可以与安全硬件进行点对点无线连接并进行数据加密传输,实现用户密码验证及支付认证信息传递。When the mobile smart terminal performs a payment operation, the payment application installed on the mobile smart terminal can be connected to the server to realize the general payment process (such as generating an order, etc.), and can perform point-to-point wireless connection with the security hardware and perform encrypted data transmission to realize user Password verification and payment authentication information transmission.

在安全硬件使用进行操作之前,通过信任预置操作将支付服务器的公钥证书,CA证书,用户支付公钥证书导入,构建形成服务器与安全硬件双向信任体系基础,并要求用户设定支付密码,该支付密码用于实现用户对安全硬件中用户支付公钥证书进行支付操作的授权。Before the safe hardware is used for operation, the public key certificate of the payment server, the CA certificate, and the user payment public key certificate are imported through the trust preset operation to build the basis of a two-way trust system between the server and the safe hardware, and the user is required to set the payment password. The payment password is used to authorize the user to perform payment operations on the user's payment public key certificate in the security hardware.

在移动智能终端需要进行支付操作时,通过支付应用与服务器交互完成支付数据生成,并将支付数据通过点对点无线连接的方式加密发送至安全硬件进行签名后返回服务器完成验证,具体包括:When the mobile smart terminal needs to perform payment operations, the payment application and the server interact to complete the payment data generation, and the payment data is encrypted and sent to the security hardware through a point-to-point wireless connection for signature and then returned to the server to complete the verification, including:

1)当移动智能终端需要进行支付操作时,利用支付应用与服务器交互,完成支付数据 (包括用户ID,商户ID,商品ID,数量,单价,总价,订单ID,支付信息ID,随机挑战值等)的生成。1) When the mobile smart terminal needs to perform a payment operation, use the payment application to interact with the server to complete the payment data (including user ID, merchant ID, commodity ID, quantity, unit price, total price, order ID, payment information ID, random challenge value) etc.) generation.

2)移动智能终端上支付应用与安全硬件建立点对点连接,并进行密钥协商建立加密信道。2) The payment application on the mobile smart terminal establishes a point-to-point connection with the security hardware, and conducts key negotiation to establish an encrypted channel.

3)移动智能终端支付应用将随机挑战、订单ID、支付信息ID、支付信息(用户ID、商户ID、总价等)加密后发送至安全硬件。3) The mobile smart terminal payment application encrypts the random challenge, order ID, payment information ID, and payment information (user ID, merchant ID, total price, etc.) and sends it to the secure hardware.

4)安全硬件将支付信息解密后显示,用户在确认无误后输入支付密码,并对该支付密码进行验证。验证通过后利用用户支付公钥证书对应的私钥对接受到的数据签名后,生成对称加密密钥,利用该加密密钥对签名信息、订单ID、支付信息ID进行加密得到数据A,利用服务器公钥对加密密钥进行加密得到B,将两者组合成数字信封。将数字信封通过已建立的安全信道返回至移动智能终端。4) The security hardware decrypts the payment information and displays it, and the user enters the payment password after confirming that it is correct, and verifies the payment password. After the verification is passed, use the private key corresponding to the user's payment public key certificate to sign the received data, generate a symmetric encryption key, and use the encryption key to encrypt the signature information, order ID, and payment information ID to obtain data A. Encrypt the encryption key to obtain B, and combine the two into a digital envelope. Return the digital envelope to the mobile smart terminal through the established secure channel.

5)移动智能终端将接受到的数字信封转发给服务器。5) The mobile smart terminal forwards the received digital envelope to the server.

6)服务器利用私钥解密数据B得到加密密钥,在利用加密密钥对A进行解密,得到签名信息、订单ID、支付信息ID。利用用户公钥验证签名信息,并验证订单ID、支付信息ID等信息后,验证支付是否成功。6) The server uses the private key to decrypt data B to obtain the encryption key, and then uses the encryption key to decrypt data A to obtain the signature information, order ID, and payment information ID. Use the user's public key to verify the signature information, and after verifying the order ID, payment information ID and other information, verify whether the payment is successful.

7)服务器将支付结果返回至移动智能终端。7) The server returns the payment result to the mobile smart terminal.

下面介绍本方案的基本思想,本发明在吸取已有解决方案的优点的基础之上,提出了自己的设计思想,具体来说,本发明技术包括方案包括以下几个方面:Introduce the basic thought of this scheme below, the present invention is on the basis of absorbing the advantage of existing solution, has proposed own design idea, specifically, the technology of the present invention includes scheme and includes the following aspects:

方面一:支付系统主要包含支付服务器、移动智能终端和安全硬件三个部分。支付服务器与移动智能终端交互,完成支付流程中除去用户认证以外的其他环节。安全硬件与移动智能终端交互,完成支付流程中最为重要的用户认证部分。利用安全硬件的独立运行环境,保护用户的认证数据安全;通过安全硬件中的信任预置,以移动智能终端为通道,与服务器建立双向信任的支付实现方法。Aspect 1: The payment system mainly includes three parts: payment server, mobile smart terminal and security hardware. The payment server interacts with the mobile smart terminal to complete other links in the payment process except user authentication. The security hardware interacts with the mobile smart terminal to complete the most important user authentication part in the payment process. Utilize the independent operating environment of the secure hardware to protect the security of the user's authentication data; through the trust preset in the secure hardware, use the mobile smart terminal as the channel to establish a two-way trust payment implementation method with the server.

方面二:安全硬件独立于移动智能终端,具有单独的系统,并对外提供随机数生成,证书请求,信息签名等服务。安全硬件具有安全存储功能,能够保护预置的用户认证信息。在支付过程中,安全硬件需要用户输入支付密码进行验证,在验证通过后利用用户支付公钥证书私钥对支付数据签名加密后返回至移动智能终端。主要有下面几点:Aspect 2: The security hardware is independent of the mobile smart terminal, has a separate system, and provides external services such as random number generation, certificate request, and information signature. The security hardware has a security storage function and can protect preset user authentication information. During the payment process, the security hardware requires the user to enter the payment password for verification. After the verification is passed, the payment data is signed and encrypted with the user's payment public key certificate and private key, and then returned to the mobile smart terminal. There are mainly the following points:

随机数生成模块:安全硬件提供真随机数发生器,一次可以提供任意长度的随机数,该随机数可以用来当作对称加密的密钥。Random number generation module: The security hardware provides a true random number generator, which can provide a random number of any length at a time, and the random number can be used as a key for symmetric encryption.

支付签名模块:安全硬件在接收到订单ID、支付信息ID和支付信息后,请求指定账号进行签名。安全硬件将利用硬件显示提示用户交易(如闪亮交易LED灯),并将支付信息显示在安全硬件的显示屏,等待用户输入支付密码确认。支付密码用于解密验证支付的私钥进行签名运算。Payment signature module: After receiving the order ID, payment information ID and payment information, the security hardware requests the designated account to sign. The security hardware will use the hardware display to prompt the user for transactions (such as flashing transaction LED lights), and display the payment information on the display screen of the security hardware, waiting for the user to enter the payment password for confirmation. The payment password is used to decrypt and verify the private key of payment for signature calculation.

可信证书模块:安全硬件存储有预置的可信证书,包括支付服务器的公钥证书、CA证书、用户支付公钥证书。通过约定的索引获取这些可信证书。Trusted certificate module: The secure hardware stores preset trusted certificates, including the payment server's public key certificate, CA certificate, and user payment public key certificate. Get these trusted certificates through an agreed upon index.

方面三:本方法提供基于安全硬件隔离的移动智能终端支付系统及方法,主要在支付整个流程中对敏感数据进行保护。数据在支付服务器和移动智能终端交互时由加密信道保护,数据在移动智能终端和安全硬件交互时由加密信道保护。用户的敏感数据如用户支付证书私钥保存在安全硬件中,攻击者无法读取敏感数据。经由移动智能终端传递的数据为动态的临时数据,在支付过程完成后即失效。通过加密信道和安全硬件的保护,攻击者无法获取用户的支付信息,全面的提高了支付过程中的安全性。Aspect 3: This method provides a mobile intelligent terminal payment system and method based on secure hardware isolation, and mainly protects sensitive data during the entire payment process. The data is protected by an encrypted channel when the payment server interacts with the smart mobile terminal, and the data is protected by an encrypted channel when the smart mobile terminal interacts with the security hardware. Sensitive data of the user, such as the private key of the user's payment certificate, is stored in secure hardware, and attackers cannot read sensitive data. The data transmitted through the mobile smart terminal is dynamic temporary data, which will become invalid after the payment process is completed. Through the protection of encrypted channels and secure hardware, attackers cannot obtain the user's payment information, which comprehensively improves the security of the payment process.

本发明与现有技术相比,具有以下优点:Compared with the prior art, the present invention has the following advantages:

(1)将用户支付证书私钥和密码存储在安全硬件中,有效防止这些敏感数据被攻击者获取,大大提高了支付系统的安全性。(1) Store the private key and password of the user's payment certificate in secure hardware, effectively preventing these sensitive data from being obtained by attackers, and greatly improving the security of the payment system.

(2)支付信息将由用户在安全硬件进行确认,有效防止支付信息被恶意篡改,进一步提高了支付系统的安全性。(2) The payment information will be confirmed by the user on the security hardware, effectively preventing the payment information from being maliciously tampered with, and further improving the security of the payment system.

附图说明Description of drawings

图1为本发明实施总体框架;Fig. 1 is that the present invention implements overall frame;

图2为发明中基于信任预置的安全启动的流程图;Fig. 2 is the flow chart of the safe startup based on trust preset in the invention;

图3为本发明中基于双向信任的移动智能终端支付实现方法的流程图。Fig. 3 is a flow chart of the method for realizing the mobile intelligent terminal payment based on two-way trust in the present invention.

具体实施方式Detailed ways

为使本发明的目的、优点以及技术方案更加清楚明白,以下通过具体实施,并结合附图,对本发明进一步详细说明。In order to make the objectives, advantages and technical solutions of the present invention more clear, the present invention will be further described in detail below through specific implementation and in conjunction with the accompanying drawings.

如图1所示,本发明具体实现如下:As shown in Figure 1, the specific implementation of the present invention is as follows:

一、基于信任预置的安全硬件的实现方法1. Implementation method of secure hardware based on trust preset

安全硬件信任预置,是指在安全硬件用于支付之前,需要对安全硬件进行证书导入、用户密码设置等初始化操作,初步建立支付的信任体系。预置在安全硬件中的有支付服务器的公钥证书、CA证书、用户支付公钥证书。支付服务器的公钥证书主要用于对对称加密密钥进行加密,实现数字信封的封装;CA证书用于安全启动过程,实现对安全硬件的验证;用户支付公钥证书主要用于向服务器表明用户身份。用户需要在安全硬件设置支付密码,该支付密码将被用于对用户支付公钥证书对应的私钥进行加密,在后续支付过程中,需要用户输入支付密码,从而得到支付公钥证书对应的私钥。Security hardware trust presetting means that before the security hardware is used for payment, it is necessary to perform initialization operations such as certificate import and user password setting on the security hardware to initially establish a payment trust system. The public key certificate of the payment server, CA certificate, and user payment public key certificate are preset in the secure hardware. The public key certificate of the payment server is mainly used to encrypt the symmetric encryption key to realize the encapsulation of the digital envelope; the CA certificate is used for the secure boot process to realize the verification of the secure hardware; the user payment public key certificate is mainly used to indicate to the server that the user identity. The user needs to set a payment password on the security hardware, which will be used to encrypt the private key corresponding to the user's payment public key certificate. In the subsequent payment process, the user needs to enter the payment password to obtain the private key corresponding to the payment public key certificate. key.

如图2所示,安全硬件安全启动过程中,分为三个组成部分,包括固化片上镜像,根验证包镜像、安全固件。其中,固化片上镜像含有校验代码,以及加载根验证包镜像的代码;根验证包镜像含有根验证包镜像的签名哈希校验值、校验代码,以及加载安全固件的代码;安全固件包括安全固件的签名哈希校验值、安全系统代码;具体流程如下:As shown in Figure 2, the secure boot process of secure hardware is divided into three components, including solidifying the on-chip image, root verification package image, and secure firmware. Among them, the image on the solidified chip contains the verification code and the code for loading the root verification package image; the root verification package image contains the signature hash verification value of the root verification package image, the verification code, and the code for loading the security firmware; the security firmware includes Signature hash verification value of secure firmware, secure system code; the specific process is as follows:

(1)系统上电,加载固化片上镜像,固化片上镜像读取根验证包镜像并用预置的CA证书计算其哈希,并与存储的哈希校验值进行比较。如果一致的话,则加载根验证包镜像,跳转至根验证包镜像运行,否则,则停止启动。(1) The system is powered on, the on-chip image is loaded, and the on-chip image reads the root verification package image and calculates its hash with the preset CA certificate, and compares it with the stored hash check value. If they are consistent, load the root verification package image and jump to the root verification package image to run, otherwise, stop the startup.

(2)根验证包镜像读取安全固件,并计算安全固件的签名哈希值,与安全固件中的签名哈希校验值进行比较验证。如果一直的话,则加载安全固件并跳转至安全固件运行,否则,停止启动。(2) The root verification package image reads the secure firmware, calculates the signature hash value of the secure firmware, and compares and verifies it with the signature hash check value in the secure firmware. If it has been, then load the security firmware and jump to the security firmware to run, otherwise, stop starting.

(3)安全固件开始运行,加载并运行随机数生成模块、支付签名模块、可信证书模块。(3) The secure firmware starts running, loads and runs the random number generation module, the payment signature module, and the trusted certificate module.

安全硬件启动后,主要有随机数生成服务、可信证书服务,并为移动智能终端提供支付签名服务,主要包括:After the security hardware is started, there are mainly random number generation services, trusted certificate services, and payment signature services for mobile smart terminals, mainly including:

随机数生成服务:安全硬件提供随机数发生器,一次可以提供任意长度的随机数,该随机数可以用来当作对称加密的密钥。支付签名服务向安全硬件发送随机数请求,并携带参数 N(N为描述请求随机数的长度),在正确情况下,安全硬件返回长度为N的随机数。否则返回错误码。Random number generation service: The security hardware provides a random number generator, which can provide a random number of any length at a time, and the random number can be used as a key for symmetric encryption. The payment signature service sends a random number request to the security hardware, and carries a parameter N (N is the length of the random number describing the request), and under correct conditions, the security hardware returns a random number with a length of N. Otherwise return an error code.

支付签名服务:安全硬件在接收到订单ID、支付信息ID和支付信息后,请求指定账号进行签名。安全硬件将利用硬件显示提示用户交易(如闪亮交易LED灯),并将支付信息显示在安全硬件的显示屏,等待用户输入支付密码确认。支付密码用于解密验证支付的私钥进行签名运算。支付密码验证通过后,支付签名服务向随机数生成服务发起请求,得到对称加密密钥,利用该加密密钥对签名信息、订单ID、支付信息ID进行加密得到数据A,利用服务器公钥对加密密钥进行加密得到B,将两者组合成数字信封。移动智能终端向安全硬件发送支付签名请求,参数有签名算法ID,随机数长度、随机数、支付信息的长度、支付信息 ID、订单ID、支付买家账户长度、支付买家账户、支付卖家账户长度、支付卖家账户、支付金额。这些为签名的明文信息。安全硬件平台接受到参数进行处理,正确情况下,返回生成的数字信封。错误返回错误码。Payment signature service: After receiving the order ID, payment information ID and payment information, the security hardware requests the designated account to sign. The security hardware will use the hardware display to prompt the user for transactions (such as flashing transaction LED lights), and display the payment information on the display screen of the security hardware, waiting for the user to enter the payment password for confirmation. The payment password is used to decrypt and verify the private key of payment for signature calculation. After the payment password verification is passed, the payment signature service initiates a request to the random number generation service to obtain a symmetric encryption key, and uses the encryption key to encrypt the signature information, order ID, and payment information ID to obtain data A, and uses the server public key to encrypt The key is encrypted to obtain B, and the two are combined into a digital envelope. The mobile smart terminal sends a payment signature request to the security hardware. The parameters include signature algorithm ID, random number length, random number, payment information length, payment information ID, order ID, payment buyer account length, payment buyer account, payment seller account Length, payment seller account, payment amount. These are signed plaintext messages. The secure hardware platform receives the parameters for processing, and returns the generated digital envelope if it is correct. Error returns an error code.

可信证书服务:安全硬件存储有预置的可信证书,包括支付服务器的公钥证书、CA证书、用户支付公钥证书。通过约定的索引获取这些可信证书。支付签名服务向安全硬件发送可信证书模块,参数为证书索引ID。安全硬件平台根据参数进行处理,正确情况下,返回证书格式、可信证书长度以及可信证书内容。错误返回错误码。Trusted certificate service: The secure hardware stores preset trusted certificates, including the payment server's public key certificate, CA certificate, and user payment public key certificate. Get these trusted certificates through an agreed upon index. The payment signature service sends the trusted certificate module to the secure hardware, and the parameter is the certificate index ID. The secure hardware platform processes according to the parameters, and returns the format of the certificate, the length of the trusted certificate, and the content of the trusted certificate if it is correct. Error returns an error code.

二、基于双向信任的移动智能终端支付实现方法2. Implementation method of mobile intelligent terminal payment based on two-way trust

如图3所示,移动智能终端终端支付方案主要依托服务器证书与用户支付证书构建的双向信任关系,保证支付过程的安全性和正确性。要求进行支付操作流程之前,需要对安全硬件进行信任预置的初始化操作。完整的支付流程包括下列步骤:As shown in Figure 3, the mobile smart terminal terminal payment scheme mainly relies on the two-way trust relationship between the server certificate and the user payment certificate to ensure the security and correctness of the payment process. Before the payment operation process is required, the security hardware needs to be initialized with trust presetting. The complete payment process includes the following steps:

(1)用户在移动智能终端的支付应用内完成商品的购买,向服务器提交用户ID,商户 ID,商品ID,数量,单价,总价等数据,请求生成订单。(1) The user completes the purchase of the product in the payment application of the mobile smart terminal, submits the user ID, merchant ID, product ID, quantity, unit price, total price and other data to the server, and requests to generate an order.

(2)服务器根据支付应用传送的数据(用户ID,商户ID,商品ID,数量,单价,总价)生成一条新的订单,并把生成的订单ID和订单信息插入到数据库中,然后把订单ID返回给支付应用。(2) The server generates a new order according to the data sent by the payment application (user ID, merchant ID, product ID, quantity, unit price, total price), inserts the generated order ID and order information into the database, and then inserts the order ID is returned to the payment application.

(3)支付应用选择对应的订单进行支付,向服务器提交订单支付请求,并提交订单ID。(3) The payment application selects the corresponding order for payment, submits the order payment request to the server, and submits the order ID.

(4)服务器根据其接收的订单ID生成一条支付信息,并把支付信息ID传给支付应用。同时服务器会生成一个随机数S,与支付信息ID同时传回给支付应用。(4) The server generates a piece of payment information according to the received order ID, and sends the payment information ID to the payment application. At the same time, the server will generate a random number S, and send it back to the payment application at the same time as the payment information ID.

(5)支付应用与安全硬件建立点对点无线连接(可以是Wi-Fi Direct,蓝牙等),并利用密钥协商协议协商对称密钥,建立加密信道。(5) The payment application establishes a point-to-point wireless connection (Wi-Fi Direct, Bluetooth, etc.) with the security hardware, and uses a key agreement protocol to negotiate a symmetric key to establish an encrypted channel.

(6)支付应用将随机数S,订单ID、支付信息ID、支付信息(包括买家账号、卖家账号、支付金额)通过步骤(5)得到的对称密钥加密后发送至安全硬件。(6) The payment application encrypts the random number S, order ID, payment information ID, and payment information (including buyer account number, seller account number, and payment amount) with the symmetric key obtained in step (5) and sends it to the secure hardware.

(7)安全硬件利用对称加密密钥解密步骤(6)的数据,并将支付信息显示,提示用户输入支付密码。(7) The security hardware uses the symmetric encryption key to decrypt the data in step (6), displays the payment information, and prompts the user to input the payment password.

(8)用户输入支付密码,安全硬件根据支付密码解密得到用户支付公钥证书对应的私钥,用该私钥进行签名操作。(8) The user enters the payment password, and the security hardware decrypts the payment password to obtain the private key corresponding to the user's payment public key certificate, and uses the private key to perform the signature operation.

(9)安全硬件利用(8)得到的私钥对随机数S、订单ID、支付信息ID、支付信息进行签名,得到签名信息,包括签名值、签名公钥ID。(9) The security hardware uses the private key obtained in (8) to sign the random number S, order ID, payment information ID, and payment information to obtain signature information, including signature value and signature public key ID.

(10)安全硬件生成签名信息后,开始进行数字信封的封装,随机数生成服务生成随机数作为对称密钥,可信证书服务提供服务器证书。(10) After the security hardware generates the signature information, it begins to encapsulate the digital envelope, the random number generation service generates a random number as a symmetric key, and the trusted certificate service provides a server certificate.

(11)安全硬件开始计算得到数字信封:将步骤(10)得到的随机数作为对称密钥,对签名信息、订单ID、支付信息ID进行加密得到数据A。然后用服务器证书中的公钥对对称密钥进行加密得到数据B,数据A、B组成数字信封。并将数字信封发送至移动终端设备。(11) The secure hardware starts to calculate the digital envelope: use the random number obtained in step (10) as a symmetric key to encrypt the signature information, order ID, and payment information ID to obtain data A. Then use the public key in the server certificate to encrypt the symmetric key to obtain data B, and data A and B form a digital envelope. And send the digital envelope to the mobile terminal device.

(12)移动智能终端将接受到的数字信封转发给服务器。(12) The mobile intelligent terminal forwards the received digital envelope to the server.

(13)服务器得到数字信封后,首先利用服务器证书对应的私钥对数据B进行解密得到对称密钥,然后利用对称密钥对数据A进行解密,得到签名信息、订单ID、支付信息ID。用支付信息ID对应的用户的证书公钥对签名信息进行验证,确认买家账号、卖家账号、支付金额没有错误。并验证订单ID、支付信息ID的合法性。验证通过后,表明服务器与用户的身份都正确,双向信任关系已经建立。该关系的建立则说明该笔支付完成,可以进行扣款等操作。服务器将支付结果返回支付应用。(13) After the server obtains the digital envelope, it first uses the private key corresponding to the server certificate to decrypt data B to obtain a symmetric key, and then uses the symmetric key to decrypt data A to obtain signature information, order ID, and payment information ID. Use the user's certificate public key corresponding to the payment information ID to verify the signature information, and confirm that the buyer account, seller account, and payment amount are correct. And verify the legitimacy of the order ID and payment information ID. After the verification is passed, it indicates that the identities of the server and the user are correct, and a two-way trust relationship has been established. The establishment of this relationship means that the payment is completed and operations such as deduction can be performed. The server returns the payment result to the payment application.

(16)支付应用显示支付结果给用户。(16) The payment application displays the payment result to the user.

提供以上实施例仅仅是为了描述本发明的目的,而并非要限制本发明的范围。本发明的范围由所附权利要求限定。不脱离本发明的精神和原理而做出的各种等同替换和修改,均应涵盖在本发明的范围之内。The above embodiments are provided only for the purpose of describing the present invention, not to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalent replacements and modifications made without departing from the spirit and principle of the present invention shall fall within the scope of the present invention.

Claims (2)

1. a kind of mobile intelligent terminal payment system based on secure hardware isolation, comprising: payment server, intelligent movable are whole End, it is characterised in that: increase secure hardware in paid payment system;Payment server is interacted with mobile intelligent terminal, is completed Other links other than user authentication are removed in payment flow;Secure hardware is interacted with mobile intelligent terminal, completes payment flow In mostly important user authentication part;It is preset by the trust in secure hardware, using mobile intelligent terminal as channel, with service Device establishes the payment implementation method of two-way trust;
Secure hardware has individual system, that is, independent operating environment, protects the certification number of user independently of mobile intelligent terminal According to safety, and generating random number is externally provided, certificate request, Information Signature service;There is secure storage function, Neng Goubao simultaneously Protect preset user authentication information;In payment system payment process, secure hardware needs user's input payment cipher to test Card, it is whole to intelligent movable is back to after payment data encrypted signature using user's payment public key certificate private key after being verified End;
The secure hardware includes random number generation module, payment signature blocks and trusted certificates module;Wherein:
Random number generation module: real random number generator is provided, can once provide the random number of random length, which can To be used to the key as symmetric cryptography;
It pays signature blocks: after receiving order ID, payment information ID and payment information, specified account being requested to be signed; Hardware display reminding customer transaction will be utilized, and payment information is shown into the display screen in secure hardware, user is waited to input branch Pay password confirming;Private key of the payment cipher for decryption verification payment carries out signature operation;
Trusted certificates module: equipped with preset trusted certificates, public key certificate, CA certificate, user's payment including payment server Public key certificate obtains these trusted certificates by the index of agreement;
The payment system protects sensitive data in payment whole flow process, and data are in payment server and intelligent movable It is protected when terminal interaction by encryption channel, data are protected in mobile intelligent terminal and secure hardware interaction by encryption channel;With The sensitive data such as user's payment certificate private key at family are stored in secure hardware, and attacker can not read sensitive data, via shifting The data of dynamic intelligent terminal transmitting are dynamic ephemeral data, are failed after the completion of payment process;Pass through encryption channel and peace The protection of devices at full hardware, attacker can not obtain the payment information of user, improve the safety in payment process comprehensively;
The secure hardware secure launch process is specific as follows:
(1) system electrification loads mirror image in cured sheets, and mirror image reads root verifying packet mirror image and with preset CA certificate in cured sheets The cryptographic Hash of root verifying packet mirror image is calculated, and is compared with the hash check value of storage;If consistent, load root and test Packet mirror image is demonstrate,proved, root verifying packet mirror image operation is jumped to, otherwise, then stops starting;
(2) root verifying packet mirror image reads secure firmware, and calculates the signature cryptographic Hash of secure firmware, breathes out with signing in secure firmware Uncommon check value is compared verifying;If consistent, load secure firmware and jump to secure firmware operation, otherwise, stop Only start;
(3) secure firmware brings into operation, and loads and run random number generation module, payment signature blocks, trusted certificates module;
Wherein, mirror image contains check code, and the code of load root verifying packet mirror image in cured sheets;Root verifying packet mirror image contains Root verifies signature hash check value, the check code of packet mirror image, and the code of load secure firmware;Secure firmware includes safety The signature hash check value of firmware, security system code;
After secure hardware starting, there are generating random number service, trusted certificates service, and provide payment signature for mobile intelligent terminal Service.
2. a kind of carry out mobile intelligence using the mobile intelligent terminal payment system described in claim 1 based on secure hardware isolation The method of energy terminal payment, it is characterised in that the following steps are included:
(1) when the mobile intelligent terminal carries out delivery operation, the payment installed on mobile intelligent terminal is applied to be taken with payment Business device connection, realizes that payment removes other links other than user authentication;Point-to-point wireless connection is carried out with secure hardware to go forward side by side Row Data Encryption Transmission realizes user password verifying and the transmitting of payment authentication information;
(2) before secure hardware use is operated, by trusting preset operation for the public key certificate of payment server, CA card Book, user pay public key certificate and import, and building forms server and the two-way trust systems basis of secure hardware, and user is required to set Determine payment cipher, which pays public key certificate progress delivery operation to user in secure hardware for realizing user and award Power;
(3) it when mobile intelligent terminal needs to carry out delivery operation, is interacted by payment application with server and completes payment data It generates, and payment data is encrypted by way of point-to-point wireless connection and is sent to after secure hardware is signed the service that returns Device completes verifying;
(3) include:
(31) it when mobile intelligent terminal needs to carry out delivery operation, is interacted using payment application with server, completes payment number According to generation, the payment data includes User ID, trade company ID, commodity ID, quantity, unit price, total price, order ID, payment information ID, random challenge value;
(32) application is paid on mobile intelligent terminal and establish point-to-point connection with secure hardware, and carry out key agreement and establish encryption Channel;
(33) mobile intelligent terminal payment application will be sent after random challenge value, order ID, payment information ID, payment information encryption To secure hardware;
(34) it is shown after secure hardware decrypts payment information, user is confirming errorless rear input payment cipher, and to the payment Password is verified, raw after paying the corresponding private key of public key certificate to the data signature received using user after being verified At symmetric cryptographic key, signing messages, order ID, payment information ID are encrypted using the encryption key to obtain data A, benefit Encryption key is encrypted with server public key to obtain B, combines both into digital envelope;By digital envelope by having been established Safe lane be back to mobile intelligent terminal;
(35) digital envelope received is transmitted to server by mobile intelligent terminal;
(36) server by utilizing private key ciphertext data B obtains encryption key, recycles encryption key that A is decrypted, is signed Name information, order ID, payment information ID verify signing messages using client public key, and verify order ID, payment information id information Afterwards, whether validation of payment succeeds;
(37) payment result is back to mobile intelligent terminal by payment server.
CN201610702269.3A 2016-08-22 2016-08-22 A mobile intelligent terminal payment system and method based on secure hardware isolation Expired - Fee Related CN106327184B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610702269.3A CN106327184B (en) 2016-08-22 2016-08-22 A mobile intelligent terminal payment system and method based on secure hardware isolation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610702269.3A CN106327184B (en) 2016-08-22 2016-08-22 A mobile intelligent terminal payment system and method based on secure hardware isolation

Publications (2)

Publication Number Publication Date
CN106327184A CN106327184A (en) 2017-01-11
CN106327184B true CN106327184B (en) 2019-09-13

Family

ID=57742804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610702269.3A Expired - Fee Related CN106327184B (en) 2016-08-22 2016-08-22 A mobile intelligent terminal payment system and method based on secure hardware isolation

Country Status (1)

Country Link
CN (1) CN106327184B (en)

Families Citing this family (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106339939B (en) * 2016-08-26 2020-05-15 南京喜玛拉云信息技术有限公司 Non-tamper-able distributed bill system based on secure hardware and transaction processing method
CN108629186A (en) * 2017-03-23 2018-10-09 惠尔丰(中国)信息系统有限公司 A kind of embedded-type security applied to Android system pays POS machine and method
CN107392589B (en) * 2017-07-01 2023-08-01 武汉天喻信息产业股份有限公司 Android system intelligent POS system, security verification method and storage medium
US11636478B2 (en) 2017-07-27 2023-04-25 Nanyang Technological University Method of performing authentication for a transaction and a system thereof
CN107274185A (en) * 2017-08-15 2017-10-20 鼎讯网络安全技术有限公司 Safe and intelligent POS and method for secure transactions
CN107332671A (en) * 2017-08-15 2017-11-07 鼎讯网络安全技术有限公司 A kind of safety mobile terminal system and method for secure transactions based on safety chip
CN109495269B (en) * 2017-09-13 2023-11-03 厦门雅迅网络股份有限公司 Method and system for verifying credibility of vehicle-mounted terminal access equipment and vehicle-mounted terminal
CN109932953A (en) * 2017-12-19 2019-06-25 陈新 Intelligent supercomputer programmable controller
CN108377190B (en) * 2018-02-14 2020-11-24 飞天诚信科技股份有限公司 An authentication device and its working method
CN108599938A (en) * 2018-04-23 2018-09-28 北京数字认证股份有限公司 The method and system of mobile terminal private data are protected by credible performing environment
MX2020010495A (en) * 2018-04-24 2020-10-28 Spectrum Brands Inc Certificate provisioning for electronic lock authentication to a server.
CN108334927B (en) * 2018-04-25 2024-03-26 江苏恒宝智能系统技术有限公司 NFC (near field communication) receipt tag and payment method thereof
CN116362747A (en) * 2018-05-01 2023-06-30 浙江浩安信息技术有限公司 Block chain digital signature system
CN108846662A (en) * 2018-05-29 2018-11-20 数字乾元科技有限公司 wireless payment method and wearable device
US11620623B2 (en) * 2018-05-31 2023-04-04 Nxp B.V. Merchant transaction mirroring for personal point of sale (pPOS) for card present e-commerce and in vehicle transaction
CN109379335B (en) * 2018-09-14 2021-04-09 广州杰赛科技股份有限公司 Equipment checking method, system and storage medium
CN111915290A (en) * 2019-05-07 2020-11-10 北京创原天地科技有限公司 Mobile payment password keyboard based on key splitting protection under iOS system and implementation method thereof
CN111917680A (en) * 2019-05-07 2020-11-10 中国移动通信集团湖南有限公司 An encryption system, method, server and storage medium
JPWO2021033477A1 (en) * 2019-08-16 2021-02-25
CN112311752A (en) * 2020-05-09 2021-02-02 杭州绿鲸科技有限公司 Internet of things smart meter safety system and implementation method
CN111786733B (en) * 2020-05-14 2021-08-31 上海易托邦建筑科技有限公司 Optical interaction system and optical interaction control method
CN111832884A (en) * 2020-05-27 2020-10-27 福建亿能达信息技术股份有限公司 Clinician operation workload evaluation system
CN112101930B (en) * 2020-08-27 2022-10-25 东南大学 NFC payment system based on elliptic curve password
CN112702740B (en) * 2020-12-24 2023-04-07 国网浙江省电力有限公司经济技术研究院 Data safety transmission method of LoRa Internet of things system
CN112333208B (en) * 2021-01-04 2021-03-30 北京笔新互联网科技有限公司 Block chain credibility verification method and device and block chain all-in-one machine
CN113393242B (en) * 2021-04-27 2022-11-01 连通(杭州)技术服务有限公司 Method and equipment for safe off-line electronic payment of token model payers
CN113592484B (en) * 2021-07-16 2024-07-12 支付宝(杭州)信息技术有限公司 Account opening method, system and device
CN113891147B (en) * 2021-09-23 2024-11-08 亦非云科技(上海)有限公司 A video service system design method based on smart TV application and external hardware
CN114240435A (en) * 2021-12-07 2022-03-25 大汉电子商务有限公司 Data verification system and method for preventing payment data from being tampered
CN118917848B (en) * 2024-10-10 2025-02-11 广东通莞科技股份有限公司 Payment environment information security management method for aggregated payment
CN119692994A (en) * 2024-11-18 2025-03-25 杭州信雅达三佳系统工程股份有限公司 A mobile payment encryption system based on data random algorithm

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103729587A (en) * 2013-12-23 2014-04-16 杭州晟元芯片技术有限公司 Chip integrating with fingerprint interface, fingerprint algorithm, security algorithms and correlated accelerators
CN104123646A (en) * 2014-07-21 2014-10-29 深圳前海君浩银通科技发展有限公司 Composite type mobile uKey and electronic wallet payment system
CN104281945A (en) * 2014-09-16 2015-01-14 马洁韵 Mobile safety payment system and safety payment method
CN105049945A (en) * 2015-08-13 2015-11-11 中国科学院信息工程研究所 Safety payment system and method based on smart TV multi-screen interaction
CN105205370A (en) * 2015-08-24 2015-12-30 北京恒信安科技有限公司 Safety protection method for mobile terminal, mobile terminal, safety system and application method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9571279B2 (en) * 2014-06-05 2017-02-14 Cavium, Inc. Systems and methods for secured backup of hardware security modules for cloud-based web services

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103729587A (en) * 2013-12-23 2014-04-16 杭州晟元芯片技术有限公司 Chip integrating with fingerprint interface, fingerprint algorithm, security algorithms and correlated accelerators
CN104123646A (en) * 2014-07-21 2014-10-29 深圳前海君浩银通科技发展有限公司 Composite type mobile uKey and electronic wallet payment system
CN104281945A (en) * 2014-09-16 2015-01-14 马洁韵 Mobile safety payment system and safety payment method
CN105049945A (en) * 2015-08-13 2015-11-11 中国科学院信息工程研究所 Safety payment system and method based on smart TV multi-screen interaction
CN105205370A (en) * 2015-08-24 2015-12-30 北京恒信安科技有限公司 Safety protection method for mobile terminal, mobile terminal, safety system and application method

Also Published As

Publication number Publication date
CN106327184A (en) 2017-01-11

Similar Documents

Publication Publication Date Title
CN106327184B (en) A mobile intelligent terminal payment system and method based on secure hardware isolation
US11258777B2 (en) Method for carrying out a two-factor authentication
CN107210914B (en) Method for secure credential provisioning
CN112116344B (en) Secure remote payment transaction processing
USH2270H1 (en) Open protocol for authentication and key establishment with privacy
EP4040717B1 (en) Method and device for secure communications over a network using a hardware security engine
EP3001598B1 (en) Method and system for backing up private key in electronic signature token
US20100088236A1 (en) Secure software service systems and methods
CN114362993B (en) Block chain assisted Internet of vehicles security authentication method
CN103326862B (en) Electronically signing method and system
CN106790064B (en) The method that both sides are communicated in credible root server-cloud computing server model
TR201902104T4 (en) Systems and methods for secure communication.
CN110198295A (en) Safety certifying method and device and storage medium
CN102986161B (en) For carrying out the method and system of cryptoguard to application
CN113525152B (en) Method and device for charging authentication
WO2015003521A1 (en) Operation request processing method and system
CN107104795B (en) Method, framework and system for injecting RSA key pair and certificate
CN104393993A (en) A security chip for electricity selling terminal and the realizing method
CN104579679A (en) Wireless public network data forwarding method for rural power distribution network communication equipment
CN105184557A (en) Payment authentication method and system
WO2021082222A1 (en) Communication method and apparatus, storage method and apparatus, and operation method and apparatus
CN117081736A (en) Key distribution method, key distribution device, communication method, and communication device
JP2001134534A (en) Authentication proxy method, authentication proxy service system, authentication proxy server device and client device
CN105933117A (en) Data encryption and decryption device and method based on TPM (Trusted Platform Module) key security storage
CN119168644B (en) A blockchain transaction signature and verification method and device supporting quantum security

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20170911

Address after: 100093 Beijing city Haidian District minzhuang Road No. 89

Applicant after: Institute of Information Engineering, Gas

Address before: 100093 Beijing city Haidian District minzhuang Road No. 89

Applicant before: Institute of Information Engineering, Gas

Applicant before: Lenovo mobile communication software (Wuhan) Co., Ltd.

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190913

Termination date: 20200822

CF01 Termination of patent right due to non-payment of annual fee